NOTE: This reposity is for experiment. See the original modern userland exec here: http://www.stratigery.com/userlandexec.html $Id: README,v 1.1 2014/02/14 00:16:45 bediger Exp $ USERLAND EXEC FOR X86_64 ----------------------- This project is inspired by The Grugq's "userland exec" of 2004. It shares no code, I rewrote from scratch. A few function names remain the same, but prototypes differ. Because the implementation of Dietlibc and the GNU dynamic loader have changed, I had to write x86_64 position independent code for all system calls and library functions. CONTENTS -------- libstatic/ - C and x86_64 assembly for various library calls (strlen(), strtoul(), etc) and system calls (read(), write(), open(), mmap(), etc). Staticly linkable and position independent. The example of exec'ing a non-executable file. example.c - loads ulexec.so via C standard library calls like dl_open() and dl_sym(). ulexec.so constituents: load_elf.c map_file.c print_maps.c stack_fix.c ulexec.c unmap.c ulexec.h - compiled into a position-independent, staticly- linked "shared object", ulexec.so Another example of how to do userland exec: dyn_unmap_run.c static_dyn_load_run.c Test programS - ez.c - statically linked minimal program. global2.c - statically-linked read and write globals. globaltest.c dyn_globals.c - ordinary, dynamically-linked, GCC program hw.c - hello world program, statically linked args2.c - Ordinary dynamically linked program to print command line arguments. margs.c - statically-linked, prints command line arguments. elfauxv.c - statically-linked printout of ELF auxilliary vector. elfauxv_dynamic.c - dynamically-linke ELF aux vector print out. env_test.c - statically linked, prints environment name/value pairs. raw.c - minimal assembly to get to main(), statically linked. places.c DEMONSTRATION ------------- You need a fairly recent version of GNU CC installed. All the above are written in pretty clean C89, with the exception of the assembly language prolog that calls main(), and the system calls in libstatic/ You'll also need "make", I don't think any particular version, "makefile" is pretty basic. I've also complied with clang C compiler. It worked. You should inspect source code. Don't run this crap on my word. It may contain NSA spyware. Create all programs: $ make ... $ You should end up with executable named "example", a shared object file named "ulexec.so" and a set of compiled test programs, that don't have executable permissions. $ PATH=$PATH:. $ export PATH $ example ./ulexec.so elfauxv_dynamic That should show you the contents of the ELF auxilliary vector that the linux kernel passes to a newly-created proces, on its stack. You can try this, to verify that elfauxv_dynamic sees the same thing that ld.so sees: $ LD_SHOW_AUXV=1 ./example ./ulexec.so elfauxv_dynamic My own personal test for when I was done: $ example $(which vim) /etc/hosts Vim is a complicated program, which does dynamic linking itself. If you can run vim with userland exec, you can run anything. Some childish fun: $ ./example ./ulexec.so ./example ./ulexec.so ./example ./ulexec.so /usr/bin/cat /proc/self/maps