| lang | size | rundeps | ↓total | type | arch | linkage | debug? | strip? | buildT | runT/100 |
|---|---|---|---|---|---|---|---|---|---|---|
| nasm-elf32-s | 134 | 0 | 134 | ELF32l | Intel 80386 | static | no | yes | 6.05ms | 134.12µs |
| nasm-elf32 | 141 | 0 | 141 | ELF32l | Intel 80386 | static | no | yes | 7.99ms | 165.81µs |
| nasm-elf-s | 165 | 0 | 165 | ELF64l | x86-64 | static | no | yes | 14.65ms | 131.77µs |
| nasm-elf | 173 | 0 | 173 | ELF64l | x86-64 | static | no | yes | 7.66ms | 150.67µs |
| jmpld | 56 | 308 | 364 | bin | jmpld | - | - | - | 19.09ms | 144.06µs |
| bld | 54 | 493 | 547 | bin | bld | - | - | - | 9.28ms | 233.59µs |
| nasm | 8.30KB | 0 | 8.30KB | ELF64l | x86-64 | static | no | yes | 14.62ms | 139.83µs |
| c-gcc-nlibc | 8.72KB | 0 | 8.72KB | ELF64l | x86-64 | static | no | yes | 50.08ms | 180.19µs |
| c-musl-st | 13.45KB | 0 | 13.45KB | ELF64l | x86-64 | static | no | yes | 41.59ms | 190.95µs |
| jmpld-c | 56 | 17.45KB | 17.50KB | bin | jmpld | - | - | - | 83.34ms | 164.79µs |
| c-gcc-st | 648.45KB | 0 | 648.45KB | ELF64l | x86-64 | static | no | yes | 109.54ms | 304.16µs |
| c-clang-st | 656.55KB | 0 | 656.55KB | ELF64l | x86-64 | static | no | yes | 141.96ms | 301.99µs |
| oksh-musl-st | 42 | 1010.13KB | 1010.17KB | script | oksh | - | - | - | 4.07ms | 571.29µs |
| go-s | 1.36MB | 0 | 1.36MB | ELF64l | x86-64 | static | no | yes | 206.59ms | 1.08ms |
| c++gcc-st | 2.10MB | 0 | 2.10MB | ELF64l | x86-64 | static | no | yes | 707.85ms | 560.04µs |
| go | 2.10MB | 0 | 2.10MB | ELF64l | x86-64 | static | yes | no | 257.03ms | 1.07ms |
| c++clang-st | 2.14MB | 0 | 2.14MB | ELF64l | x86-64 | static | no | yes | 722.34ms | 563.63µs |
| rust-nstd-s | 14.05KB | 13.45MB | 13.46MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 163.81ms | 598.39µs |
| c-gcc-s-lto | 14.14KB | 13.45MB | 13.47MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 104.36ms | 479.64µs |
| c-gcc-s | 14.14KB | 13.45MB | 13.47MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 66.75ms | 472.23µs |
| c-clang-s | 14.16KB | 13.45MB | 13.47MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 95.86ms | 458.92µs |
| rust-nstd | 19.70KB | 13.45MB | 13.47MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 82.25ms | 457.37µs |
| c-gcc | 19.88KB | 13.45MB | 13.47MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 63.22ms | 621.80µs |
| c-clang | 19.89KB | 13.45MB | 13.47MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 90.55ms | 554.57µs |
| c-gcc-g | 48.71KB | 13.45MB | 13.50MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 77.53ms | 511.37µs |
| sh-unix | 23 | 13.57MB | 13.57MB | script | dash | - | - | - | 3.11ms | 729.54µs |
| sh | 34 | 13.57MB | 13.57MB | script | dash | - | - | - | 2.71ms | 721.37µs |
| rust-s | 312.67KB | 13.63MB | 13.93MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 2.97s | 658.44µs |
| rust-s-nlto | 360.77KB | 13.63MB | 13.98MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 160.25ms | 753.09µs |
| rust | 436.70KB | 13.63MB | 14.05MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 139.50ms | 797.12µs |
| c++gcc-s | 14.15KB | 20.21MB | 20.22MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 549.65ms | 1.22ms |
| c++clang-s | 14.19KB | 20.21MB | 20.22MB | ELF64l-PIE | x86-64 | dynamic | no | yes | 612.06ms | 1.15ms |
| c++clang | 20.21KB | 20.21MB | 20.23MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 558.83ms | 1.14ms |
| c++gcc | 20.40KB | 20.21MB | 20.23MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 529.38ms | 1.22ms |
| c++clang-g | 35.40KB | 20.21MB | 20.24MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 629.34ms | 1.41ms |
| c++gcc-g | 148.93KB | 20.21MB | 20.35MB | ELF64l-PIE | x86-64 | dynamic | yes | no | 622.06ms | 1.17ms |
| tail | 32 | 20.55MB | 20.55MB | script | tail | - | - | - | 3.19ms | 724.24µs |
| bash | 40 | 21.89MB | 21.89MB | script | bash | - | - | - | 2.16ms | 2.01ms |
| zsh | 39 | 25.42MB | 25.42MB | script | zsh | - | - | - | 3.19ms | 2.45ms |
| perl | 42 | 27.96MB | 27.96MB | script | perl | - | - | - | 2.65ms | 1.71ms |
| ruby | 40 | 29.07MB | 29.07MB | script | ruby | - | - | - | 5.30ms | 57.78ms |
| py3 | 45 | 29.17MB | 29.17MB | script | python3.13 | - | - | - | 4.94ms | 14.39ms |
| nodejs | 49 | 177.31MB | 177.31MB | script | node | - | - | - | 7.88ms | 26.03ms |
| c-musl-s | - | - | - | FAIL | - | - | - | - | - | - |
| c-musl | - | - | - | FAIL | - | - | - | - | - | - |
| rust-nstd-st | - | - | - | FAIL | - | - | - | - | - | - |
| rust-st | - | - | - | FAIL | - | - | - | - | - | - |
| rust-tiny | - | - | - | FAIL | - | - | - | - | - | - |
Explanation of naming:
Some things failed because:
A big caveat regarding the “runtime”. The “runtime” benchmarks are more of a benchmark of shell parsing, execve(2) and fork(2)ing and runtime start up of the program, since the program doesn’t really do anything. Still it does show how slow the startup is, I guess it matters for shell scripts/tools.
You can check out the source for this all at my git repo.
IDK if it has any use except to, maybe, show that static binaries are not as bloated as people often think. (Because any decent lib will be split into many .o and only used code will be linked. + LTO) Which is just another reason to use them over the death of us all that is dynamic linking.
]]>I accidentally came to this idea when trying to do the smallest ELF “challenge” on Linux. You know,
turn a 1.4MB (a whole fucking 3½” HD floppy!) abomination that is Go’s “Hello world” program into
the smallest equivalent? Anyways, plenty
of people wrote
about that better than I can, but
maybe I will make a write up about my own journey next time. (Spoiler alert, I got it to 91 bytes
for just exit(0).) What I want to write about is how I had a thought that if you disregard loader
size (which people often do for dynamically linked executables) then If I craft my own loader I can
strip ELF and just load a flat binary!
First, our payload, a simple program that just prints “Nothing happens.” shall do. Let’s call it
xyzzy. Let’s write a minimal x86_64 assembly program for it, I’ll use
nasm as my assembler of choice this time:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
bits 64
db '#!./bld',0xA
start:
xor edi, edi
inc edi
lea rsi, [rel msg]
mov edx, len
mov eax, edi
syscall
dec edi
mov eax, 60
syscall
msg: db "Nothing happens.",0xA
len: equ $-msg
Build it with nasm -fbin xyzzy.asm and chmod +x xyzzy it.
The very first thing you’ll notice is the embedded “#!./bld” line. Since Linux will go through the
list of
its own loaders embedded into kernel and try them all, one of them will look for “#!” and execute
the path after it (till ‘\n’ aka 0x0A) instead, passing the path of the original executable
(that we tried to launch)
to it and let it handle it in user space. This is how your Python, Perl, Ruby and,
of course, shell scripts work. But as you might know, POSIX shell scripts can work even without
that. This saves us the trouble of writing our loader in kernel
space. Although I think I would like to do that anyways, and maybe shave some more bytes. Since
in real world, you’d have “#!/bin/bld” at least, which is 11 bytes (remember the ‘\n’). Instead we
could just either look at filename or a smaller magic number. But I am getting sidetracked.
Okay let’s write the simplest loader I could think of, I’ll use C for now:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#if 0
exe="$(basename "$0" | cut -d. -f1)"
CC=musl-gcc
CFLAGS="-pipe -static -std=c89 -Os -s -Wall -Wextra"
exec $CC $CFLAGS "$0" -o "$exe"
#endif
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
typedef void (*jmp_t)(void);
int main(int argc, char** argv)
{
int fd = -1;
off_t i = 0;
struct stat st = {0};
char* newcode = NULL;
if(argc < 2) exit(1);
fd = open(argv[1], O_RDONLY | O_NOATIME);
if(fd < 0)
{
perror("open");
exit(2);
}
if(fstat(fd, &st) != 0)
{
perror("fstat");
exit(3);
}
newcode = mmap(NULL, st.st_size, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
if(newcode == MAP_FAILED)
{
perror("mmap");
exit(4);
}
close(fd);
for(i = 0; i < st.st_size; i++)
{
if(newcode[i] == '\n')
{
jmp_t jmp = (jmp_t)((void*)(newcode + i + 1));
jmp();
exit(0);
}
}
fprintf(stderr, "loader: Failed to skip shebang.\n");
exit(5);
}
As you can see, I use my self-build trick described previously to build the
loader. The idea here is simple, we open the file, map it into an executable memory, find the
end of the shebang (#!) line and jump there. Very crude. The child inherits the loaders execution
environment, including process name. So it won’t look nice in ps/top. But it’s small and simple.
Before we turn it into more proper loader, let’s check something out:
1
2
3
4
5
6
$ ./bld.c # build
$ ./xyzzy
Nothing happens.
$ ls -lh xyzzy bld
-rwxr-xr-x 1 dwlr dwlr 18K May 22 23:41 bld
-rwxr-xr-x 1 dwlr dwlr 54 May 22 23:41 xyzzy
First, hell yea it works! :) Second, the xyzzy executable is only 54 bytes! But look at our
loader! Oof. That ain’t smol, and remember I started this in the spirit of minimal ELF file. So
let’s fix this first. All I am going to do is rewrite this program in nasm just like we wrote
xyzzy, just make it a proper ELF:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
bits 64
st: equ 144 ; sizeof(struct stat)
stsz: equ 48 ; offsetof(struct stat, st_size)
section .text
global _start
_start:
cmp DWORD [rsp], 2 ; [rsp] = argc
jge .1 ; argc < 2 ?
xor edi, edi
inc edi
jmp exit
.1:
mov eax, 2 ; 2 = open(2)
lea rdi, [rsp+16] ; [rsp+16] = argv[1]
mov rdi, [rdi]
xor esi, esi ; O_RDONLY = 0
xor edx, edx ; no mode, not creating
syscall
cmp eax, 0
jge .2 ; fd < 0 ?
mov edi, 2
jmp exit
.2:
mov r15, rax ; save fd
sub rsp, st ; push struct stat onto a stack
mov rdi, r15 ; fd
mov rsi, rsp ; struct stat*
mov eax, 5 ; 5 = fstat(2)
syscall
cmp eax, 0
je .3 ; ret != 0 ?
mov edi, 3
jmp exit
.3:
xor edi, edi ; NULL
mov rsi, [rsp+stsz] ; st.st_size
mov edx, 1|2|4 ; PROT_READ | PROT_WRITE | PROT_EXEC
mov r10, 2 ; MAP_PRIVATE
mov r8, r15 ; fd
xor r9, r9 ; offset
mov eax, 9 ; 9 = mmap(2)
syscall
cmp rax, -1
jne .4 ; ret == MAP_FAILED
mov edi, 4
jmp exit
.4:
mov r14, rax ; save new memory addr
mov rdi, r15 ; fd, closing it so "child" doesn't have an extra fd, takes space tho
mov eax, 3 ; 3 = close(2)
syscall ; not checking this one, since if I couldn't close, who cares
cld ; clear direction (for scas*)
mov al, 0xA ; needle, newline 0xA = '\n'
mov rdi, r14 ; hay
mov rcx, [rsp+stsz] ; hay size
repne scasb ; search for it
cmp rcx, 0
je .5 ; found
add rsp, st ; pop struct stat from stack
jmp rdi ; "load" "child"
mov edi, 0
jmp exit
.5:
mov edi, 5
exit:
mov eax, 60 ; 60 = exit(2)
syscall
And build like this:
1
2
3
4
5
6
7
8
9
$ nasm -felf64 bld.asm
$ ld -static -nostdlib bld.o -o bld
$ ./xyzzy
Nothing happens.
$ ls -lh xyzzy bld
-rwxr-xr-x 1 dwlr dwlr 5.0K May 22 23:55 bld
-rwxr-xr-x 1 dwlr dwlr 54 May 22 23:41 xyzzy
$ strip bld
-rwxr-xr-x 1 dwlr dwlr 4.4K May 22 23:56 bld
It’s literally the same program as the C one, but in assembly. You can read the comments if you’re
bad at assembly like me, and I wasn’t trying too hard to optimize its code size. Partially because
I don’t really know how, since as I said, I am not an assembly wizard. 4.4K! Not bad, but we can do
way better. gcc and ld put a lot of cruft we don’t really need for our purposes, so let’s ditch
ld and just handroll an ELF straight in the assembly! The only difference between the above
program, and the following is the ELF headers, so I will skip the actual code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
bits 64
BASE: equ 0x400000
ENTRY: equ BASE + _start
PAGESZ: equ 0x1000
elfhead:
db 0x7F, "ELF" ; magic
db 2 ; 64-bit
db 1 ; Little Endian
db 1 ; ELF Version
db 3 ; Linux
db 0 ; ignored on Linux
times 7 db 0 ; padding
dw 2 ; executable file
dw 0x3E ; AMD64
dd 1 ; ELF Version, again
dq ENTRY ; program entry
dq progheads ; program headers offset
dq sectheads ; section headers offset
dd 0 ; flags
dw elfsz ; size of this ELF header
dw pgsz ; size of 1 program header
dw 1 ; num of program headers
dw scsz ; size of 1 section header
dw 0 ; num of secttion headers
dw 0 ; section header string table index
elfsz: equ $-elfhead
progheads:
dd 1 ; Load
dd 1|2|4 ; Exec | Write | Read
dq 0 ; offset
dq BASE ; virt mem addr
dq BASE ; phys mem addr if applic.
dq allsz ; file size
dq allsz ; mem size
dq PAGESZ ; alignment
pgsz: equ $-progheads
sectheads: equ 0
scsz: equ 0 ;$-sectheads
st: equ 144 ; sizeof(struct stat)
stsz: equ 48 ; offsetof(struct stat, st_size)
text:
_start:
; ... same code here as in previous code segement's _start function
textsz: equ $-text
allsz: equ $-elfhead
We build same as xyzzy: nasm -fbin bld.asm and chmod +x bld it.
If you just go to Wikipedia and find the page about
ELFs you can see the whole format,
I just replicated the structure straight in the assembly. If you’re totally unfamiliar with assembly
the db, dw, dd, dq define a byte, word(16 bits), double word(32bit) and quad word(64bits)
respectively straight in the resulting binary. So I just define all the fields we need starting from
the beginning of the binary. equ is kind of like #define in C. It stores the value but does not
emit it into the binary. $ is the current location in binary, which is auto-incremented as we add
things, including code. The labels are the same as in C. Although to be honest if you’re reading
this and know C, you must be familiar enough to get this, so IDK who I am explaining this to. :P
Search the web if you’re totally lost.
So, the only things we are required to have a valid ELF are: the ELF header, that describes what ISA (Instruction Set Architecture) and what ABI (Application Binary Interface) the ELF is for. As well as, at least 1 Program Header that points the ELF loader where to find, where to and how to load the executable code in the binary. Of course normal ELFs have way more than this, especially if you have debugging info embedded into it, but this is not an article on ELFs and DWARFs. Linux will use System V or GNU/Linux for ABI on AMD64(x86_64) ISA. Out executable is non-PIE (Position Independent Code) so we just provide a static address as an entry point. The single program header asks the ELF loader to load the code binary as readable, writable (don’t really need this, but if you’re into self-modifying code and security breaches this is for you ;)) and executable memory and tells how big it is. That’s it!
Let’s see the results:
1
2
3
$ ls -lh xyzzy bld
-rwxr-xr-x 1 dwlr dwlr 308 May 22 23:41 bld
-rwxr-xr-x 1 dwlr dwlr 54 May 22 23:41 xyzzy
Now we’re talking! Only 308 bytes! I can live with that, but what I can’t live with is, is it not actually loading the binary as a new executable. It’s more of a “module” loader. Which is fine, but not what I really wanted. Let’s fix that.
The main problem here, is that we want to load a program without using kernel’s
execve(2) syscall.
You know the one that actually loads a program into memory. Why? It was already called by the shell
(usually), failed to load an ELF (since xyzzy isn’t an ELF), saw “#!” and passed the path to us!
So we’re past the execve(2) and, as I said, xyzzy isn’t and ELF.
My first idea was to basically do execve(2) ourselves, without the kernel. Using
fork(2) +
ptrace(2) + reading and writing to the
/proc/$pid/mem I could change the child’s memory, close fds and do general clean up. This is
essentially how gdb and other debuggers are able to change stuff in debugee program. But that
sounds like a lot of work, not to mention I never used ptrace(2) so I would have to learn it. And
even though that might be fun, I wasn’t feeling it at the time. This idea came to me before I wrote
the assembly version of the loader.
Maybe you noticed, but the way the Program Headers are set up, I don’t just load the code into memory, I load the whole file. Including the ELF header. A new idea hatched:
xyzzy for us) after the ELF copyThere was one snag, execve(2) only takes a file path to the executable… Well, we could write out the new ELF to /tmp and launch that, but that just feels wrong. Fortunately, since Linux 3.17 we’ve got a new very useful syscall - memfd_create(2). So we can create a file purely in memory. I can then map it as a shared memory and basically have a view into the file. Okay that’s all cool and nice, but don’t we need a file path not an open fd? An observant reader would ask me. And you would be correct, but some time after Linux 3.19 there was a new syscall - execveat(2). At first glance it won’t help us, since it’s just like openat(2) but for executing instead of opening files. That is, it uses a directory fd as a root to search for file path relative to. But if you read the man page:
If pathname is an empty string and the AT_EMPTY_PATH flag is specified, then the file descriptor dirfd specifies the file to be executed (i.e., dirfd refers to an executable file, rather than a directory).
Bingo! So the plan of action is:
We don’t need to worry about open(2) files and memfd_create(2)ed by us since we pass them O_CLOEXEC and MFD_CLOEXEC. So they automatically close on execveat(2). We didn’t really do anything else to pollute the child’s execution environment, except mmap(2), but execve(2) and execveat(2) create a whole new memory map for the new process, so it’s not inherited. Although you could say it is, since the new program is running from the memfd memory. Anyways! Even though the code is very similar to the previous one, I will paste the whole listing here:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
bits 64
BASE: equ 0x400000
ENTRY: equ BASE + _start
PAGESZ: equ 0x1000
elfhead:
db 0x7F, "ELF" ; magic
db 2 ; 64-bit
db 1 ; Little Endian
db 1 ; ELF Version
db 3 ; Linux
db 0 ; ignored on Linux
times 7 db 0 ; padding
dw 2 ; executable file
dw 0x3E ; AMD64
dd 1 ; ELF Version, again
e_entr: dq ENTRY ; program entry
dq progheads ; program headers offset
dq sectheads ; section headers offset
dd 0 ; flags
dw elfheadsz ; size of this ELF header
dw pgsz ; size of 1 program header
dw 1 ; num of program headers
dw scsz ; size of 1 section header
dw 0 ; num of secttion headers
dw 0 ; section header string table index
elfheadsz: equ $-elfhead
progheads:
dd 1 ; Load
dd 1|2|4 ; Exec | Write | Read
dq 0 ; offset
dq BASE ; virt mem addr
dq BASE ; phys mem addr if applic.
ph_fsz: dq allsz ; file size
ph_msz: dq allsz ; mem size
dq PAGESZ ; alignment
pgsz: equ $-progheads
sectheads: equ 0
scsz: equ 0 ;$-sectheads
elfsz: equ $-elfhead
st: equ 144 ; sizeof(struct stat)
stsz: equ 48 ; offsetof(struct stat, st_size)
memfdname: db 'elfstub',0
text:
_start:
mov rbp, rsp
cmp DWORD [rbp], 2 ; [rbp] = argc
jge .1 ; argc < 2 ?
xor edi, edi
inc edi
jmp exit
.1:
mov eax, 2 ; 2 = open(2)
lea rdi, [rbp+16] ; [rbp+16] = argv[1]
mov rdi, [rdi]
mov esi, 0x80000 ; 02000000 == 0x80000 == O_CLOEXEC, O_RDONLY == 0
xor edx, edx ; no mode, not creating
syscall
cmp eax, 0
jge .2 ; fd < 0 ?
mov edi, 2
jmp exit
.2:
mov r15, rax ; save fd
sub rsp, st ; push struct stat onto a stack
mov rdi, r15 ; fd
mov rsi, rsp ; struct stat*
mov eax, 5 ; 5 = fstat(2)
syscall
cmp eax, 0
je .3 ; ret != 0 ?
mov edi, 3
jmp exit
.3:
lea rdi, [rel memfdname] ; name
mov esi, 1 ; 1 == MFD_CLOEXEC
mov eax, 319 ; 319 = memfd_create(2)
syscall
mov r12, rax ; save memfd
cmp eax, 0
jge .4 ; ret < 0 ?
mov edi, 4
jmp exit
.4:
mov rdi, r12 ; memfd
mov rsi, [rsp+stsz] ; st.st_size + full ELF size
add rsi, elfsz
mov eax, 77 ; 77 = ftruncate(2)
syscall
cmp eax, 0
jge .5 ; ret < 0 ?
mov edi, 5
jmp exit
.5:
xor edi, edi ; NULL
; RSI, size unchanged
mov edx, 1|2|4 ; PROT_READ | PROT_WRITE | PROT_EXEC
mov r10, 1 ; MAP_SHARED
mov r8, r12 ; memfd
xor r9, r9 ; offset
mov eax, 9 ; 9 = mmap(2)
syscall
cmp rax, -1
jne .6 ; ret == MAP_FAILED
mov edi, 6
jmp exit
.6:
mov r14, rax ; save new memory addr
cld ; clear direction (for scas*/stos*)
mov rsi, BASE ; source, start of own image, ELF heaer
mov rdi, r14 ; dest, newmem
mov rcx, elfsz / 8 ; size, ELF headers size
rep movsq ; memcpy(3)
mov rsi, rdi ; newmem + elf header
mov rdi, r15 ; fd = file
mov rdx, [rsp+stsz] ; size
xor eax, eax ; 0 = read(2)
syscall
cmp rax, rdx
je .7 ; ret != st.st_size ?
mov edi, 7
jmp exit
.7:
mov r13, rsi ; save newmem + ELF header offset
mov al, 0xA ; needle, newline 0xA = '\n'
mov rdi, r13 ; hay
mov rcx, [rsp+stsz] ; hay size
repne scasb ; search for it
cmp rcx, 0
jne .8 ; not found
mov edi, 8
jmp exit
.8:
sub rdi, r14 ; patch e_entr in memfd = BASE + (BinStart['\n'] - BinStart)
add rdi, BASE
mov [r14+e_entr], rdi
mov rdi, [rsp+stsz] ; load st.st_size and patch memfd ELF Prog. Headers
mov [r14+ph_fsz], rdi
mov [r14+ph_msz], rdi
mov rdi, r12 ; memfd
mov BYTE [rbp-16], 0
lea rsi, [rbp-16]
lea rdx, [rbp+16] ; argv = loader argv + 1
mov rax, [rbp] ; tmp argc
lea r10, [rbp + rax*8 + 16] ; envp
mov r8, 0x1000 ; AT_EMPTY_PATH = 0x1000
mov eax, 322 ; 322 = exeveat(2)
syscall
.9:
mov edi, 9
exit:
mov eax, 60 ; 60 = exit(2)
syscall
textsz: equ $-text
allsz: equ $-elfhead
And that’s it, we build it the same way as before aaaand:
1
2
3
4
5
$ ls -lh xyzzy bld
-rwxr-xr-x 1 dwlr dwlr 493 May 23 01:06 bld
-rwxr-xr-x 1 dwlr dwlr 54 May 23 01:06 xyzzy
$ ./xyzzy
Nothing happens.
One more thing to mention, is the need to pass command line arguments, and the environment to the
child. That’s easily done by dereferencing argc from rsp register (stack pointer), then skipping
the required number of argv pointers + 1 more one (there’s NULL pointer after last one) and
that’s your envp environment pointers. We, of course, also skip the 1st argument as it would be
“./bld”.
And that’s about it. Last thing I wanted to mention is that while developing this
strace(1) was an invaluable help. As
I could write simple and normal C programs, and see what they do, as well as quickly debug wrong
arguments to syscalls in my assembly programs. Much quicker than loading gdb and stepping through
it.
1
2
3
4
5
6
7
8
9
10
11
12
$ strace ./xyzzy > /dev/null
execve("./xyzzy", ["./xyzzy"], 0x7fff60023570 /* 86 vars */) = 0
open("./xyzzy", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=54, ...}) = 0
memfd_create("elfstub", MFD_CLOEXEC) = 4
ftruncate(4, 174) = 0
mmap(NULL, 174, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, 4, 0) = 0x7f29e6ecf000
read(3, "#!./bld\n1\377\377\307H\2155\22\0\0\0\272\21\0\0\0\211\370\17\5\377\317\270<"..., 54) = 54
execveat(4, "", ["./xyzzy"], 0x7ffdcf145970 /* 86 vars */, AT_EMPTY_PATH) = 0
write(1, "Nothing happens.\n", 17) = 17
exit(0) = ?
+++ exited with 0 +++
After a break, I think I will try to move the bld into kernel proper, could be fun! Bye! o/