In the case of compiled binaries, which are predominantly ELF these days, execve() invokes the appropriate loader functions to move the binary image from disk into memory, to perform the initial stack setup, and ultimately to transfer control to the new program.

The execve() function is implemented within the Linux kernel by the do_execve() function, which can be found in a file named fs/exec.c. ELF binaries are loaded using functions contained in the file fs/binfmt_elf.c. By exploring these two files, you can learn the exact process by which binaries are loaded and, more specifically, understand the exact stack setup that you can expect a binary to have as it begins execution.

Working from the bottom of the stack upward (refer to Figure 18-4), the layout created by execve() consists of:
- A 4-byte null at address 0xBFFFFFFC.
- The pathname used to launch the program. This is a null-terminated ASCII string. An attacker often knows the exact pathname and can therefore compute the exact start address of this string. We will return to this field later to discuss more interesting uses for it.
- The "environment" of the program as a series of null-terminated ASCII strings. The strings are usually in the form of name=value, for example, TERM=vt100.
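The top of this layout can be verified from inside a running process. The following added example (not code from the book) walks from the last environment string upward to the pathname string and the terminating null word, and cross-checks the pathname pointer against the AT_EXECFN auxiliary-vector entry; it assumes a Linux kernel (the string order comes from fs/exec.c) and glibc's getauxval().

```c
/* Added example: inspect the execve() stack layout described above.
 * Assumes Linux (string order set by fs/exec.c) and glibc for getauxval(). */
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

extern char **environ;   /* the envp array the kernel built for this process */

/* The kernel copies the pathname first (highest address), then the environment
 * strings, then the argv strings, with no padding between them. So the byte
 * after the NUL of the last environment string is the start of the pathname.
 * Returns NULL if the environment is empty (nothing to walk past). */
const char *pathname_above_env(char **envp)
{
    if (envp == NULL || envp[0] == NULL)
        return NULL;
    char **last = envp;
    while (last[1] != NULL)
        last++;
    return *last + strlen(*last) + 1;
}

/* The pathname's NUL is the last byte before the final null word at the top
 * of the stack (4 bytes on 32-bit x86, 8 bytes on 64-bit; with ASLR its
 * address varies per run). Return 1 if that word is entirely zero. */
int top_null_word_is_zero(const char *pathname)
{
    const unsigned char *w = (const unsigned char *)pathname + strlen(pathname) + 1;
    for (size_t i = 0; i < sizeof(void *); i++)
        if (w[i] != 0)
            return 0;
    return 1;
}

/* Cross-check against the kernel's own record: AT_EXECFN points at the same
 * pathname string. Returns 1 when the walked layout agrees (or when there is
 * no environment to walk), 0 otherwise. */
int layout_matches_auxv(void)
{
    const char *p = pathname_above_env(environ);
    if (p == NULL)
        return 1;
    const char *execfn = (const char *)getauxval(AT_EXECFN);
    return p == execfn && top_null_word_is_zero(p);
}

int main(void)
{
    const char *p = pathname_above_env(environ);
    if (p == NULL) { puts("empty environment"); return 0; }
    printf("pathname         : %s at %p\n", p, (const void *)p);
    printf("top null word at : %p (zero: %d)\n", (const void *)(p + strlen(p) + 1), top_null_word_is_zero(p));
    printf("matches AT_EXECFN: %d\n", layout_matches_auxv());
    return 0;
}
```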