Note
  • Introduction
  • PWN
    • __libc_csu_init函数的通用gadget
    • _int_malloc源码分析
    • _IO_FILE利用思路总结
    • C++ 虚表分析
    • Fast_bin笔记
    • house_of_force
    • House_of_Roman
    • Linux_ShellCode
    • Return-to-dl-resolve原理及利用
    • Unlink利用原理
    • Unsorted_Bin_Attack
    • 获取libc方法
    • 利用main_arena泄露libc基址
    • 整数溢出
    • 重写.fini_array函数指针
    • Windows_SEH利用
  • Windows_Operating_System
    • Dll隐藏
    • Dll注入之远程线程注入
    • IAT_HOOK原理实现
    • Windows下通用ShellCode原理
    • 代码注入
    • inline_hook框架
    • 32位程序调用64位函数原理
    • 调试原理
    • Windows异常处理初探
    • Windows_SEH利用
  • Windows_Kernel
    • MSR_HOOK
    • SSDT_HOOK
  • Virus_Analysis
  • Program
    • Dll的生成与使用
  • Miscellaneous
    • ctf笔记
    • 常见算法特征总结
    • ELF文件笔记
  • Linux_Operating_System
    • 系统调用
    • 分页机制
    • 调试原理
    • linux无文件执行elf
    • egg hunter
    • 缺失的动态链接库
  • Linux_Kernel
    • KERNEL_PWN状态切换原理及KPTI绕过
  • IOT
    • IOT调试环境搭建
    • mips_arm汇编学习
    • Cisco RV160W系列路由器漏洞:从1day分析到0day挖掘
  • Symbolic_Execution
    • angr初探
    • angr_进阶
  • Fuzz
    • UAF_overflow_check
    • intel-pin
  • CVE
    • Cisco RV160W系列路由器漏洞:从1day分析到0day挖掘
  • Assembly
    • Junk_Code_Analysis
    • opcode
  • Andriod_Security
Powered by GitBook
On this page

Was this helpful?

  1. Linux_Operating_System

linux无文件执行elf

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/memfd.h>
#include <sys/syscall.h>
#include <errno.h>

int anonyexec(const char *path, char *argv[])
{
    int   fd, fdm, filesize;
    void *elfbuf;
    char  cmdline[256];

    fd = open(path, O_RDONLY);
    filesize = lseek(fd, SEEK_SET, SEEK_END);
    lseek(fd, SEEK_SET, SEEK_SET);
    elfbuf = malloc(filesize);
    read(fd, elfbuf, filesize);
    close(fd);
    fdm = syscall(__NR_memfd_create, "elf", MFD_CLOEXEC);
    ftruncate(fdm, filesize);
    write(fdm, elfbuf, filesize);
    free(elfbuf);
    sprintf(cmdline, "/proc/self/fd/%d", fdm);
    argv[0] = cmdline;
    execve(argv[0], argv, NULL);
    free(elfbuf);
    return -1;
}

int main()
{
    char *argv[] = {"/bin/name", "-a", NULL};
    int result =anonyexec("/bin/name", argv);
    return result;
}
Previous调试原理Nextegg hunter

Last updated 5 years ago

Was this helpful?