executing a process with argc=0

痞子三分冷 submitted on 2019-12-01 03:28:26

You can write a program that calls exec directly; that allows you to specify the command-line arguments (including the program name) and lack thereof.

You may use linux system call execve().

int execve(const char *filename, char *const argv[], char *const envp[]);

You may pass the filename of the executable and a null pointer as argv[] to execute the binary, and argc will be zero.

Here is my test code:

#include <stdio.h>
#include <unistd.h>

int main( void ) {
    char *argv[]={ NULL };        /* empty vector: the target sees argc == 0 */
    execv( "./target", argv );
    perror( "execv" );            /* only reached if the exec fails */
    return ( 1 );
}

And the strace result is:

execve("./target", [], [/* 20 vars */]) = 0

You could use envp[] to pass the arguments you defined anyway.

Furthermore, you could use assembly language to reach your goal (argc == 0 but you still need to pass arguments). I assume that you are using a 32-bit x86 environment.

The concept is that:

  • store 0x0b ($SYS_execve) into %eax
  • put the address of argv[] into %ebx
  • put the address of envp[] into %ecx
  • then use int 0x80 to do a system call

The memory structure is shown below:

+--------------------------------------------------+     
|               +----------------------------------|-----+
v               v               v------------------|-----|-----+
[arg_0][\0][...][arg_1][\0][...][arg_2][\0][...][ptr0][ptr1][ptr2][\0]
                                                ^
                                                |   (argv[] = NULL)
                                                +--- envp

I am wondering whether you are doing the lab assignment of the course provided by Prof. Taesoo Kim (GATech). Course link: https://tc.gtisc.gatech.edu/cs6265

Or is it a hacker CTF (catch-the-flag contest) problem?

You could write a C program that spawns/execs the other program with no argv, like:

#include <spawn.h>
#include <stdlib.h>
#include <sys/wait.h>   /* waitpid() */
#include <unistd.h>     /* pid_t */

int main(int argc, char** argv, char** envp)
{
    pid_t pid;
    char* zero_argv[] = {NULL};   /* empty argv: the child sees argc == 0 */
    if (posix_spawn(&pid, "./that_app", NULL, NULL, zero_argv, envp) != 0)
        return 1;

    int status;
    waitpid(pid, &status, 0);     /* pid is passed by value; no options */
    return 0;
}
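As an added example (not code from any of the answers above), the following C program ties together the execve()/envp[] idea from the second answer and the launcher pattern from the posix_spawn answer, and adds the side those answers leave out: how the launched program should behave when argc is 0. It forks, re-executes its own image with an empty argv and carries its data in envp[], and on the child side only touches argv[0] after checking argc. The path /proc/self/exe and the environment variable name ARGC0_DEMO are assumptions (Linux-specific and chosen for this example).

```c
/* Added example: launch a process with argc == 0, pass data via envp[],
 * and handle argc == 0 defensively on the receiving side. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Safe program-name lookup: argv[0] is NULL (or absent) when argc == 0,
 * so a program must not dereference it unconditionally. */
const char *program_name(int argc, char *const argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return "(no argv[0])";
    return argv[0];
}

/* Count a NULL-terminated vector; tolerates a NULL vector pointer. */
int count_vector(char *const vec[])
{
    int n = 0;
    if (vec == NULL)
        return 0;
    while (vec[n] != NULL)
        n++;
    return n;
}

/* Find "NAME=value" in a NULL-terminated envp[]; returns the value or NULL. */
const char *env_lookup(char *const envp[], const char *name)
{
    size_t len = strlen(name);
    if (envp == NULL)
        return NULL;
    for (int i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    }
    return NULL;
}

int main(int argc, char *argv[], char *envp[])
{
    /* Child side: we were re-executed with an empty argv, data is in envp. */
    const char *payload = env_lookup(envp, "ARGC0_DEMO");   /* assumed name */
    if (payload != NULL) {
        printf("child: argc=%d argv[0]=%s payload=%s\n",
               argc, program_name(argc, argv), payload);
        return 0;
    }

    /* Parent side: fork, then execve our own image with argv = { NULL }. */
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        char *const empty_argv[] = { NULL };                   /* argc == 0 */
        char *const child_envp[] = { "ARGC0_DEMO=hello-from-envp", NULL };
        /* /proc/self/exe is Linux-specific (assumption: running on Linux). */
        execve("/proc/self/exe", empty_argv, child_envp);
        perror("execve");
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {   /* pid by value, options = 0 */
        perror("waitpid");
        return 1;
    }
    printf("parent: child exited with status %d\n", WEXITSTATUS(status));
    return 0;
}
```

Running it prints the child line with argc=0 and argv[0]=(no argv[0]); the same strace view as in the answer above shows execve("/proc/self/exe", [], [...]). The three helpers are what a target program should use instead of reading argv[0] blindly.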