Non-Linux, e.g. Solaris & FreeBSD, in-memory execution support #4
Description
fexecve is defined in the IEEE Std 1003.1-2008 (POSIX.1-2008) standard, however it's not so widely supported by the libc of various different systems.
The aim is to avoid creating our own executable/library loader, and avoid ever writing to the filesystem as that leaves an audit-trail of sorts.
The underlying premise for Unix-like platforms relies having one of two options available:
- Have a /proc filesystem where open file descriptors can be accessed like regular files and passed to
execlike normal paths. - Have a libc or kernel system call which performs special handling of file descriptors to exec them directly, aka
fexecve.
For Windows platforms there are two options available:
- Hook ntos.dll calls so when it tries to load an executable / library you can read from a buffer
- Re-implement the loader, e.g. MemoryModule or the various Meterpreter EXE loaders.
Man pages and related info for fexecve on non-Linux platforms:
- POSIX / opengroup - http://pubs.opengroup.org/onlinepubs/9699919799/functions/fexecve.html
- https://www.freebsd.org/cgi/man.cgi?query=fexecve&sektion=2
- https://docs.oracle.com/cd/E36784_01/html/E36872/fexecve-2.html
- Illumos - https://illumos.org/issues/5798
- AIX v7.1 - http://www-01.ibm.com/support/docview.wss?uid=isg1IV26545
- Cygwin - https://github.com/mirror/newlib-cygwin/blob/f763e2dc88d04430dd2524a529eef91a2e517e4e/winsup/cygwin/exec.cc#L111
- OpenBSD 5.9 doesn't support fexecve
- NetBSD doesn't support fexecve,
sys_fexecvereturns ENOSYS...