fexecve is defined in the IEEE Std 1003.1-2008 (POSIX.1-2008) standard, but it is not widely supported by the libc implementations of different systems.
The aim is to avoid creating our own executable/library loader, and to avoid ever writing to the filesystem, as that leaves an audit trail of sorts.
The underlying premise for Unix-like platforms relies on having one of two options available:
- Have a /proc filesystem where open file descriptors can be accessed like regular files and passed to exec like normal paths.
- Have a libc or kernel system call which performs special handling of file descriptors to exec them directly, aka fexecve.
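From the defender's side, both options leave a trace in /proc on Linux even though nothing is written to disk. The following is an added example, not code from the original page: it flags processes whose image is descriptor-backed, assuming Linux /proc semantics (an anonymous memfd image shows up as `/memfd:<name> (deleted)`, which the page itself does not mention); the function names and sample records are constructed for illustration.

```python
import os
import re

# Exec paths that name an open descriptor rather than a file on disk.
FD_PATH = re.compile(r"^/(?:proc/(?:self|thread-self|\d+)/fd|dev/fd)/\d+$")


def classify(exe_target, exec_path=""):
    """Return the reasons a process image looks descriptor-backed.

    exe_target: result of readlink on /proc/<pid>/exe
    exec_path:  path argument recorded for the exec call, if an audit source has it
    """
    reasons = []
    if exe_target.startswith("/memfd:"):
        reasons.append("image is an anonymous memfd")
    elif exe_target.endswith(" (deleted)"):
        reasons.append("image file has been unlinked")
    if FD_PATH.match(exec_path):
        reasons.append("exec path is a file-descriptor link")
    return reasons


def scan_proc(proc_root="/proc"):
    """Walk a live Linux /proc and return {pid: reasons} for flagged processes."""
    flagged = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        reasons = classify(target)
        if reasons:
            flagged[int(entry)] = reasons
    return flagged


# Constructed sample records: (exe link target, exec path seen by an audit source)
SAMPLES = [
    ("/usr/sbin/sshd", "/usr/sbin/sshd"),
    ("/memfd:payload (deleted)", "/proc/self/fd/3"),
    ("/tmp/.x (deleted)", "/tmp/.x"),
    ("/usr/bin/python3.11", "/dev/fd/5"),
]

if __name__ == "__main__":
    for exe, path in SAMPLES:
        print(exe, path, classify(exe, path))
```

A long-running daemon whose binary was replaced by a package upgrade also shows `(deleted)`, so treat that reason as a triage signal rather than a verdict.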
For Windows platforms there are two options available:
- Hook ntos.dll calls so when it tries to load an executable / library you can read from a buffer
- Re-implement the loader, e.g. MemoryModule or the various Meterpreter EXE loaders.
Man pages and related info for fexecve on non-Linux platforms:
sys_fexecve returns ENOSYS...