These are the basic steps:
- Read the program headers to find the LOAD directives and determine the total length of the mappings you need, in pages.
- Map the LOAD directive with the lowest address for the total length (which may be longer than the file length), allowing mmap to assign you an address. This will reserve a virtual address range.
- Map the remaining LOAD directives on top of this mapping using MAP_FIXED.
- Use the program headers to find the DYNAMIC vector, which in turn will give you the address of the relocation vector.
- Apply relocations. Assuming your binary is a PIE binary linked appropriately, they should consist entirely of RELATIVE relocations (just adding the base load address), meaning you don't have to do any symbol lookups or anything fancy.
- Build an ELF program entry stack consisting of the following sequence of system-word-size values in an array on the stack:
  ARGC ARGV[0] ARGV[1] ... ARGV[ARGC-1] 0 ENVIRON[0] ENVIRON[1] ... ENVIRON[N] 0 0
- (This step requires asm!) Point the stack pointer at the beginning of this array and jump to the entry point of the loaded program (which can be found in the program headers).
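As an added C example (not part of the answer above), the first and fifth steps of the procedure on x86-64 Linux: computing the page-aligned reservation from the program headers and applying RELATIVE relocations, with the bounds checks a loader should perform because both the headers and the relocation table come straight from the file. `load_span`, `apply_relative`, the sample headers and the `image` buffer are all constructed for this example; the mmap/MAP_FIXED calls, the stack array and the asm jump are left out.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>
#define PAGE 4096UL

/* Step 1: page-aligned span of all PT_LOAD segments: lowest vaddr rounded down and the
 * total length the first mmap must reserve. p_memsz (not p_filesz) is used, which is
 * why the reservation can be longer than the file (.bss). */
static int load_span(const Elf64_Phdr *ph, size_t n, uint64_t *lo, uint64_t *len)
{
    uint64_t min = UINT64_MAX, max = 0;
    for (size_t i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        uint64_t end = ph[i].p_vaddr + ph[i].p_memsz;
        if (end < ph[i].p_vaddr) return -1;      /* hostile header: address wraps */
        if (ph[i].p_vaddr < min) min = ph[i].p_vaddr;
        if (end > max) max = end;
    }
    if (max == 0) return -1;                     /* no loadable segment at all */
    *lo = min & ~(PAGE - 1);
    *len = (max - *lo + PAGE - 1) & ~(PAGE - 1);
    return 0;
}

/* Step 5: apply R_X86_64_RELATIVE entries, *(base + r_offset) = base + r_addend. The table
 * comes from the file, so each target is bounds-checked against the mapping and any other
 * relocation type (which would need a symbol lookup) is refused. */
static int apply_relative(uint8_t *base, uint64_t map_len, const Elf64_Rela *rela, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (ELF64_R_TYPE(rela[i].r_info) != R_X86_64_RELATIVE) return -1;
        if (rela[i].r_offset > map_len - sizeof(uint64_t)) return -1;
        uint64_t v = (uint64_t)(uintptr_t)base + (uint64_t)rela[i].r_addend;
        memcpy(base + rela[i].r_offset, &v, sizeof v);
    }
    return 0;
}

/* Constructed sample: PT_PHDR plus two PT_LOAD segments (the second with trailing .bss),
 * one RELATIVE entry, and a buffer standing in for the mmap'd reservation. */
static const Elf64_Phdr sample_ph[3] = {
    { .p_type = PT_PHDR, .p_vaddr = 0x40, .p_memsz = 0xa8 },
    { .p_type = PT_LOAD, .p_vaddr = 0x0,    .p_filesz = 0x1200, .p_memsz = 0x1200 },
    { .p_type = PT_LOAD, .p_vaddr = 0x2000, .p_filesz = 0x100,  .p_memsz = 0x800 },
};
static const Elf64_Rela sample_rela[1] = {
    { .r_offset = 0x2008, .r_info = ELF64_R_INFO(0, R_X86_64_RELATIVE), .r_addend = 0x1000 },
};
static uint8_t image[3 * PAGE];
```

With the sample headers `load_span` yields a 0x3000-byte reservation starting at 0, and `apply_relative` writes `image + 0x1000` at `image + 0x2008` while rejecting an out-of-range offset or a non-RELATIVE entry.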