"Statifier takes a "memory snapshot" of the process, created by the loader
when the loader has ALREADY finished relocation and BEFORE the loader invokes any
INIT function.
What now ? Now this "memory snapshot" should be somehow loaded
and run from the point where the loader was stopped.
Who will be so kind to do it for us ?
Kernel !
Let's save the "memory snapshot", i.e. all segments from the executable and
libraries loaded by the loader, as an ELF file with a program header of type
'LOAD' for each segment, and the entry point set to the address
where execution was stopped to take the snapshot.
In this case, the kernel will think it's a statically linked executable.
(Because there is no 'INTERP' segment)
As we already know, the kernel loads a statically linked executable as follows:
- load all 'LOAD' segments
- jump to the executable's entry point.
That's it !"
So the way it works kills ASLR. But it should be possible to do something similar, keeping all relocations, and that still works with ASLR (but that would need an INTERP).
You can have a statically-linked binary with no INTERP that still uses ASLR, by compiling with "-static-pie". IMO, improvements to statifier should go in that direction, rather than just giving up and using INTERP.
You can theoretically, but there are now segments not covered by a reloc section with the way statifier is currently working. Unless it builds those too and I'm missing it somehow...
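The thread above turns on what the kernel's ELF loader reads from the headers: an image with no PT_INTERP is treated as static, and whether it can be relocated (and so get ASLR) depends on e_type being ET_DYN, which is what -static-pie produces, rather than ET_EXEC, which is what a fixed-address snapshot gives. The following is an added example, not code from Statifier or from any commenter, that parses an ELF64 image's program headers and classifies it into those three cases; it builds three constructed sample images in memory (the addresses, segment sizes and the names `summarize_elf`/`build_sample` are this example's own assumptions, not anything Statifier emits), and the classification rule is a simplification of what binfmt_elf does, not a copy of it.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three outcomes the discussion distinguishes. */
enum elf_kind { ELF_BAD = -1, ELF_STATIC_EXEC, ELF_STATIC_PIE, ELF_DYNAMIC };

struct elf_summary {
    enum elf_kind kind;
    uint64_t entry;     /* e_entry: where the kernel jumps for a static image */
    int n_load;         /* number of PT_LOAD segments the kernel would map */
    int has_interp;     /* PT_INTERP present -> a dynamic loader runs first */
    int has_dynamic;    /* PT_DYNAMIC present -> relocation info exists */
};

const char *kind_name(enum elf_kind k)
{
    switch (k) {
    case ELF_STATIC_EXEC: return "static, fixed address (ET_EXEC, no INTERP): no ASLR";
    case ELF_STATIC_PIE:  return "static PIE (ET_DYN, no INTERP): kernel picks the base";
    case ELF_DYNAMIC:     return "dynamic (INTERP present): ld.so relocates it";
    default:              return "not a usable ELF64 image";
    }
}

/* Parse the ELF header and program headers of an in-memory image.
 * Returns 0 on success, -1 if the image is truncated or not ELF64. */
int summarize_elf(const unsigned char *buf, size_t len, struct elf_summary *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    /* Bounds check before walking the program header table. */
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;

    memset(out, 0, sizeof *out);
    out->entry = eh.e_entry;
    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD) out->n_load++;
        else if (ph.p_type == PT_INTERP) out->has_interp = 1;
        else if (ph.p_type == PT_DYNAMIC) out->has_dynamic = 1;
    }
    if (out->has_interp)           out->kind = ELF_DYNAMIC;
    else if (eh.e_type == ET_DYN)  out->kind = ELF_STATIC_PIE;
    else if (eh.e_type == ET_EXEC) out->kind = ELF_STATIC_EXEC;
    else                           out->kind = ELF_BAD;
    return 0;
}

/* Constructed sample image (assumed layout, headers only, no segment bytes):
 * two PT_LOAD segments and an optional PT_INTERP. Returns bytes written, 0 on error. */
#define SAMPLE_ENTRY 0x401000ULL

size_t build_sample(unsigned char *buf, size_t cap, uint16_t e_type, int with_interp)
{
    int nph = 2 + (with_interp ? 1 : 0);
    size_t need = sizeof(Elf64_Ehdr) + (size_t)nph * sizeof(Elf64_Phdr);
    if (cap < need) return 0;
    memset(buf, 0, need);

    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = e_type;           /* ET_EXEC: fixed addresses; ET_DYN: relocatable */
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_entry = SAMPLE_ENTRY;    /* for ET_DYN this is relative to the load base */
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = (uint16_t)nph;
    memcpy(buf, &eh, sizeof eh);

    Elf64_Phdr ph;
    unsigned char *p = buf + sizeof eh;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_LOAD; ph.p_flags = PF_R | PF_X; ph.p_vaddr = 0x400000; ph.p_filesz = ph.p_memsz = 0x2000; ph.p_align = 0x1000;
    memcpy(p, &ph, sizeof ph); p += sizeof ph;
    ph.p_flags = PF_R | PF_W; ph.p_vaddr = 0x402000; ph.p_offset = 0x2000; ph.p_filesz = ph.p_memsz = 0x1000;
    memcpy(p, &ph, sizeof ph); p += sizeof ph;
    if (with_interp) {
        memset(&ph, 0, sizeof ph);
        ph.p_type = PT_INTERP; ph.p_flags = PF_R; ph.p_filesz = ph.p_memsz = 0x1c;
        memcpy(p, &ph, sizeof ph);
    }
    return need;
}

int main(void)
{
    static const struct { const char *name; uint16_t type; int interp; } cases[] = {
        { "statifier-style snapshot", ET_EXEC, 0 },
        { "-static-pie binary",       ET_DYN,  0 },
        { "ordinary dynamic binary",  ET_DYN,  1 },
    };
    unsigned char img[512];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct elf_summary s;
        size_t n = build_sample(img, sizeof img, cases[i].type, cases[i].interp);
        if (n == 0 || summarize_elf(img, n, &s) != 0) { puts("bad image"); return 1; }
        printf("%-26s -> %s; entry 0x%llx, %d LOAD segments\n", cases[i].name,
               kind_name(s.kind), (unsigned long long)s.entry, s.n_load);
    }
    return 0;
}
```

On a real file the same distinction is visible with `readelf -h` (the "Type:" line, EXEC vs DYN) and `readelf -l` (the INTERP and LOAD entries); the parser above only reads what those two commands print. Note it answers the header-level question only: an ET_DYN image without INTERP is relocatable by the kernel, but whether every LOAD segment actually carries the relocation records needed to move it, which is the objection raised in the last reply, requires inspecting the dynamic section and relocation tables, not just the program headers.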