From 53ca41717a4bb2a86dbf25184af88e0dbafda709 Mon Sep 17 00:00:00 2001 From: John Reiser Date: Mon, 25 Sep 2006 13:02:07 -0700 Subject: [PATCH] Document /proc/self/exe and workaround. --- doc/elf-to-mem.txt | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/doc/elf-to-mem.txt b/doc/elf-to-mem.txt index 35cfa38b..42137350 100644 --- a/doc/elf-to-mem.txt +++ b/doc/elf-to-mem.txt @@ -17,7 +17,7 @@ program itself. So, the decompressor program (which contains the compressed version of the original executable) must have the same brk() as the original executable. So, the second PT_LOAD ELF "segment" of the compressed program is used only to set the brk(0). -See src/p_lx_elf.cpp, function PackLinuxI386elf::patchLoader(). +See src/p_lx_elf.cpp, function PackLinuxElf32::generateElfHdr. All of the decompressor's code, and all of the compressed image of the original executable, reside in the first PT_LOAD of the decompressor program. @@ -63,3 +63,14 @@ clear the free portion of the stack (to compensate for ld-linux.so.2 assuming that its automatic stack variables are initialized to zero), and remove (all but 4 bytes of) the decompression program (and compressed executable) from the address space. + +Because the UPX runtime stub removes all traces of the compressed file +from the address space, then the Linux kernel erases the symlink +/proc/self/exe. Linux stores the pathname argument that was specified +to execve() immediately after the '\0' which terminates the character +string of the last environment variable [as of execve()]. This is true +for at least all Linux 2.6, 2.4, and 2.2 kernels. The pathname is not +"bound" to the file as strongly as /proc/self/exe (the file may be changed +without affecting the pathname), but the pathname does provide some +information. The pathname may be relative to the working directory, +so look before any chdir().
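Review bot: in the first hunk the replacement reference `See src/p_lx_elf.cpp, function PackLinuxElf32::generateElfHdr.` drops the `()` that the line it replaces (`PackLinuxI386elf::patchLoader()`) carried, so the doc now names one reference as a function call and the other as a bare identifier; keep the parentheses for consistency with the removed line, and consider also noting that the class was renamed, since a reader following the old name will find nothing.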
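Review bot: the opening sentence of the second hunk, `Because the UPX runtime stub removes all traces of the compressed file` / `from the address space, then the Linux kernel erases the symlink` / `/proc/self/exe.`, is both grammatically off ("Because ..., then ...") and misleading: the kernel does not erase anything, it simply has no mapping of the executable left to report, so readlink() on /proc/self/exe fails once the stub has unmapped itself. Suggest wording such as "Because the UPX runtime stub removes all traces of the compressed file from the address space, readlink() of /proc/self/exe no longer works after that point." The workaround paragraph should also say explicitly that the location of the execve() pathname after the last environment string is an undocumented stack-layout detail rather than an interface, so the stub (or any program relying on it) should capture that pointer at startup, before the environment is modified, and bounds-check it against the end of the initial stack rather than assuming the string is present; the existing caveats about the file being changed underneath the pathname and about relative paths before chdir() are good and should stay.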