Userland exec replaces the existing process image within the current address space with a new one. It mimics the behavior of the execve system call, but the kernel structures describing the process remain unchanged. In other words, system utilities will still report the old process name.
This technique can be used to achieve stealth after gaining arbitrary code execution. It can also be used to execute binaries stored in noexec partitions.
The first userland exec was created by grugq. This repository is highly inspired by the Rapid7 Mettle library, which includes a comprehensive blog description of the technique.
Initially, a large part of this repository's code mimicked the Mettle library, but it has since been extended with additional logic to bypass SELinux verification.
To avoid the mprotect system call, a temporary in-memory file is created with memfd_create. The new image is written to that file and then mapped with mmap (after munmap of the old region) with the permissions it needs, so mprotect is never called.
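Because the new image is mapped from a memfd rather than from a binary on disk, a defender can look for it in /proc/<pid>/maps: executable mappings whose backing path starts with /memfd: belong to no on-disk file. The following Python example is added here and is not part of this repository; the maps excerpt it scans is constructed, with a process that still reports itself as /usr/bin/sleep while executing code from a memfd.

```python
from dataclasses import dataclass
from typing import List

# Constructed /proc/<pid>/maps excerpt: the original /usr/bin/sleep image is
# still present, but an executable region is backed by an anonymous memfd.
SAMPLE_MAPS = """\
5580e3a00000-5580e3a01000 r--p 00000000 08:01 1311 /usr/bin/sleep
5580e3a01000-5580e3a05000 r-xp 00001000 08:01 1311 /usr/bin/sleep
7f3a1c000000-7f3a1c001000 r--p 00000000 00:05 40 /memfd:payload (deleted)
7f3a1c001000-7f3a1c021000 r-xp 00001000 00:05 40 /memfd:payload (deleted)
7f3a1c021000-7f3a1c030000 rw-p 00021000 00:05 40 /memfd:payload (deleted)
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
7ffd2b3f4000-7ffd2b3f6000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The pathname may contain spaces (e.g. "(deleted)"), so split at most 5 times.
        parts = line.split(None, 5)
        addr, perms = parts[0], parts[1]
        path = parts[5] if len(parts) > 5 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        mappings.append(Mapping(start, end, perms, path))
    return mappings


def memfd_exec_mappings(text: str) -> List[Mapping]:
    """Return executable mappings backed by a memfd: code that exists only in memory."""
    return [m for m in parse_maps(text)
            if "x" in m.perms and m.path.startswith("/memfd:")]


def scan_pid(pid: int) -> List[Mapping]:
    """Read a live process's maps and apply the same check (requires ptrace access)."""
    with open(f"/proc/{pid}/maps") as f:
        return memfd_exec_mappings(f.read())


if __name__ == "__main__":
    for m in memfd_exec_mappings(SAMPLE_MAPS):
        print(f"{m.start:x}-{m.end:x} {m.perms} {m.path}")
```

A hit is not proof of userland exec (JIT runtimes also map executable memfds), but an executable memfd mapping in a process whose /proc/<pid>/exe points at a small utility is worth a closer look.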