Hacker News
by saagarjha 2309 days ago
Here's how you'd exec:

  execv("/path/to/binary", (char *[]){"binary", NULL});
And here's a way to do that without exec:

  (((int (*)(int, char **))dlsym(dlopen("/path/to/binary", RTLD_LAZY), "main")))(1, (char *[]){"binary", NULL});
A bit uglier, but not all that much harder.
2 comments

> dlopen

Doesn't that just end up calling open() and mmap()? Might not have access to the args passed through at that point, but that's going to leave a trail and of course anything interesting the mapped program does will end up going through syscalls (opening other "files").

Trying to get stuff into your memory that wasn't there before is going to require at least one syscall.

Though it should be noted that's not quite the same thing as execve. Execve does a lot of things in addition to running the main function (privilege transitions like setuid being just one example).

Of course; in addition to kernel setup this will also skip over initializers in the binary and other things that the C runtime does before main. Needless to say, this is mostly only useful as a fun side effect of PIE executables.