elf linux amd64 hello world

#include <unistd.h>
#include <inttypes.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>
#include <elf.h>


#define MESSAGE "hello, world\n"
#define MESSAGE_SZ (sizeof(MESSAGE) - 1)

/*
 * Smallest possible (?) proper hello world for ELF amd64 linux.
 *
 * The code itself is:
 *  movb $13, %dl
 *  lea 2f(%rip), %rsi
 *  inc %eax
 *  mov %eax, %edi
 * 1:   syscall
 *  movb $60, %al
 *  jmp 1b
 * 2:   .string "hello, world\n"
 *
 * The only wrong thing is the exit code. We depend on the kernel zeroing registers for us,
 * but that should be a safe assumption because the kernel doesn't want to leak registers
 * to userland anyway (unless there's some ABI I'm not aware of).
 *
 * The code is stuffed into unused fields in the ELF headers with relative jumps gluing it
 * together. The string is stuffed into the nicely contiguous space provided to us by e_shoff
 * (section headers are irrelevant for executables), e_flags e_ehsize, that is just perfectly
 * fits the One True Hello World Message.
 *
 * The program header overlaps with the elf header with some trickery involving a good guess
 * about what the kernel actually does with p_flags (see comment for e_unused4).
 *
 * I am not sure since when the Linux kernel supports ET_DYN binaries. Maybe it always had?
 * ET_DYN allows us to pull off a horrible horrible trick (see comment for e_unused1).
 * This wouldn't work without ET_DYN unless we can find some way to load the address of the
 * message into rsi with some shorter instruction.
 */

#define OVERLAP

int
main(int argc, char **argv)
{
#define RIP_OFFSET(from_field, to_field) ((char *)&blob.to_field - (char *)&blob.from_field)
    struct blob {
        unsigned char e_ident[8];
        unsigned char e_unused1[8];
        uint16_t e_type;
        uint16_t e_machine;
        unsigned char e_unused2[4];     /* e_version */
        uint64_t e_entry;
        uint64_t e_phoff;
        unsigned char e_unused3[8 + 4 + 2]; /* e_shoff + e_flags + e_ehsize */
        uint16_t e_phentsize;
        uint16_t e_phnum;
        unsigned char e_unused4[2 + 2 + 2]; /* e_shentsize + e_shnum + e_shstrndx */

#ifndef OVERLAP
        uint32_t p_type;
        uint32_t p_flags;
#else
#define p_type e_phnum
#endif
        uint64_t p_offset;
        uint64_t p_vaddr;
        unsigned char p_unused1[8];
        uint64_t p_filesz;
        uint64_t p_memsz;
        uint64_t p_align;
    } __attribute__((__packed__)) blob = {
        .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, EV_CURRENT, 0x00 },
        .e_unused1 = {
            /*
             * First 8 bytes of e_ident must be what they are. The next 8 bytes
             * are free for all so we make that our entry point.  We use
             * "lea MESSAGEOFFSET(%rip), %rsi"  to load the address for write(2).
             * lea is a 7 byte instruction. The 8th byte is a relative jump
             * instruction with the jump offset conveniently provided to us by
             * e_type, which is ET_DYN = 3. This lets us skip e_machine and
             * execute the next instructions from e_version.
             */
            0x48, 0x8d, 0x35, RIP_OFFSET(e_unused1[7], e_unused3), 0x00, 0x00, 0x00,
            0xeb
        },
        .e_type = ET_DYN,
        /* 0x03, 0x00 */
        .e_machine = EM_X86_64,
        /* 0x3e, 0x00 */
        .e_unused2 = {
            /*
             * mov $0xe,%dl   - length of string for write(2)
             * jmp <to rest of code>
             */
            0xb2, MESSAGE_SZ,
            0xeb, RIP_OFFSET(e_unused2[4], e_unused4[2])
        },
        .e_entry = 8,
        .e_phoff = ((char *)&blob.p_type - (char *)&blob),
        .e_unused3 = MESSAGE,
        .e_phentsize = sizeof(Elf64_Phdr),
        .e_phnum = 1,
        /* 0x01 0x00 */
        .e_unused4 = {
            0x00, 0x00,         /* Must be zero if OVERLAP */
            0xff, 0xc0,     /* inc %eax - syscall number for read is 1. */
            /*
             * The original code was:
             *  mov $1, %al
             *  mov %eax, %edi
             * This set up the syscall number to 1 (write) and fd to 1 (stdout)
             * and could be done in 4 bytes. But we can't use mov here, registers
             * after exec come pre-zeroed, so we inc %eax instead. This is because
             * the mov instruction is 0xb0, but we need the lowest bit of it set so
             * we can make this and the phdr overlap.
             *
             * The lowest bit must be set because it overlaps with the p_flags in
             * phdr and that specifies that the loaded region is executable. We don't
             * need to specify readability (even though we do read from the region
             * since the message is in it) because amd64 doesn't have an executable
             * but not readable PTE. Unfortunately "inc" also makes the region
             * writeable, so we violate W^X. Looking for a better instruction.
             */
            0xeb, RIP_OFFSET(e_unused4[6], p_unused1)
        },
#ifndef OVERLAP
        /* This can overlap with .e_phnum. */
        .p_type = PT_LOAD,
        /* 0x01 0x00 0x00 0x00 - must be this */
        .p_flags = PF_R|PF_X,
        /* 0x03 0x00 0x00 0x00 - can be anything as long as the lowest bit is set. */
#endif
        .p_offset = 0,
        /* 0x0000000000000000 - must be 0 */
        .p_vaddr = 0,
        /* 0x0000000000000000 - must be 0 */
        .p_unused1 = {
            /*
             * mov %eax, %edi
             * syscall
             * mov $0x3c, %al
             * jmp <back to the syscall instruction>
             */
            0x89, 0xc7,
            0x0f, 0x05,
            0xb0, 0x3c,
            0xeb, 0xfa,
        },
        .p_filesz = sizeof(blob),
        .p_memsz = sizeof(blob),
        .p_align = 0,
    };

    int fd;

    if ((fd = open("a.out", O_CREAT|O_RDWR|O_TRUNC, 0755)) == -1)
        err(1, "open");

    if (write(fd, &blob, sizeof(blob)) != sizeof(blob))
        err(1, "write");

    return 0;
}