I am using a parent process that uses execve() to run a child process with specific environment variables that I have defined in the parent process. In the parent process if I look at the memory location $esp + 0x240 I find all the environment variables. However once the child process is launched, I am unable to find the memory address where the predefined environment variables have been stored.
I would have thought that since execve() replaces the parent process with the child process the environment variables passed to the child process would be located at 0xbffffffa minus the length of the environment variable string (in Linux). However when the child process is launched I no longer have access to that location in memory. The esp of the parent process before it calls execve() is 0xbffff120, once the child process is launched the esp jumps to 0xbf9835a0. (Im guess this is because the child process has root privileges that the parent process did not have) Now when I look at the memory from the top of the stack up to the point where I no longer have access to the memory, there is no signed of any of the environment variables that were passed from the parent process. Where would they be located? Also on a more general note, when you run a process are the environment variables all copied to the high end in memory at the very bottom of the stack?
#include <stdio.h> #include <stdlio.h> #include <string.h> #include <unistd.h> char envvari[]= "\x31\xc0\ ...." // Can be any environment variable int main(int argc, char *argv[]) { char *env[2] = {envvari, 0}; unsigned int i, ret; char *buffer = (char *) malloc(160); char *args[] = {"notesearch", buffer, 0}; ret = 0xbffffffa - (sizeof(envvari)-1) - strlen("./notesearch"); for(i=0; i < 160; i+=4) *((unsigned int *)(buffer+i)) = ret; execve("./notesearch", args, env); free(buffer); } 
envvariasexecvewill end your current process including all resourced (except some fds).