Hugo

Reputation: 183

Is Linux program's stack somehow modified in a non-explicit way?

I am trying to write a simple ELF64 virus in NASM on Linux. It appends itself to the victim (and of course does all that section & segment related stuff) and changes the victim's entry point so that it points to the malicious code.

When the infected program is launched, the first thing to be executed is my virus, and when it has done all its work, it jumps to the original entry point and the victim's code is executed.

When the virus infects simple C++ hello world, everything works fine: as I can see in strace, the virus executes properly and then the victim's code executes.

But if I append:

printf("%s\n", argv[0]);

to the victim's code, re-infect it and run, the virus' code executes properly, "hello world" is printed, but then a segmentation fault error is thrown.

I think it means that the stack is being changed during virus' execution so that there's some random number instead of the original argv[0].

However, I've analyzed the whole source of my virus, marked all pushes, pops and direct modifications of rsp, analyzed them carefully and it seems that the stack should be in the same state. But, as I see, it isn't.

Is it possible that the stack is being modified in some non-explicit way, for example by a syscall? Or maybe it's impossible and I should just spend a few more hours staring at the source to find a bug?

Upvotes: 2

Views: 73
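The infection technique described in the question (code appended to the file, entry point redirected into it) leaves a footprint in the ELF header that is cheap to check. The following is an added example written for this page, not code from the question or answer: a small ELF64 parser that locates the PT_LOAD segment containing e_entry and reports entry points that land in a writable+executable segment, outside the file-backed part of a segment, or outside any loadable segment at all. The sample images are constructed inline from header bytes (names such as build_image and entry_point_findings are this example's own), so it runs offline without a real binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes


def parse_elf64(data: bytes):
    """Return (e_entry, list of PT_LOAD/other program headers) for a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS=ELFCLASS64, EI_DATA=ELFDATA2LSB
        raise ValueError("only little-endian ELF64 is handled here")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    entry, phoff, phentsize, phnum = f[4], f[5], f[9], f[10]
    if phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected e_phentsize")
    phdrs = []
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)
        phdrs.append(dict(type=p_type, flags=p_flags, offset=p_off,
                          vaddr=p_vaddr, filesz=p_filesz, memsz=p_memsz))
    return entry, phdrs


def entry_point_findings(data: bytes):
    """Heuristic checks on where e_entry lands. Returns a list of findings (empty = nothing odd)."""
    entry, phdrs = parse_elf64(data)
    findings = []
    holder = next((ph for ph in phdrs if ph["type"] == PT_LOAD
                   and ph["vaddr"] <= entry < ph["vaddr"] + ph["memsz"]), None)
    if holder is None:
        findings.append("entry point is not inside any PT_LOAD segment")
        return findings
    if not holder["flags"] & PF_X:
        findings.append("entry point lies in a non-executable segment")
    if holder["flags"] & PF_W and holder["flags"] & PF_X:
        findings.append("entry point lies in a writable+executable segment")
    # Entry past the file-backed bytes of its segment would execute zero-filled .bss.
    if entry >= holder["vaddr"] + holder["filesz"]:
        findings.append("entry point is beyond the file-backed part of its segment")
    file_off = holder["offset"] + (entry - holder["vaddr"])
    if file_off >= len(data):
        findings.append("entry point maps past end of file")
    return findings


def build_image(entry, segments, total_size):
    """Construct a minimal ELF64 image: header + PT_LOAD program headers + zero padding.
    segments: list of (p_flags, p_offset, p_vaddr, p_filesz, p_memsz). Constructed test data."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, entry, 64, 0, 0,
                       64, 56, len(segments), 64, 0, 0)      # e_machine 62 = x86_64
    phdrs = b"".join(struct.pack(PHDR_FMT, PT_LOAD, flags, off, vaddr, vaddr, fsz, msz, 0x1000)
                     for flags, off, vaddr, fsz, msz in segments)
    body = ehdr + phdrs
    return body + bytes(total_size - len(body))


# Constructed samples: an ordinary layout (RX text, RW data) and two entry-point anomalies.
TEXT_RX = (PF_R | PF_X, 0x0, 0x400000, 0x1000, 0x1000)
DATA_RW = (PF_R | PF_W, 0x1000, 0x601000, 0x100, 0x200)
CLEAN_IMAGE = build_image(0x400500, [TEXT_RX, DATA_RW], 0x1100)
# Data segment grown to cover appended code and marked executable; entry redirected into it.
DATA_RWX_EXTENDED = (PF_R | PF_W | PF_X, 0x1000, 0x601000, 0x300, 0x400)
APPENDED_IMAGE = build_image(0x601100, [TEXT_RX, DATA_RWX_EXTENDED], 0x1300)
# Entry pointing at an address no PT_LOAD segment maps.
STRAY_IMAGE = build_image(0x700000, [TEXT_RX, DATA_RW], 0x1100)

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_IMAGE), ("appended", APPENDED_IMAGE), ("stray", STRAY_IMAGE)]:
        print(name, entry_point_findings(img) or "ok")
```

On a real binary, feed the file contents to entry_point_findings; the same checks are a reasonable first pass before reaching for readelf -l, and the RWX finding in particular is something a hardened toolchain never produces on its own.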

Answers (1)

Employed Russian

Reputation: 213385

ELF64 virus in NASM on Linux

Presumably on x86_64 (64-bit Linux could also be aarch64, or powerpc64, or sparcv9, or ...).

it seems that the stack should be in the same state

What about registers? Note that on x86_64 argv is passed to main in $rsi, not on the stack.

You must read and understand x86_64 calling conventions.

Upvotes: 3
