Description
I am trying to understand how the CLONE_STUB_HEAD shellcode works. I put the bytes through a disassembler and got this:
```asm
 0: eb 44                   jmp   0x46
 2: b9 00 00 00 00          mov   ecx, 0x0            ; stack ptr (patched in)
 7: 5b                      pop   ebx                 ; payload ptr (return address pushed by the call at 0x46)
 8: 83 e1 f0                and   ecx, 0xfffffff0     ; align stack address
 b: 83 e9 1c                sub   ecx, 0x1c           ; create stack space
 e: 31 c0                   xor   eax, eax
10: 89 41 0c                mov   DWORD PTR [ecx+0xc], eax   ; 0
13: 89 59 08                mov   DWORD PTR [ecx+0x8], ebx   ; payload ptr
16: c7 41 04 00 00 00 00    mov   DWORD PTR [ecx+0x4], 0x0   ; 0
1d: be 00 00 00 00          mov   esi, 0x0            ; tls arg
22: ba 00 09 01 00          mov   edx, 0x10900        ; clone flags (edx is the ptid slot of i386 clone)
27: bb 00 09 01 00          mov   ebx, 0x10900        ; clone flags
2c: bf 00 00 00 00          mov   edi, 0x0            ; ctid arg
31: 89 19                   mov   DWORD PTR [ecx], ebx       ; clone flags
33: b8 78 00 00 00          mov   eax, 0x78           ; SYS_clone (120 on i386)
38: cd 80                   int   0x80                ; clone(ebx=flags, ecx=child stack, edx, esi, edi)
3a: 85 c0                   test  eax, eax            ; 0 in the new thread, tid in the caller
3c: 74 01                   je    0x3f
3e: cc                      int3                      ; caller stops here
3f: bd 00 00 00 00          mov   ebp, 0x0
44: eb 05                   jmp   0x4b                ; new thread: into the bytes after the stub
46: e8 b7 ff ff ff          call  0x2                 ; pushes 0x4b, then runs the stub body
```
So in addition to putting the clone syscall parameters into the proper registers before the int80, you also create stack space (pointed to by ECX) and add four dwords: zero, a pointer to the caller payload immediately after CLONE_STUB_HEAD, zero, and then the clone flags.
My questions are these: What is the purpose of setting up the stack this way? Would it not suffice just to set the registers and make the syscall? I'm studying thread injection on Linux, so thanks in advance for answering my questions.
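The stack in the disassembly above is not decoration: ecx is the `child_stack` argument of `clone`, and the flags 0x10900 decode to CLONE_VM | CLONE_SIGHAND | CLONE_THREAD, so the new thread shares the caller's address space and would otherwise start executing on the caller's own stack, racing the thread that was just resumed. The four dwords stored at [ecx] through [ecx+0xc] are simply what the payload finds at [esp] when the child side of the `je` jumps to it. The following C program is an added example, not code from the project or from the issue author: it does from C, through the glibc `clone()` wrapper, what the stub does in asm (map a fresh stack, hand its 16-byte-aligned top to `clone` with the stub's flags, let a payload run there in the new thread) and checks that the payload really ran on the supplied mapping. `payload`, `run_stub_equivalent` and `struct payload_ctx` are this example's own names; CLONE_CHILD_CLEARTID is added to the stub's flag set only so the parent can tell when the thread has exited before unmapping its stack.

```c
/* Added example: what the CLONE_STUB_HEAD stack setup buys you, done from C
 * with the glibc clone() wrapper instead of hand-written asm. The names
 * payload, run_stub_equivalent and payload_ctx belong to this example only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <time.h>

/* The wrapper and the flag values normally come from <sched.h> under
 * _GNU_SOURCE; repeated here so the example builds even without that macro. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#ifndef CLONE_VM
#define CLONE_VM             0x00000100
#endif
#ifndef CLONE_SIGHAND
#define CLONE_SIGHAND        0x00000800
#endif
#ifndef CLONE_THREAD
#define CLONE_THREAD         0x00010000
#endif
#ifndef CLONE_CHILD_CLEARTID
#define CLONE_CHILD_CLEARTID 0x00200000
#endif

/* 0x10900 from the stub's `mov ebx,0x10900` is exactly these three flags. */
#define STUB_CLONE_FLAGS (CLONE_VM | CLONE_SIGHAND | CLONE_THREAD)

struct payload_ctx {
    uintptr_t stack_lo, stack_hi; /* the mapping handed to the new thread      */
    uintptr_t child_sp;           /* where the payload actually found its stack */
    pid_t     tid;                /* zeroed by the kernel when the thread exits  */
};

/* Stand-in for the bytes that follow CLONE_STUB_HEAD: runs in the new thread
 * on the stack passed to clone(). No libc calls here: CLONE_SETTLS was not
 * requested, so the thread shares the caller's TLS and must leave errno and
 * other per-thread state alone. */
static int payload(void *arg)
{
    struct payload_ctx *ctx = arg;
    int local;                           /* lives on whatever stack we run on */
    __atomic_store_n(&ctx->child_sp, (uintptr_t)&local, __ATOMIC_SEQ_CST);
    return 0;                            /* the wrapper then issues exit(2) for this thread */
}

/* Returns 1 if the payload ran on the mapping we supplied, 0 if it ran
 * somewhere else, -1 on failure or if the thread never exited. */
int run_stub_equivalent(void)
{
    const size_t stack_size = 64 * 1024;
    void *stack = mmap(NULL, stack_size, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (stack == MAP_FAILED)
        return -1;

    struct payload_ctx ctx = {
        .stack_lo = (uintptr_t)stack,
        .stack_hi = (uintptr_t)stack + stack_size,
        .child_sp = 0,
        .tid      = -1,
    };

    /* x86 stacks grow down, so the kernel gets the top of the mapping,
     * rounded the way the stub's `and ecx,0xfffffff0` rounds it. */
    void *top = (void *)(ctx.stack_hi & ~(uintptr_t)15);

    int tid = clone(payload, top, STUB_CLONE_FLAGS | CLONE_CHILD_CLEARTID, &ctx,
                    (pid_t *)NULL, (void *)NULL, &ctx.tid);
    if (tid == -1) {
        munmap(stack, stack_size);
        return -1;
    }

    /* Join: poll (bounded, ~5 s) until the kernel writes 0 to ctx.tid at thread
     * exit, the same mechanism pthread_join relies on. */
    int joined = 0;
    for (int i = 0; i < 5000 && !joined; i++) {
        if (__atomic_load_n(&ctx.tid, __ATOMIC_SEQ_CST) == 0) {
            joined = 1;
        } else {
            struct timespec ts = { 0, 1000000L };
            nanosleep(&ts, NULL);
        }
    }
    if (!joined)
        return -1;                 /* never unmap a stack a live thread may still use */

    uintptr_t sp = ctx.child_sp;
    int on_our_stack = (sp >= ctx.stack_lo && sp < ctx.stack_hi) ? 1 : 0;
    munmap(stack, stack_size);
    return on_our_stack;
}

int main(void)
{
    int rc = run_stub_equivalent();
    printf("flags=0x%x payload ran on supplied stack: %d\n", STUB_CLONE_FLAGS, rc);
    return rc == 1 ? 0 : 1;
}
```

Two things carry over to reading the stub. First, the kernel loads ecx straight into the child's esp, so everything the stub stores below ecx is the child's initial stack contents and nothing else initialises it. Second, the stub does not bother with the join above because its caller side ends in `int3` rather than returning to the injected process's code; whatever drives the injection handles that trap.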