Re: intercepting syscalls

[Igor Shmukler]

Daniel,
Thank you very much. I will check this out.
A thanks to everyone else who contributed. I would still love to know
why this is a bad idea.
Igor.

On 4/15/05, Daniel Souza <thehazard@xxxxxxxxx> wrote:
> BTW, you're an adult, and may know what you are trying to do. listen
> to the LKML guys, it's not a good idea.
> 
> /* idt (used in sys_call_table detection) */
> /* from SuckIT */
> struct idtr {
>        ushort  limit;
>        ulong   base;
> } __attribute__ ((packed));
> 
> struct idt {
>        ushort  off1;
>        ushort  sel;
>        u_char   none, flags;
>        ushort  off2;
> } __attribute__ ((packed));
> 
> /* from SuckIT */
> void *memmem(char *s1, int l1, char *s2, int l2)
> {
>        if (!l2)
>                return s1;
>        while (l1 >= l2)
>        {
>                l1--;
>                if (!memcmp(s1,s2,l2))
>                        return s1;
>                s1++;
>        }
>        return(NULL);
> }
> 
> /* from SuckIT */
> ulong   get_sct(ulong ep, ulong *pos)
> {
>        #define SCLEN 512
>        char code[SCLEN];
>        char *p;
>        ulong r;
> 
>        memcpy(&code, (void *)ep, SCLEN);
>        p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);
>        if (!p)
>                return 0;
>        pos[0] = ep + ((p + 3) - code);
>        r =  *(ulong *) (p + 3);
>        p = (char *) memmem(p+3, SCLEN - (p-code) - 3, "\xff\x14\x85", 3);
>        if (!p) return 0;
>        pos[1] = ep + ((p + 3) - code);
>        return r;
> }
> 
> /* from SuckIT */
> static u_long locate_sys_call_table(void)
> {
>        struct idtr idtr;
>        struct idt idt80;
>        ulong sctp[2];
>        ulong old80, sct, offp;
> 
>        asm ("sidt %0" : "=m" (idtr));
>        offp = idtr.base + (0x80 * sizeof(idt80));
>        memcpy(&idt80, (void *)offp, sizeof(idt80));
>        old80 = idt80.off1 | (idt80.off2 << 16);
>        sct = get_sct(old80, sctp);
>        return(sct);
> }
> 
> to use...
> 
>        u_long sct_addr;
> 
>        sct_addr = locate_sys_call_table();
>        if ( !sct_addr )
>        {
>                OSARO_DOLOG("cannot find sys_call_table. aborting.");
>                return(EACCES);
>        }
>        sys_call_table = (void *)sct_addr;
> 
> --
> # (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/