public inbox for linux-kernel@vger.kernel.org
From: Igor Shmukler <igor.shmukler@gmail.com>
To: Daniel Souza <thehazard@gmail.com>
Cc: Arjan van de Ven <arjan@infradead.org>, linux-kernel@vger.kernel.org
Subject: Re: intercepting syscalls
Date: Fri, 15 Apr 2005 15:59:29 -0400
Message-ID: <6533c1c905041512594bb7abb4@mail.gmail.com>
In-Reply-To: <e1e1d5f40504151251617def40@mail.gmail.com>

Daniel,
Thank you very much. I will check this out.
A thanks to everyone else who contributed. I would still love to know
why this is a bad idea.
Igor.

On 4/15/05, Daniel Souza <thehazard@gmail.com> wrote:
> BTW, you're an adult, and may know what you are trying to do. Listen
> to the LKML guys, it's not a good idea.
> 
> /* i386 only: these structs and the "\xff\x14\x85" opcode pattern assume
>  * 32-bit kernel addresses, 8-byte IDT gates and the int 0x80 handler of
>  * the 2.4/2.6 i386 entry.S. */
> #include <linux/types.h>
> #include <linux/string.h>
> #include <linux/errno.h>
> 
> /* idt (used in sys_call_table detection) */
> /* from SuckIT */
> struct idtr {                  /* operand of sidt: 16-bit limit, 32-bit base */
>        ushort  limit;
>        ulong   base;
> } __attribute__ ((packed));
> 
> struct idt {                   /* 8-byte gate descriptor */
>        ushort  off1;           /* handler offset, bits 0-15 */
>        ushort  sel;            /* code segment selector */
>        u_char  none, flags;    /* reserved; P, DPL, gate type */
>        ushort  off2;           /* handler offset, bits 16-31 */
> } __attribute__ ((packed));
> 
> /* from SuckIT: first occurrence of s2 (l2 bytes) within s1 (l1 bytes),
>  * or NULL. The kernel has no memmem() of its own. */
> static void *memmem(char *s1, int l1, char *s2, int l2)
> {
>        if (!l2)
>                return s1;
>        while (l1 >= l2)
>        {
>                l1--;
>                if (!memcmp(s1, s2, l2))
>                        return s1;
>                s1++;
>        }
>        return(NULL);
> }
> 
> /* from SuckIT: copy SCLEN bytes of the int 0x80 handler at ep and scan
>  * for "ff 14 85 disp32" = call *disp32(,%eax,4). disp32 is the address
>  * of sys_call_table; pos[0] and pos[1] receive the addresses of the two
>  * disp32 fields (the sites a hijacker would patch). Returns 0 if either
>  * reference is not found. */
> static ulong get_sct(ulong ep, ulong *pos)
> {
>        #define SCLEN 512
>        char code[SCLEN];
>        char *p;
>        ulong r;
> 
>        memcpy(code, (void *)ep, SCLEN);
>        p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);
>        if (!p)
>                return 0;
>        /* the disp32 must lie inside the copied buffer, otherwise the
>         * read below runs off the end of code[] */
>        if ((p - code) + 3 + sizeof(ulong) > SCLEN)
>                return 0;
>        pos[0] = ep + ((p + 3) - code);
>        r = *(ulong *) (p + 3);
>        p = (char *) memmem(p + 3, SCLEN - (p - code) - 3, "\xff\x14\x85", 3);
>        if (!p)
>                return 0;
>        pos[1] = ep + ((p + 3) - code);
>        return r;
> }
> 
> /* from SuckIT: read the IDT base with sidt, fetch the int 0x80 gate,
>  * reassemble the handler address it points at and scan that handler. */
> static ulong locate_sys_call_table(void)
> {
>        struct idtr idtr;
>        struct idt idt80;
>        ulong sctp[2];
>        ulong old80, sct, offp;
> 
>        asm ("sidt %0" : "=m" (idtr));
>        offp = idtr.base + (0x80 * sizeof(idt80));
>        memcpy(&idt80, (void *)offp, sizeof(idt80));
>        /* cast before shifting: off2 alone is promoted to int, and a
>         * kernel address (0xc0xx << 16) would be shifted into the sign bit */
>        old80 = idt80.off1 | ((ulong)idt80.off2 << 16);
>        sct = get_sct(old80, sctp);
>        return(sct);
> }
> 
> to use...
> 
>        /* OSARO_DOLOG and sys_call_table are declared elsewhere in the module */
>        ulong sct_addr;
> 
>        sct_addr = locate_sys_call_table();
>        if ( !sct_addr )
>        {
>                OSARO_DOLOG("cannot find sys_call_table. aborting.");
>                return(-EACCES);        /* module init must return 0 or -errno */
>        }
>        sys_call_table = (void *)sct_addr;
> 
> --
> # (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
>

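The two steps in the quoted code, decoding the int 0x80 gate and scanning the handler for `call *sys_call_table(,%eax,4)`, as an added userspace example that is not part of the original thread, of SuckIT, or of Daniel's module. It runs the same decoding against a constructed gate descriptor and a constructed handler byte string (illustrative opcodes, not real kernel bytes) instead of executing `sidt` and reading kernel memory, and adds the checks the posted code omits: a bounds check before reading the disp32, a check that the gate is present with DPL 3 (int 0x80 must be callable from ring 3), and a check that both references name the same table. Everything here is i386-specific: on x86-64 IDT gates are 16 bytes and the syscall entry path does not use this 3-byte call encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* i386 8-byte interrupt/trap gate, same layout as "struct idt" in the post. */
struct idt_gate {
    uint16_t off_lo;   /* handler offset, bits 0-15 */
    uint16_t sel;      /* code segment selector */
    uint8_t  zero;     /* reserved */
    uint8_t  flags;    /* P(1) DPL(2) 0(1) type(4) */
    uint16_t off_hi;   /* handler offset, bits 16-31 */
} __attribute__((packed));

_Static_assert(sizeof(struct idt_gate) == 8, "i386 gate descriptors are 8 bytes");

/* Handler address encoded in a gate. Casting before the shift avoids
 * shifting a promoted int into the sign bit for 0xc0xx kernel addresses. */
uint32_t gate_offset(const struct idt_gate *g)
{
    return (uint32_t)g->off_lo | ((uint32_t)g->off_hi << 16);
}

/* int 0x80 is a system gate: present (P=1) and callable from ring 3 (DPL=3). */
int gate_is_user_callable(const struct idt_gate *g)
{
    return (g->flags & 0x80) != 0 && ((g->flags >> 5) & 3) == 3;
}

/* Bounds-safe byte string search: never reads past hay + hlen. */
const uint8_t *find_bytes(const uint8_t *hay, size_t hlen,
                          const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* Find "ff 14 85 disp32" = call *disp32(,%eax,4) at or after code[start].
 * On success stores disp32 and the offset of the disp32 field (the patch
 * site) and returns 1; returns 0 if absent or if disp32 would run off the
 * end of the buffer. */
int find_sct_call(const uint8_t *code, size_t len, size_t start,
                  uint32_t *disp, size_t *disp_off)
{
    static const uint8_t pat[3] = { 0xff, 0x14, 0x85 };
    if (start >= len)
        return 0;
    const uint8_t *p = find_bytes(code + start, len - start, pat, sizeof pat);
    if (!p)
        return 0;
    size_t off = (size_t)(p - code) + sizeof pat;
    if (off + 4 > len)               /* need all four displacement bytes */
        return 0;
    *disp = (uint32_t)code[off] | (uint32_t)code[off + 1] << 8 |
            (uint32_t)code[off + 2] << 16 | (uint32_t)code[off + 3] << 24;
    *disp_off = off;
    return 1;
}

/* Same contract as get_sct() in the post, plus the check that both
 * references name the same table. sites may be NULL. */
uint32_t locate_sys_call_table(const uint8_t *handler, size_t len, size_t sites[2])
{
    size_t local[2];
    size_t *s = sites ? sites : local;
    uint32_t first, second;

    if (!find_sct_call(handler, len, 0, &first, &s[0]))
        return 0;
    if (!find_sct_call(handler, len, s[0] + 4, &second, &s[1]))
        return 0;
    if (first != second)             /* two different tables: not the expected shape */
        return 0;
    return first;
}

/* Constructed int 0x80 gate (hypothetical values): handler 0xc0101234,
 * selector 0x60, flags 0xef = present, DPL 3, 32-bit trap gate. */
static const struct idt_gate sample_int80_gate = {
    .off_lo = 0x1234, .sel = 0x60, .zero = 0, .flags = 0xef, .off_hi = 0xc010,
};

/* Constructed stand-in for the first bytes of the handler (not real kernel
 * code); the table is placed at the hypothetical address 0xc02a1000. */
static const uint8_t sample_handler[] = {
    0x50,                                      /* push %eax */
    0xfc,                                      /* cld */
    0x3d, 0x1a, 0x01, 0x00, 0x00,              /* cmp $0x11a,%eax */
    0x0f, 0x83, 0x10, 0x00, 0x00, 0x00,        /* jae +0x10 */
    0xff, 0x14, 0x85, 0x00, 0x10, 0x2a, 0xc0,  /* call *0xc02a1000(,%eax,4) */
    0x89, 0x44, 0x24, 0x18,                    /* mov %eax,0x18(%esp) */
    0xff, 0x14, 0x85, 0x00, 0x10, 0x2a, 0xc0,  /* second reference, same table */
    0xc3,                                      /* ret */
};

int main(void)
{
    size_t sites[2];
    unsigned long handler = gate_offset(&sample_int80_gate);
    printf("int 0x80 gate: handler=%#lx sel=%#x user-callable=%d\n",
           handler, sample_int80_gate.sel, gate_is_user_callable(&sample_int80_gate));
    unsigned long sct = locate_sys_call_table(sample_handler, sizeof sample_handler, sites);
    if (!sct) {
        puts("sys_call_table reference not found");
        return 1;
    }
    printf("sys_call_table=%#lx, disp32 fields at handler+%zu and handler+%zu\n",
           sct, sites[0], sites[1]);
    return 0;
}
```

Against a live i386 kernel the only change is where the inputs come from: `sidt` gives the IDT base, the gate is read at `base + 0x80 * 8`, and the scan runs over the bytes at `gate_offset()`. Compare the recovered address with the `sys_call_table` line of `System.map` or `/proc/kallsyms` before trusting it; a stray `ff 14 85` in unrelated code would otherwise be taken for the table.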
Thread overview: 30+ messages
2005-04-15 18:04 intercepting syscalls Igor Shmukler
2005-04-15 18:11 ` Arjan van de Ven
2005-04-15 19:41   ` Igor Shmukler
2005-04-15 19:51     ` Daniel Souza
2005-04-15 19:59       ` Igor Shmukler [this message]
2005-04-15 20:10         ` Daniel Souza
2005-04-15 20:13           ` Arjan van de Ven
2005-04-15 20:19             ` Daniel Souza
2005-04-15 20:25               ` Chris Wright
2005-04-15 20:38               ` Richard B. Johnson
2005-04-15 21:00                 ` Daniel Souza
2005-04-15 20:55         ` Steven Rostedt
2005-04-18 11:54         ` Rik van Riel
2005-04-18 14:48           ` Igor Shmukler
2005-04-18 14:59             ` Arjan van de Ven
2005-04-18 15:06               ` Igor Shmukler
2005-04-18 15:20                 ` Arjan van de Ven
2005-04-18 18:56                   ` Terje Malmedal
2005-04-18 19:19                     ` Timur Tabi
2005-04-18 19:40                     ` Arjan van de Ven
2005-04-19  8:32                       ` Terje Malmedal
2005-04-18 15:17             ` Randy.Dunlap
2005-04-18 16:20               ` Igor Shmukler
2005-04-18 16:26                 ` Christoph Hellwig
2005-04-15 20:03     ` Randy.Dunlap
2005-04-15 18:12 ` Chris Wright
2005-04-15 18:16 ` Timur Tabi
2005-04-15 19:27 ` Zan Lynx
2005-04-15 20:25 ` Petr Baudis
2005-04-15 23:05                 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>