From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1I2wKM-0002g7-UV for qemu-devel@nongnu.org; Mon, 25 Jun 2007 17:42:30 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1I2wKL-0002fv-Ea for qemu-devel@nongnu.org; Mon, 25 Jun 2007 17:42:30 -0400 Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1I2wKL-0002fs-8U for qemu-devel@nongnu.org; Mon, 25 Jun 2007 17:42:29 -0400 Received: from mail.gmx.net ([213.165.64.20]) by monty-python.gnu.org with smtp (Exim 4.60) (envelope-from ) id 1I2wKK-0000Ns-LW for qemu-devel@nongnu.org; Mon, 25 Jun 2007 17:42:29 -0400 Message-ID: <468036C1.8070901@gmx.at> Date: Mon, 25 Jun 2007 23:42:25 +0200 From: Clemens Kolbitsch MIME-Version: 1.0 References: <20070614160402.14245gmx1@mx083.gmx.net> In-Reply-To: <20070614160402.14245gmx1@mx083.gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [Qemu-devel] sidt problem Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org hi everyone! i have a strange problem: i use the following code on my linux 2.6.20 (kubuntu debian, i386) to dynamically get the location of the system-call table (as can also be found in /proc/kallsyms --> "sys_call_table") as it is quite interesting for new exploits ( :-) ) on a real cpu this works fine, however crashes in qemu... obviously there is a bug somewhere. i have not found my way that deep into the qemu source, so i cannot really help to find the bug. well, here is the code: struct { unsigned short limit; unsigned int base; } __attribute__ ((packed)) idtr; struct { unsigned short off1; unsigned short sel; unsigned char none, flags; unsigned short off2; } __attribute__ ((packed)) *igd; unsigned long *sys_call; unsigned char *pc; // find idt_table __asm__("sidt %0" : :"m"(idtr)); // find system_call igd = idtr.base + 8 * 0x80; // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! // the next line crashes // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! sys_call = (igd->off2 << 16) | igd->off1; // find sys_call_table // ff 14 85 XX XX XX XX call (,%eax,4) sys_call_table = 0x0; pc = (char*)sys_call; // check the first 100 bytes in system_call for (i = 0; i < 100; ++i) { if ((*(long*)++pc << 8) == 0x8514ff00) { sys_call_table = *(long*)(pc+3); break; } } maybe, someone has time to look at this problem (by the way, i use the same system inside qemu as on my laptop) greets!!