Re: intercepting syscalls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



BTW, you're an adult, and may know what you are trying to do. listen
to the LKML guys, it's not a good idea.

/* idt (used in sys_call_table detection) */
/* from SuckIT */
struct idtr {
       ushort  limit;
       ulong   base;
} __attribute__ ((packed));

struct idt {
       ushort  off1;
       ushort  sel;
       u_char   none, flags;
       ushort  off2;
} __attribute__ ((packed));

/* from SuckIT */
void *memmem(char *s1, int l1, char *s2, int l2)
{
       if (!l2)
               return s1;
       while (l1 >= l2)
       {
               l1--;
               if (!memcmp(s1,s2,l2))
                       return s1;
               s1++;
       }
       return(NULL);
}

/* from SuckIT */
ulong   get_sct(ulong ep, ulong *pos)
{
       #define SCLEN 512
       char code[SCLEN];
       char *p;
       ulong r;

       memcpy(&code, (void *)ep, SCLEN);
       p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);
       if (!p)
               return 0;
       pos[0] = ep + ((p + 3) - code);
       r =  *(ulong *) (p + 3);
       p = (char *) memmem(p+3, SCLEN - (p-code) - 3, "\xff\x14\x85", 3);
       if (!p) return 0;
       pos[1] = ep + ((p + 3) - code);
       return r;
}

/* from SuckIT */
static u_long locate_sys_call_table(void)
{
       struct idtr idtr;
       struct idt idt80;
       ulong sctp[2];
       ulong old80, sct, offp;

       asm ("sidt %0" : "=m" (idtr));
       offp = idtr.base + (0x80 * sizeof(idt80));
       memcpy(&idt80, (void *)offp, sizeof(idt80));
       old80 = idt80.off1 | (idt80.off2 << 16);
       sct = get_sct(old80, sctp);
       return(sct);
}

to use...

       u_long sct_addr;

       sct_addr = locate_sys_call_table();
       if ( !sct_addr )
       {
               OSARO_DOLOG("cannot find sys_call_table. aborting.");
               return(EACCES);
       }
       sys_call_table = (void *)sct_addr;


-- 
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux