RE: Seek Help !!! (about getting a pointer to sys_call_table)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Ashish,

Well there are workarounds to do the required system call hacking.
What you can do is, before loading the kernel module, you look up the
address of sys_call_table in /boot/Syste.map file and pass this address
to kernel module at loading time as a parameter. Kernel module can store
this address in its unsigned long variable and can use it as a pointer
to sys_call_table.

This is a workaround, but not a secure way to do it, as System.map lies
in filesystem and anybody can modify ot change the name of this file, in
that case your module will not be loaded properly.




The other and secure way to do this is (spl for i386 platform), that you
do the following thing in your module initialization function.

1. - get the pointer to IDT (Interrupt Descriptor Table), using SIDT
assembly instruction. This instruction will store the value of IDTR
register of processor, which actually is a pointer to IDT in kernel.

2. - Once you get the pointer to IDT, get to the 128th entry of IDT by
multiplying 128 with 8 (as each entry in IDT is of 8 bytes) and adding
that to the IDT pointer, which we got in first step. This is a pointer
to the system gate through with system calls enter kernel mode.

3. - As each entry in IDT is of 8 bytes, now you are pointing to the
system call entry in IDT. Get the offset from this entry (1, 2, 7 and
8th bytes). To know the format of this entry in IDT, read the article:
http://www.osdever.net/tutorials/interrupts.3.php?the_id=41

4. - once you get an offset, it's a pointer to the system_call()
function, which actually calls the specific system call after checking
the system call number passed. You can find this function at following
link: http://lxr.linux.no/source/arch/i386/kernel/entry.S?v=2.4.21#L202


5. - Now comes some complex thing. You have a pointer to this function,
now you need to check for following assembly instruction in it

call *SYMBOL_NAME(sys_call_table)(,%eax,4)

It is the instruction which is calling the specific system call by
looking it in sys_call_table array of pointers. You need to know the
machine instruction corresponding to this assembly instruction. I don't
exactly remember the bit sequence for it, which we need to check, you
need to check the first 3 bytes of this machine instruction if it
matches, your pointer is onto this instruction, now pick the next four
bytes and that will be the base address of sys_call_table. Just for
explanation, I am assuming that first 3 bytes in the machine instruction
corresponding to above mentioned assembly instruction are as follows:
0x2A 0x34 0XBE. Assuming this following code will get you the pointer to
sys_call_table array, which is a system call table in kernel.

In following code 'p' contains the pointer to system_call() function
(this is after step 4 mentioned above)

If((*((char *)p) == 0x2A) && (*((char *)p + 1) == 0x34) && (*((char *)p
+ 2) == 0xBE)){
	P = ((char *)p + 3);
	sys_call_table_ptr = *((unsigned long *)p + 1);
}

After this code we have the pointer to sys_call_table in
'sys_call_table_ptr' pointer variable.
NOTE: second method is only for i386 platform as it depends upon the
machine instruction format.

Hope things are not too complex ..... well you can contact me on my
mobile (040-32384853) if you want to discuss something, as second method
is something which I have also used. I might be of some help to you.

Regards,
Gaurav


-----Original Message-----
From: kernelnewbies-bounce@xxxxxxxxxxxx
[mailto:kernelnewbies-bounce@xxxxxxxxxxxx] On Behalf Of Ashish Mishra
Sent: Thursday, September 30, 2004 5:55 PM
To: Kenel Newbies
Subject: Seek Help !!!

Hi, 
   I am totally new to linux kernel . I want to intercept system calls
with sys_call_table. But , it seems that this symbol is not exported in
linux kernel 2.4.
  Is there any method by which i can export this symbol ??

Waiting for the help ....

Thanx
Ashish Mishra



--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/



--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/



[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux