On 4/25/06, Jesper Juhl <jesper.juhl@xxxxxxxxx> wrote:
> On 4/25/06, Gaurav Dhiman <gauravd.chd@xxxxxxxxx> wrote:
> > On 4/25/06, Greg KH <greg@xxxxxxxxx> wrote:
> > > On Tue, Apr 25, 2006 at 02:32:00AM +0530, Gaurav Dhiman wrote:
> > > > Here is more on it ..... the actual technical reason why it did not
> > > > work as expected on the Linux kernel.
> > > >
> > > > Have a look:
> > > > http://software.newsforge.com/article.pl?sid=06/04/18/1941251
> > >
> > > Note that this is now fixed so the virus will "work" on the latest
> > > 2.6.16-stable kernel release :)
> >
> > Hi Greg,
> >
> > Can you explain in a bit of detail what was happening earlier?
> > I got some idea that the register value was changed by the assembly code
> > generated for sys_ftruncate() by GCC, but how was it not allowing the
> > virus to act? Also, do explain if you know what the virus was intended to
> > do.
> >
> > Also please shed some light on this: can a system call be invoked by some
> > other mechanism than int 0x80? (as mentioned in this or some
> > other articles). I am under the impression that a system call can only be done
> > through one entry of the IDT and that is the 0x80th entry, am I wrong?
> >
>
> There are also the 'sysenter'/'syscall' instructions.
> An explanation can be found here (just one of many google can find
> you) : http://www.win.tue.nl/~aeb/linux/lk/lk-4.html#ss4.6

As explained in this article, the "sysenter" machine instruction is sometimes faster than the "int 0x80" exception instruction and allows the machine to enter kernel mode more quickly. I am just wondering how the CPU gets the base address of the system_call function in the kernel (the top / first function in the kernel to get executed when a system call is done) after the sysenter instruction. In the int 0x80 mechanism, 0x80 is the entry index in the IDT and in this entry we have the virtual address of the system_call() function stored, so it is not a problem when we invoke the system call through the int 0x80 mechanism.

Can someone provide some links or elaborate on this: how does the CPU get the function pointer of the system_call() function when a system call is invoked through the sysenter instruction, as there is no operand to this instruction which can tell us where in the IDT the CPU should look for the function pointer of the system_call() function?

regards,
Gaurav
Email: gauravd.chd@xxxxxxxxx
---------------------------------
Read my blog at: http://lkdp.blogspot.com/
---------------------------------

> --
> Jesper Juhl <jesper.juhl@xxxxxxxxx>
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please http://www.expita.com/nomime.html
>

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/