我们可以观察到代码中有一处硬编码,其实是对应 Nt 函数的 raw hex 格式,我们通过下图可以看到前四个字节是4c8bd1b8,由于是小端格式存储,在内存中就变成了00B8D18B4Ch 上面第一个名为findSyscallNumber的过程很简单,就是比较硬编码和在内存中获取的是不是一样,如果不一样我们就认为它被 hook 了,并且跳转到 er...
struct mini_regs {unsigned long ip;unsigned long cs;unsigned long flags;unsigned long sp;unsigned long ss;}; struct user_vmas {unsigned long start_code;unsigned long end_code;unsigned long start_data;unsigned long end_data;unsigned long start_brk;unsigned long brk;unsigned long start_stack;}...
extern int SysClone(int flags, void *stack, int *parentTid, unsigned long tls, int *childTid); extern int SysUnshare(int flags); extern int SysSetns(int fd, int type); extern unsigned int SysGetPID(void); extern unsigned int SysGetPPID(void); extern int SysSetGroup...
/*
 * Legacy i386 system-call stub for the "test" call, in the form the
 * _syscall0(int, test) macro discussed below declares: the call number
 * __NR_test is placed in eax, "int $0x80" traps into the kernel, and the
 * kernel's result is read back from eax.  A negative result is a -errno
 * value: it is stored in errno and -1 is returned, as the C library does.
 */
static inline int test(void)
{
	long ret;

	/* "0" ties the input operand to the same register as output 0 (eax). */
	__asm__ volatile ("int $0x80" : "=a" (ret) : "0" (__NR_test));

	if (ret < 0) {
		errno = -ret;
		return -1;
	}
	return (int) ret;
}
_syscall0(int, test)实际上是声明了一个名为test的函数,声明函数后,应用程序就可以使用t...
asmlinkage long sys_##sname(void) #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__) #define SYSCALL_DEFINE2(name, ...) SYSCALL_DEFINEx(2, _##name, __VA_ARGS__) #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) ...
return -1; @@ -182,7 +185,7 @@ static int check_prctl(void) /* * Either new or old interface must be supported in the kernel. */ ret = sys_prctl(PR_SET_MM, PR_SET_MM_MAP_SIZE, (unsigned long)&size, 0, 0); ret = prctl(PR_SET_MM, PR_SET_MM_MAP_SIZE, (unsigned long...
__array(unsignedlong, args,6) ), TP_fast_assign( __entry->id=id; syscall_get_arguments(current, regs,0,6, __entry->args); ), TP_printk("NR %ld (%lx, %lx, %lx, %lx, %lx, %lx)", __entry->id, __entry->args[0], __entry->args[1], __entry->args[2], ...
syscall指令,ax寄存器指定系统调用号
F-Stack is a user-space network development kit with high performance based on DPDK, FreeBSD TCP/IP stack and coroutine API. - f-stack/lib/ff_syscall_wrapper.c at dev · zimo1988/f-stack
/** PAGE_TABLE_ISOLATION PGDs are 8k. Flip bit 12 to switch between the two* halves:*/#definePTI_USER_PGTABLE_BIT PAGE_SHIFT#definePTI_USER_PGTABLE_MASK (1 << PTI_USER_PGTABLE_BIT)#definePTI_USER_PCID_BIT X86_CR3_PTI_PCID_USER_BIT#definePTI_USER_PCID_MASK (1 << PTI_USER_PC...