[Qemu-devel] sidt problem

From: Clemens Kolbitsch
Subject: [Qemu-devel] sidt problem
Date: Mon, 25 Jun 2007 23:42:25 +0200
Hi everyone!
I have a strange problem:

I use the following code on my Linux 2.6.20 (Kubuntu/Debian, i386) to dynamically get the location of the system-call table (as can also be found in /proc/kallsyms --> "sys_call_table"), as it is quite interesting for new exploits ( :-) )

On a real CPU this works fine; however, it crashes in QEMU... obviously there is a bug somewhere. I have not found my way that deep into the QEMU source, so I cannot really help to find the bug.

Well, here is the code:

   struct {
       unsigned short limit;
       unsigned int base;
   } __attribute__ ((packed)) idtr;

   struct {
       unsigned short off1;
       unsigned short sel;
       unsigned char none, flags;
       unsigned short off2;
   } __attribute__ ((packed)) *igd;

   unsigned long *sys_call;
   unsigned long sys_call_table;
   unsigned char *pc;
   int i;

   // find idt_table: sidt stores the 6-byte IDTR (limit, base) into idtr,
   // so idtr is an output operand
   __asm__("sidt %0" : "=m"(idtr));

   // find system_call: IDT gate descriptors are 8 bytes each, int 0x80 is vector 0x80
   igd = (void *)(idtr.base + 8 * 0x80);

   // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   // the next line crashes
   // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   // handler offset is split across the low and high 16-bit fields of the gate
   sys_call = (unsigned long *)(((unsigned long)igd->off2 << 16) | igd->off1);

   // find sys_call_table
   // ff 14 85 XX XX XX XX     call <sys_call_table>(,%eax,4)

   sys_call_table = 0x0;
   pc = (unsigned char *)sys_call;

   // check the first 100 bytes in system_call
   // (32-bit long assumed: the shift drops the XX byte and leaves ff 14 85)
   for (i = 0; i < 100; ++i)
       if ((*(long*)++pc << 8) == 0x8514ff00)
           sys_call_table = *(long*)(pc+3);

Maybe someone has time to look at this problem (by the way, I use the same system inside QEMU as on my laptop).
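The same two-step walk (IDT gate for vector 0x80 -> handler address -> scan the handler for the `call *sys_call_table(,%eax,4)` encoding) as an added, self-contained example; this is not code from the post or from the kernel, and it runs in user space over constructed data. The IDT, the handler bytes and the addresses `0xc0103abc` / `0xc02f6d20` are all made up for the demonstration, so no `sidt` is executed and no kernel memory is touched; the point is the gate-descriptor layout and a bounds-checked, alignment-safe version of the pattern scan.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit IDT gate descriptor (Intel SDM vol. 3, "Interrupt Descriptor Table"):
 * the handler offset is split across the first and last 16-bit fields, which
 * is why the post reassembles it as (off2 << 16) | off1. */
struct idt_gate32 {
    uint16_t off_lo;
    uint16_t sel;
    uint8_t  zero;
    uint8_t  flags;
    uint16_t off_hi;
} __attribute__((packed));

/* Reassemble the 32-bit handler address from a gate descriptor. */
uint32_t gate_offset(const struct idt_gate32 *g)
{
    return ((uint32_t)g->off_hi << 16) | g->off_lo;
}

/* Look up vector `vec` in an IDT whose base address is `idt_base` and return
 * the handler offset: the idtr.base + 8 * 0x80 step from the post. */
uint32_t idt_vector_offset(uintptr_t idt_base, unsigned vec)
{
    const struct idt_gate32 *g = (const struct idt_gate32 *)
        (idt_base + (uintptr_t)vec * sizeof(struct idt_gate32));
    return gate_offset(g);
}

/* Scan `len` bytes of code for "ff 14 85 imm32" (call *imm32(,%eax,4)) and
 * return imm32, or 0 if the pattern is not found. Bytes are compared and
 * assembled one at a time: no unaligned 4-byte load, no dependence on the
 * width of `long`, and no read past the end of the buffer. */
uint32_t find_syscall_table(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xff && code[i + 1] == 0x14 && code[i + 2] == 0x85) {
            return (uint32_t)code[i + 3]
                 | (uint32_t)code[i + 4] << 8
                 | (uint32_t)code[i + 5] << 16
                 | (uint32_t)code[i + 6] << 24;
        }
    }
    return 0;
}

/* Constructed test data: assumed addresses, not taken from any real kernel. */
#define FAKE_SYSTEM_CALL    0xc0103abcu
#define FAKE_SYS_CALL_TABLE 0xc02f6d20u

/* A 256-entry IDT with only vector 0x80 filled in. */
struct idt_gate32 fake_idt[256];

void build_fake_idt(void)
{
    memset(fake_idt, 0, sizeof fake_idt);
    fake_idt[0x80].off_lo = FAKE_SYSTEM_CALL & 0xffff;
    fake_idt[0x80].sel    = 0x60;   /* kernel code selector, assumed value */
    fake_idt[0x80].flags  = 0xef;   /* present, DPL 3, 32-bit trap gate */
    fake_idt[0x80].off_hi = FAKE_SYSTEM_CALL >> 16;
}

/* Constructed bytes resembling the start of an i386 system_call entry,
 * ending in the indirect call through sys_call_table. */
const uint8_t fake_system_call[] = {
    0x50,                                     /* push  %eax */
    0xfc,                                     /* cld */
    0x06, 0x1e,                               /* push  %es; push %ds */
    0x3d, 0x3e, 0x01, 0x00, 0x00,             /* cmp   $0x13e,%eax */
    0x77, 0x07,                               /* ja    past the call */
    0xff, 0x14, 0x85, 0x20, 0x6d, 0x2f, 0xc0, /* call  *0xc02f6d20(,%eax,4) */
    0x89, 0x44, 0x24, 0x18,                   /* mov   %eax,0x18(%esp) */
};

int main(void)
{
    build_fake_idt();

    /* Step 1: IDT base -> gate 0x80 -> handler address. In the kernel the
     * base comes from `sidt`; here it is the address of the fake table. */
    uint32_t handler = idt_vector_offset((uintptr_t)fake_idt, 0x80);
    printf("system_call at 0x%08x\n", handler);

    /* Step 2: scan the handler's code for the call through sys_call_table.
     * In the kernel `code` would be (unsigned char *)handler; here the
     * constructed buffer stands in for that code. */
    uint32_t table = find_syscall_table(fake_system_call,
                                        sizeof fake_system_call);
    printf("sys_call_table at 0x%08x\n", table);
    return table == FAKE_SYS_CALL_TABLE ? 0 : 1;
}
```

The scan deliberately stops when fewer than 7 bytes remain, so a truncated buffer yields 0 instead of an out-of-bounds read; the post's `*(long*)++pc` version reads 4 bytes at every offset and depends on `long` being 32 bits for the `<< 8` comparison to work.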


