hi everyone!
i have a strange problem:
i use the following code on my linux 2.6.20 (kubuntu debian, i386) to
dynamically get the location of the system-call table (as can also be
found in /proc/kallsyms --> "sys_call_table") as it is quite
interesting for new exploits ( :-) )
on a real cpu this works fine, however crashes in qemu... obviously
there is a bug somewhere. i have not found my way that deep into the
qemu source, so i cannot really help to find the bug.
well, here is the code:
struct
{
unsigned short limit;
unsigned int base;
} __attribute__ ((packed)) idtr;
struct
{
unsigned short off1;
unsigned short sel;
unsigned char none, flags;
unsigned short off2;
} __attribute__ ((packed)) *igd;
unsigned long *sys_call;
unsigned char *pc;
// find idt_table
__asm__("sidt %0" : :"m"(idtr));
// find system_call
igd = idtr.base + 8 * 0x80;
// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// the next line crashes
// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
sys_call = (igd->off2 << 16) | igd->off1;
// find sys_call_table
// ff 14 85 XX XX XX XX call <sys_call_table>(,%eax,4)
sys_call_table = 0x0;
pc = (char*)sys_call;
// check the first 100 bytes in system_call
for (i = 0; i < 100; ++i)
{
if ((*(long*)++pc << 8) == 0x8514ff00)
{
sys_call_table = *(long*)(pc+3);
break;
}
}
maybe, someone has time to look at this problem (by the way, i use the
same system inside qemu as on my laptop)
greets!!