Comments 1
Hi ultral!
You can get the address of the system call table:

    kallsyms_lookup_name("sys_call_table")

instead of:

    void *system_call;
    unsigned char *ptr;
    int i, low, high;

    /* read IA32_LSTAR: address of the 64-bit syscall entry point */
    asm volatile("rdmsr" : "=a" (low), "=d" (high) : "c" (IA32_LSTAR));
    system_call = (void*)(((long)high<<32) | low);

    /* scan the entry code for ff 14 c5 <disp32>: call *disp32(,%rax,8) */
    for (ptr=system_call, i=0; i<500; i++, ptr++) {
        if (ptr[0] == 0xff && ptr[1] == 0x14 && ptr[2] == 0xc5)
            return (void*)(0xffffffff00000000 | *((unsigned int*)(ptr+3)));
    }
    return NULL;

And you can use this instead of the asm code to disable memory protection:

    /* clear CR0.WP (bit 16) */
    write_cr0(read_cr0() & ~0x10000);

I think it'd be cleaner.
Anyhow, thanks so much for the unconventional approach.
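An added example, not code from the article or from the commenter: a user-space analogue of the kallsyms_lookup_name() lookup from the comment above, run over a constructed excerpt in /proc/kallsyms format, followed by the defender's check that flags sys_call_table entries pointing outside kernel text. The function names, addresses and table snapshot are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format: "<hex address> <type> <name>". */
static const char SAMPLE_KALLSYMS[] =
    "ffffffff81000000 T _stext\n"
    "ffffffff81a00000 T _etext\n"
    "ffffffff81c01000 R ia32_sys_call_table\n"
    "ffffffff81c00200 R sys_call_table\n";

/* Constructed snapshot of three table slots; slot 1 points into module space. */
static const uint64_t SAMPLE_TABLE[] = {
    0xffffffff811d2a40ULL, 0xffffffffc0a41000ULL, 0xffffffff811d3b10ULL };

/* User-space analogue of kallsyms_lookup_name(): exact-name match, 0 if absent. */
uint64_t lookup_symbol(const char *kallsyms, const char *name)
{
    const char *line = kallsyms;
    while (line && *line) {
        unsigned long long addr;
        char type, sym[128];
        if (sscanf(line, "%llx %c %127s", &addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0)
            return addr;
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line)
            line++;
    }
    return 0;
}

/* Count entries outside [stext, etext): a handler that lives in module
 * memory is the usual trace of a replaced sys_call_table slot. */
size_t count_foreign_entries(const uint64_t *table, size_t n,
                             uint64_t stext, uint64_t etext)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] < stext || table[i] >= etext)
            hits++;
    return hits;
}

int main(void)
{
    uint64_t lo = lookup_symbol(SAMPLE_KALLSYMS, "_stext");
    uint64_t hi = lookup_symbol(SAMPLE_KALLSYMS, "_etext");
    printf("foreign entries: %zu\n", count_foreign_entries(SAMPLE_TABLE, 3, lo, hi));
    return 0;
}
```

On a live system /proc/kallsyms prints zeroed addresses to unprivileged readers, so the lookup has to run as root to return usable values.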
System call interception in Linux-kernel module