Original link: http://yandong.org/?p=253
0x00 Links
http://www.cppblog.com/hex108/archive/2010/11/22/134313.html
http://articles.manugarg.com/systemcallinlinux2_6.html
0x01 Method 1
#include <unistd.h>
/* call one libc wrapper so its disassembly shows the kernel entry */
int main(void) { getuid(); return 0; }
Compile statically:
gcc -g -static ./test.c -o test
Then step through it under gdb:
b main
r
disass main
disass getuid
0x02 Method 2
First disable address space randomization:
sysctl -w kernel.randomize_va_space=0
Then look up the address of the VDSO, dd that page out and disassemble it; the implementation of the system call mechanism is then visible:
$ cat /proc/self/maps
00110000-0012c000 r-xp 00000000 08:01 260639 /lib/ld-2.12.1.so
0012c000-0012d000 r--p 0001b000 08:01 260639 /lib/ld-2.12.1.so
0012d000-0012e000 rw-p 0001c000 08:01 260639 /lib/ld-2.12.1.so
0012e000-0012f000 r-xp 00000000 00:00 0 [vdso]
0012f000-00286000 r-xp 00000000 08:01 260663 /lib/libc-2.12.1.so
00286000-00287000 ---p 00157000 08:01 260663 /lib/libc-2.12.1.so
00287000-00289000 r--p 00157000 08:01 260663 /lib/libc-2.12.1.so
00289000-0028a000 rw-p 00159000 08:01 260663 /lib/libc-2.12.1.so
0028a000-0028d000 rw-p 00000000 00:00 0
08048000-08051000 r-xp 00000000 08:01 130326 /bin/cat
08051000-08052000 r--p 00008000 08:01 130326 /bin/cat
08052000-08053000 rw-p 00009000 08:01 130326 /bin/cat
08053000-08074000 rw-p 00000000 00:00 0 [heap]
b7df0000-b7ff0000 r--p 00000000 08:01 660864 /usr/lib/locale/locale-archive
b7ff0000-b7ff1000 rw-p 00000000 00:00 0
b7ffd000-b7ffe000 r--p 002a1000 08:01 660864 /usr/lib/locale/locale-archive
b7ffe000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
$ dd if=/proc/self/mem of=gate.so bs=4096 skip=$[0x12e] count=1
$ objdump -d gate.so
If the interrupt mechanism is used, it should look roughly like this:
ffffe400 <__kernel_sigreturn>:
ffffe400: 58                   pop    %eax
ffffe401: b8 77 00 00 00       mov    $0x77,%eax
ffffe406: cd 80                int    $0x80
ffffe408: 90                   nop
ffffe409: 8d 76 00             lea    0x0(%esi),%esi
ffffe40c <__kernel_rt_sigreturn>:
ffffe40c: b8 ad 00 00 00       mov    $0xad,%eax
ffffe411: cd 80                int    $0x80
ffffe413: 90                   nop
ffffe414 <__kernel_vsyscall>:
ffffe414: cd 80                int    $0x80
ffffe416: c3                   ret
If the fast system call mechanism is used, it should look roughly like this (sysenter may be syscall instead):
==> objdump -d --start-address=0xffffe400 --stop-address=0xffffe414 linux-gate.dso
ffffe400 <__kernel_vsyscall>:
ffffe400: 51                   push   %ecx
ffffe401: 52                   push   %edx
ffffe402: 55                   push   %ebp
ffffe403: 89 e5                mov    %esp,%ebp
ffffe405: 0f 34                sysenter
...
ffffe40d: 90                   nop
ffffe40e: eb f3                jmp    ffffe403 <__kernel_vsyscall+0x3>
ffffe410: 5d                   pop    %ebp
ffffe411: 5a                   pop    %edx
ffffe412: 59                   pop    %ecx
ffffe413: c3                   ret
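As an added example (not from the original post), the same dump can be taken without disabling randomization or reading the address off /proc/self/maps by hand: the kernel passes the vdso base to every process in the auxiliary vector as AT_SYSINFO_EHDR, which is how ld.so finds it. The program below reads that entry, checks the ELF magic, sizes the image from its PT_LOAD segments and writes it to a file ready for objdump -d. It assumes a Linux kernel that maps a vdso and glibc's getauxval(); the output file name vdso.so is my choice.

```c
#include <link.h>       /* ElfW(), Elf types, AT_SYSINFO_EHDR, ELFMAG */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval() */
#include <unistd.h>     /* sysconf() */

/* Base address of the vdso mapping, or 0 if the kernel mapped none
 * (e.g. booted with vdso=0). Works with randomize_va_space enabled. */
uintptr_t vdso_base(void) {
    return (uintptr_t)getauxval(AT_SYSINFO_EHDR);
}

/* True if the bytes at p start with the ELF magic "\177ELF". */
int is_elf_image(const void *p) {
    return p != NULL && memcmp(p, ELFMAG, SELFMAG) == 0;
}

/* Bytes to copy: end of the last PT_LOAD segment rounded up to a page,
 * the same granularity as the dd bs=4096 in the post. */
size_t vdso_image_size(const void *base) {
    const ElfW(Ehdr) *eh = base;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)((const char *)base + eh->e_phoff);
    size_t end = 0, page = (size_t)sysconf(_SC_PAGESIZE);
    for (int i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == PT_LOAD && ph[i].p_offset + ph[i].p_filesz > end)
            end = ph[i].p_offset + ph[i].p_filesz;
    return (end + page - 1) & ~(page - 1);
}

/* Copy the in-memory vdso image to path; returns bytes written or -1. */
long dump_vdso(const char *path) {
    const void *base = (const void *)vdso_base();
    if (!is_elf_image(base)) return -1;
    size_t n = vdso_image_size(base);
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    size_t w = fwrite(base, 1, n, f);
    fclose(f);
    return w == n ? (long)n : -1;
}

int main(int argc, char **argv) {
    const char *out = argc > 1 ? argv[1] : "vdso.so";  /* assumed output name */
    long n = dump_vdso(out);
    if (n < 0) { fprintf(stderr, "no vdso image found\n"); return 1; }
    printf("vdso mapped at %#lx, %ld bytes written to %s\n",
           (unsigned long)vdso_base(), n, out);
    printf("next: objdump -d %s\n", out);
    return 0;
}
```

On a 64-bit process the disassembly shows the vdso's __vdso_* entry points rather than the 32-bit __kernel_vsyscall stub above; the ELF walk is the same in both cases.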