Re: The disappearing sys_call_table export.

Terje Eggestad (terje.eggestad@scali.com)
06 May 2003 00:49:34 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Ernie Petrides: "[PATCH] 2.5.69 problem with semtimedop() on s390 architecture"
Previous message: george anzinger: "Re: [BUG] problem with timer_create(2) for SIGEV_NONE ??"
Next in thread: Dmitry A. Fedorov: "Re: The disappearing sys_call_table export."
Reply: Dmitry A. Fedorov: "Re: The disappearing sys_call_table export."

Good point, it should actually be very simple.
from /proc/ksyms we've got teh adresses of the sys_*, then from
asm/unistd.h we got the order.
Then search thru /dev/kmem until you find the right string og addresses,
and you got sys_call_table.

Dirty but it should be portable.

On Mon, 2003-05-05 at 23:29, Chuck Ebbert wrote:
> Lets deal, I'll GPL the trace module if you get me a
> EXPORT_SYMBOL_GPL(sys_call_table);

You could always use the rootkit techniques from Phrack 58 to find
the table... seems kind of silly to do that in kernel mode, but it
should work.

-- _________________________________________________________________________

Terje Eggestad mailto:terje.eggestad@scali.no Scali Scalable Linux Systems http://www.scali.com

Olaf Helsets Vei 6 tel: +47 22 62 89 61 (OFFICE) P.O.Box 150, Oppsal +47 975 31 574 (MOBILE) N-0619 Oslo fax: +47 22 62 89 51 NORWAY _________________________________________________________________________

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Ernie Petrides: "[PATCH] 2.5.69 problem with semtimedop() on s390 architecture"
Previous message: george anzinger: "Re: [BUG] problem with timer_create(2) for SIGEV_NONE ??"
Next in thread: Dmitry A. Fedorov: "Re: The disappearing sys_call_table export."
Reply: Dmitry A. Fedorov: "Re: The disappearing sys_call_table export."