内核态获取系统调用表的实现原理,请参看本人的博文《Linux下实现劫持系统调用的总结》。用户态的实现原理,从本质上应该是和内核一致的。有区别的地方就在于,内核态可以直接访问内核地址空间,而用户态是不可以的。
一、代码及实现
(一)用户空间源代码
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define CALLOFF 100 //读取100字节
struct {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed)) idtr; //这个结构表示IDTR寄存器,这个寄存器中保存中断描述符表 的地址
struct {
unsigned short off1;
unsigned short sel;
unsigned char none,flags;
unsigned short off2;
} __attribute__ ((packed)) idt; //中断描述符表中的内容:中断门描述符
unsigned int old_readkmem (int fd, void * buf,size_t off,unsigned int size) //用read方式读取kmem中一定长度内容
{
if (lseek64(fd, (unsigned long long)off,SEEK_SET)!=off)
{
perror("fd lseek error");
return 0;
}
if (read(fd, buf,size)!=size)
{
perror("fd read error");
return 0;
}
}
unsigned long readkmem (int fd, void * buf, size_t off, unsigned int size)//用mmap方式从kmem中读取一定长度内容
{
size_t moff, roff;
size_t sz = getpagesize();
char * kmap;
unsigned long ret_old = old_readkmem(fd, buf, off, size); //先用老方法读取,不行再用mmap
#p#if (ret_old != 0)
return ret_old;
moff = ((size_t)(off/sz)) * sz;
roff = off - moff;
kmap = mmap(0, size+sz, PROT_READ, MAP_PRIVATE, fd, moff);
if (kmap == MAP_FAILED)
{
perror("readkmem: mmap");
return 0;
}
memcpy (buf, &kmap[roff], size);
if (munmap(kmap, size) != 0)
{
perror("readkmem: munmap");
return 0;
}
return size;
}
int main (int argc, char **argv)
{
unsigned sys_call_off;
int kmem_fd; // /dev/kmem文件描述符
unsigned sct;
char sc_asm[CALLOFF],*p;
/* 获得IDTR寄存器的值 */
asm ("sidt %0" : "=m" (idtr));
printf("idtr base at 0x%X\n",(int)idtr.base);
/* 打开kmem */
kmem_fd = open ("/dev/kmem",O_RDONLY);
if (kmem_fd
知优网 » Linux用户空间获取系统调用表地址(linux查看表空间命令)