Reverse Engineering for Beginners




Chapter 66


System calls (syscall-s)


As we know, all running processes inside an OS are divided into two categories: those having full access to the hardware
(“kernel space”) and those that do not (“user space”).


The OS kernel and usually the drivers are in the first category.


All applications are usually in the second category.


For example, the Linux kernel is in kernel space, but Glibc is in user space.


This separation is crucial for the safety of the OS: it is very important not to give any process the possibility to screw up
something in other processes or even in the OS kernel. On the other hand, a failing driver or an error inside the OS kernel
usually leads to a kernel panic or BSOD^1.


The protection mechanism of the x86 processors allows everything to be separated into 4 levels of protection (rings), but both
Linux and Windows use only two of them: ring0 (“kernel space”) and ring3 (“user space”).


System calls (syscall-s) are the point where these two areas are connected. It can be said that this is the main API provided
to applications.


As for Windows NT, the syscall table resides in the SSDT^2.


The usage of syscalls is very popular among shellcode and computer virus authors, because it is hard to determine the
addresses of the needed functions in the system libraries, but it is easier to use syscalls. However, much more code has to be
written due to the lower level of abstraction of the API. It is also worth noting that the syscall numbers may differ between
OS versions.


66.1 Linux


In Linux, a syscall is usually called via int 0x80. The call’s number is passed in the EAX register, and the other parameters
in the remaining registers.


Listing 66.1: A simple example of the usage of two syscalls

section .text
global _start

_start:
    mov edx,len    ; buffer length
    mov ecx,msg    ; buffer
    mov ebx,1      ; file descriptor. 1 is for stdout
    mov eax,4      ; syscall number. 4 is for sys_write
    int 0x80

    mov eax,1      ; syscall number. 1 is for sys_exit
    int 0x80       ; the exit status is taken from EBX (still 1 from the write above)

section .data

msg db 'Hello, world!',0xa
len equ $ - msg
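The listing above hard-codes the 32-bit Linux numbers (4 for sys_write, 1 for sys_exit) and passes arguments in EBX, ECX and EDX. The following C program is an added example, not from the book, that performs the same sys_write through the same register convention with inline int 0x80 when built for 32-bit Linux, and falls back to the libc syscall() wrapper on any other platform. Instead of hard-coding the numbers it uses the SYS_write and SYS_exit constants from <sys/syscall.h>, so building it for another architecture shows how the numbers change, which is the reason syscall-based code is tied to a specific kernel ABI. The pipe round-trip and the message are constructed test input; raw_syscall3, write_via_syscall and syscall_roundtrip are names chosen here.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Invoke a three-argument system call by number (hypothetical helper).
 * On 32-bit Linux this is the raw int 0x80 path described in the text:
 * EAX = number, EBX/ECX/EDX = arguments, EAX = return value.
 * Elsewhere it defers to the libc syscall() wrapper, which uses the
 * calling convention of whatever architecture the binary was built for. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__i386__) && defined(__linux__)
    long ret;
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(nr), "b"(a1), "c"(a2), "d"(a3)
                      : "memory");
    return ret;                     /* kernel returns -errno on failure */
#else
    return syscall(nr, a1, a2, a3); /* libc returns -1 and sets errno on failure */
#endif
}

/* Equivalent of the listing's sys_write call: fd in the first argument
 * register, buffer pointer in the second, length in the third. */
long write_via_syscall(int fd, const char *buf, size_t len)
{
    return raw_syscall3(SYS_write, (long)fd, (long)buf, (long)len);
}

/* Write a constructed message into a pipe through the raw syscall and
 * read it back with the ordinary read(); returns 1 if the bytes match. */
int syscall_roundtrip(void)
{
    int fds[2];
    const char msg[] = "Hello, world!\n";   /* constructed sample input */
    char back[sizeof msg];

    if (pipe(fds) != 0)
        return 0;
    long n = write_via_syscall(fds[1], msg, strlen(msg));
    if (n != (long)strlen(msg))
        return 0;
    ssize_t r = read(fds[0], back, sizeof back - 1);
    close(fds[0]);
    close(fds[1]);
    if (r != n)
        return 0;
    back[r] = '\0';
    return strcmp(back, msg) == 0;
}

int main(void)
{
    /* The numbers are ABI constants: 4 and 1 on i386 Linux as in the listing,
     * different values on x86-64 or other architectures. */
    printf("SYS_write = %d, SYS_exit = %d on this build\n",
           (int)SYS_write, (int)SYS_exit);
    printf("pipe round-trip through raw syscall: %s\n",
           syscall_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Compile with `gcc -m32` on an x86 Linux host to take the inline int 0x80 path; a default 64-bit build still runs but goes through syscall(). A write to an invalid descriptor returns a negative value on both paths, which is how a caller tells a failed syscall from a successful one.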


^1 Black Screen of Death
^2 System Service Dispatch Table
