Assembly Language for Beginners



The GS: selector is also used to access the TLS, but in a somewhat different way:


Listing 6.18: Optimizing GCC 4.8.1 x86

.text:08048460 my_srand proc near
.text:08048460
.text:08048460 arg_0 = dword ptr 4
.text:08048460
.text:08048460 mov eax, [esp+arg_0]
.text:08048464 mov gs:0FFFFFFFCh, eax
.text:0804846A retn
.text:0804846A my_srand endp


.text:08048470 my_rand proc near
.text:08048470 imul eax, gs:0FFFFFFFCh, 19660Dh
.text:0804847B add eax, 3C6EF35Fh
.text:08048480 mov gs:0FFFFFFFCh, eax
.text:08048486 and eax, 7FFFh
.text:0804848B retn
.text:0804848B my_rand endp


More about it: [Ulrich Drepper, ELF Handling For Thread-Local Storage, (2013)]^6.
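The C source that a compiler turns into Listing 6.18, as an added example (not the book's own code): the generator state is declared `__thread`, which is what makes the compiler address it through the TLS base (the `gs:0FFFFFFFCh` operand above) instead of through an absolute address. The multiplier 0x19660D, the increment 0x3C6EF35F and the 0x7FFF mask are taken from the listing; the second thread and the function `main_value_after_other_thread` are constructed here to show that each thread gets its own copy of the state. It assumes a POSIX threads environment.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Per-thread generator state. With __thread the compiler places this
 * variable in the thread-local storage block, which is why the listing
 * above reaches it as gs:0FFFFFFFCh (a negative offset from the TLS base)
 * instead of through an absolute address. */
static __thread uint32_t rand_state;

void my_srand(uint32_t seed)
{
    rand_state = seed;
}

/* Same linear congruential step as in the listing: multiply by 0x19660D,
 * add 0x3C6EF35F, store the new state, return the low 15 bits. */
uint32_t my_rand(void)
{
    rand_state = rand_state * 0x19660Du + 0x3C6EF35Fu;
    return rand_state & 0x7FFFu;
}

/* Thread body: seeds its *own* copy of rand_state and draws one value. */
static void *other_thread(void *arg)
{
    uint32_t *out = arg;
    my_srand(1000);
    *out = my_rand();
    return NULL;
}

/* Seeds the calling thread, lets a second thread seed and use its state,
 * then returns the calling thread's next value. Because the state is
 * thread-local, the second thread cannot disturb it: the result is the
 * same as if no other thread had run (seed 1 gives 22892). */
uint32_t main_value_after_other_thread(uint32_t seed, uint32_t *other_out)
{
    pthread_t t;
    my_srand(seed);
    if (pthread_create(&t, NULL, other_thread, other_out) != 0)
        return 0;
    pthread_join(t, NULL);
    return my_rand();
}

int main(void)
{
    uint32_t other = 0;
    uint32_t mine = main_value_after_other_thread(1, &other);
    printf("main thread: %u, other thread: %u\n", mine, other);
    return 0;
}
```

Had `rand_state` been an ordinary global, the second thread's `my_srand(1000)` would have overwritten the main thread's seed and the main thread's next value would change; with `__thread` it does not.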


6.3 System calls (syscall-s)


As we know, all running processes inside an OS are divided into two categories: those having full access
to the hardware (“kernel space”) and those that do not (“user space”).


The OS kernel and usually the drivers are in the first category.


All applications are usually in the second category.


For example, the Linux kernel is in kernel space, but Glibc is in user space.


This separation is crucial for the safety of the OS: it is very important not to give to any process the
possibility to screw up something in other processes or even in the OS kernel. On the other hand, a
failing driver or error inside the OS’s kernel usually leads to a kernel panic or BSOD^7.


The protection in the x86 processors allows separating everything into 4 levels of protection (rings), but
both in Linux and in Windows only two are used: ring0 (“kernel space”) and ring3 (“user space”).


System calls (syscall-s) are a point where these two areas are connected.


It can be said that this is the main API provided to applications.


As in Windows NT, the syscalls table resides in the SSDT^8.


The usage of syscalls is very popular among shellcode and computer virus authors, because it is hard
to determine the addresses of needed functions in the system libraries, but it is easier to use syscalls.
However, much more code has to be written due to the lower level of abstraction of the API.


It is also worth noting that the syscall numbers may be different in various OS versions.


6.3.1 Linux


In Linux, a syscall is usually called via int 0x80. The call’s number is passed in the EAX register, and any
other parameters in the other registers.


Listing 6.19: A simple example of the usage of two syscalls

section .text
global _start


_start:
mov edx,len ; buffer len
mov ecx,msg ; buffer


(^6) Also available as http://go.yurichev.com/17272
(^7) Blue Screen of Death
(^8) System Service Dispatch Table
