Get system call address in system call table from /proc/kcore

How could I retrieve the system call address from /proc/kcore? I could get the system call table address from the System.map file.

242 likes
user567879 asked Dec 28 '22 21:12


1 Answer

If you're using an x86-based machine, you can use the sidt instruction to get the interrupt descriptor table register and consequently the interrupt descriptor table itself. With that in hand, you can get the address of the system_call (or the ia32 equivalent for x86-64 compatibility) function invoked by the 0x80 system-call interrupt. Disassembling that interrupt handler and scanning for a specific indirect call instruction, you can extract the address within the call instruction. That address is your system call table (on x86) or the IA32 compatibility system call table on x86-64.

Getting the x86-64 native system call table is similar: instead of reconstructing the interrupt table with sidt, read the processor's IA32_LSTAR MSR. The address at (high << 32 | low) is the system call dispatcher. Scan the memory as before, extract the sys_call_table address from the call instruction, but remember to mask the high 32 bits of the address.

This glosses over a lot of even more technical information (like which bytes to search for) that you should understand before poking around in the kernel code. After a quick Google search I found the entire process documented (with example module code) here.

Good luck, and try not to blow yourself up!

158 likes
jmkeyes answered Dec 31 '22 15:12
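The question's own approach (a sys_call_table address from System.map, bytes read from /proc/kcore) needs no disassembly at all, and it is also the way a forensic check for syscall-table hooking is usually done: /proc/kcore is an ELF64 core image whose PT_LOAD program headers map kernel virtual address ranges to file offsets, so reading a kernel symbol means finding the segment that contains its address and seeking to p_offset + (addr - p_vaddr). The following Python is an added example, not code from the asker, the answerer, or any kernel tool. It parses the program headers, reads the table entries, and reports any entry that does not resolve to a symbol in System.map. The System.map lines, the table contents and the ELF image it builds for demonstration are constructed; the symbol names follow the `__x64_sys_*` naming of recent x86-64 kernels, and `check_syscall_table`, `demo` and the other names are this example's own.

```python
"""Read sys_call_table out of a /proc/kcore-style ELF64 core image and
compare each entry with System.map (example code, not from the page)."""
import io
import struct

PT_LOAD = 1
PT_NOTE = 4
# Elf64_Ehdr: e_ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
#             e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF64_EHDR_FMT = "<16sHHIQQQIHHHHHH"
# Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
ELF64_PHDR_FMT = "<IIQQQQQQ"


def parse_load_segments(f):
    """Return [(p_vaddr, p_memsz, p_offset)] for every PT_LOAD header."""
    f.seek(0)
    fields = struct.unpack(ELF64_EHDR_FMT, f.read(struct.calcsize(ELF64_EHDR_FMT)))
    e_ident, e_phoff, e_phentsize, e_phnum = fields[0], fields[5], fields[9], fields[10]
    if e_ident[:4] != b"\x7fELF" or e_ident[4] != 2:      # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    segs = []
    for i in range(e_phnum):
        f.seek(e_phoff + i * e_phentsize)
        p_type, _, p_offset, p_vaddr, _, _, p_memsz, _ = struct.unpack(
            ELF64_PHDR_FMT, f.read(struct.calcsize(ELF64_PHDR_FMT)))
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_memsz, p_offset))
    return segs


def kcore_offset(segs, vaddr):
    """Translate a kernel virtual address to a file offset inside the core image."""
    for base, size, off in segs:
        if base <= vaddr < base + size:
            return off + (vaddr - base)
    raise LookupError(f"address {vaddr:#x} is not covered by any PT_LOAD segment")


def read_kernel(f, segs, vaddr, length):
    f.seek(kcore_offset(segs, vaddr))
    data = f.read(length)
    if len(data) != length:
        raise EOFError(f"short read at {vaddr:#x}")
    return data


def parse_system_map(text):
    """System.map lines look like 'ffffffff81c00000 R sys_call_table'."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms


def check_syscall_table(f, system_map, nr_syscalls):
    """Return [(index, entry_address, symbol_or_None)] for the first nr_syscalls
    entries. A None symbol means the entry points outside every symbol listed
    in System.map, which is what a redirected (hooked) table entry looks like."""
    segs = parse_load_segments(f)
    raw = read_kernel(f, segs, system_map["sys_call_table"], 8 * nr_syscalls)
    by_addr = {addr: name for name, addr in system_map.items()}
    return [(i, e, by_addr.get(e))
            for i, e in enumerate(struct.unpack(f"<{nr_syscalls}Q", raw))]


# --- constructed demonstration input (not a real kernel) -------------------
SYSTEM_MAP_TEXT = """\
ffffffff81100000 T __x64_sys_read
ffffffff81100100 T __x64_sys_write
ffffffff81c00000 R sys_call_table
"""


def build_fake_kcore():
    """Build a minimal ELF64 core image: one PT_NOTE, one PT_LOAD that maps the
    constructed sys_call_table. Entry 2 points into the module area, mimicking a hook."""
    table_vaddr = 0xffffffff81c00000
    entries = [0xffffffff81100000, 0xffffffff81100100, 0xffffffffc0123456]
    payload = b"".join(struct.pack("<Q", e) for e in entries)
    data_off = 64 + 2 * 56                      # ehdr + two phdrs
    ehdr = struct.pack(ELF64_EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       4, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)   # ET_CORE, EM_X86_64
    note = struct.pack(ELF64_PHDR_FMT, PT_NOTE, 0, 0, 0, 0, 0, 0, 0)
    load = struct.pack(ELF64_PHDR_FMT, PT_LOAD, 7, data_off, table_vaddr, 0,
                       len(payload), len(payload), 4096)
    return ehdr + note + load + payload


def demo():
    return check_syscall_table(io.BytesIO(build_fake_kcore()),
                               parse_system_map(SYSTEM_MAP_TEXT), 3)


if __name__ == "__main__":
    for idx, addr, sym in demo():
        print(f"sys_call_table[{idx}] = {addr:#x} -> {sym or 'NOT IN System.map'}")
    # On a live box (root only): open("/proc/kcore", "rb") and the matching
    # /boot/System.map-$(uname -r) in place of the constructed inputs.
```

Two caveats when pointing this at a real machine: /proc/kcore is readable only by root, and with KASLR enabled the addresses in System.map are unrelocated, so the live address of sys_call_table (from /proc/kallsyms, where kptr_restrict permits) differs from the file's by the randomisation offset and every System.map address must be shifted by the same amount before comparing.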