
I'm getting a segfault when running this code as root in userspace. I don't understand why. I believe I have a rootkit and I want to check if the addresses are the same as the ones in /boot/System.map-3.2.0-4-amd64

#include <stdio.h>

int main(void)
{
    unsigned long hex;
    unsigned long **sys_call_table;

    /* Walk the kernel address range taken from System.map (sys_close up to
       loops_per_jiffy) and treat each address as a candidate sys_call_table.
       These are kernel virtual addresses, not mappings of this process, so
       the first dereference faults. */
    for(hex = 0xffffffff810f8989; hex < 0xffffffff8160e370; hex += sizeof(void *))
    {
        sys_call_table = (unsigned long **)hex;

        /* Entry 3 of the table is expected to hold the address of sys_close. */
        if(sys_call_table[3] == (unsigned long *)0xffffffff810f8989)
        {
            puts("sys_close's address has not been replaced by the rootkit");
        }
    }
    return 0;
}

grep "string you want" /boot/System.map-3.2.0-4-amd64

ffffffff81401200 R sys_call_table
ffffffff810f9f9e T sys_read         // sys_call_table[0]
ffffffff810fa009 T sys_write        // sys_call_table[1]
ffffffff810f950d T sys_open         // sys_call_table[2]
ffffffff810f8989 T sys_close        // sys_call_table[3]
ffffffff8160e370 D loops_per_jiffy
elaine

1 Answer


Running as root is not enough - the problem is that you run it in user space - run it in kernel space, as a kernel module, for example. Although having root privileges is enough for invoking system calls, you cannot access the table - in user space you can only access memory allocated to you.

sasha.sochka
  • What do you mean, syscalls are accessible from the userspace, that's the whole point. – Ben Jul 25 '13 at 12:32
  • I mean you can not access random parts of memory like OP does if it was not given to you. – sasha.sochka Jul 25 '13 at 12:35
  • Ok but elaine thinks those are valid addresses because they are supposed to be addresses of the system calls. In fact, they are not because addresses in System.map are only valid in the kernel space and not in the process space. Which is more or less what you are saying ... I guess – Ben Jul 25 '13 at 12:45
  • Syscalls are available from userspace in the sense that userspace code can invoke syscalls, but NOT in the sense that they can access the table. – Drew McGowen Jul 25 '13 at 13:38
  • Thank you. I thought that `root` could access anything. – elaine Jul 25 '13 at 14:06
  • Sure, root passes any privilege check. But a process running in user-space always has its own mapped memory area. Trying to access arbitrary addresses in kernel memory isn't a privilege problem, it's a memory mapping problem. – This isn't my real name Jul 25 '13 at 18:23
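The program below is an added example, not code from the question or the answer. It shows from user space why the original loop faults, without crashing: it parses a System.map excerpt (a constructed copy of the lines shown in the question is embedded; the real file is /boot/System.map-<version>) to get a symbol's address, then probes whether that address is mapped into the current process by asking the kernel to copy from it via write() into a pipe. For an address that is not part of the process's mappings, such as any kernel virtual address from System.map, write() fails with EFAULT instead of raising SIGSEGV, so the probe is safe on any value. It assumes a 64-bit Linux process; the result for the System.map addresses is "not readable" whether or not the process runs as root, which is the answer's point: comparing sys_call_table entries against System.map has to be done in kernel mode.

```c
/* Added example: probe, rather than dereference, the addresses from System.map.
 * Not from the original question or answer. Assumes 64-bit Linux. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed excerpt in System.map format: "<hex address> <type> <symbol>". */
static const char sample_system_map[] =
    "ffffffff81401200 R sys_call_table\n"
    "ffffffff810f9f9e T sys_read\n"
    "ffffffff810fa009 T sys_write\n"
    "ffffffff810f950d T sys_open\n"
    "ffffffff810f8989 T sys_close\n"
    "ffffffff8160e370 D loops_per_jiffy\n";

/* Look up `symbol` in System.map-formatted text. Returns 1 and stores the
 * address on success, 0 if the symbol is absent or a line is too long. */
int parse_system_map(const char *text, const char *symbol, unsigned long *addr)
{
    const char *line = text;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256], name[128], type;
        unsigned long value;

        if (len >= sizeof buf)
            return 0;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* Exact name match: "sys_close" must not match "sys_close_something". */
        if (sscanf(buf, "%lx %c %127s", &value, &type, name) == 3 &&
            strcmp(name, symbol) == 0) {
            *addr = value;
            return 1;
        }
        line = end ? end + 1 : line + len;
    }
    return 0;
}

/* Convenience wrapper over the embedded excerpt: address or 0 if not found. */
unsigned long symbol_address(const char *symbol)
{
    unsigned long addr = 0;
    return parse_system_map(sample_system_map, symbol, &addr) ? addr : 0;
}

/* Probe whether `len` bytes at `p` are readable by this process.
 * write() makes the kernel copy from `p` with copy_from_user(); if the range
 * is not a user-space mapping the call fails with EFAULT and no signal is
 * delivered. Returns 1 if readable, 0 if EFAULT, -1 on any other failure. */
int address_is_readable(const void *p, size_t len)
{
    int fds[2], readable;

    if (len == 0 || len > 64)
        return -1;                       /* keep the write well below PIPE_BUF */
    if (pipe(fds) != 0)
        return -1;
    readable = (write(fds[1], p, len) == (ssize_t)len) ? 1 : 0;
    if (!readable && errno != EFAULT)
        readable = -1;                   /* unrelated error, claim nothing */
    close(fds[0]);
    close(fds[1]);
    return readable;
}

/* Probe one pointer-sized entry at a kernel address taken from System.map. */
int probe_kernel_address(unsigned long addr)
{
    return address_is_readable((const void *)addr, sizeof(void *));
}

/* Probe a variable that lives in this process, for comparison. */
int probe_local_variable(void)
{
    int local = 42;
    return address_is_readable(&local, sizeof local);
}

int main(void)
{
    unsigned long table = symbol_address("sys_call_table");

    printf("sys_call_table per System.map: 0x%lx\n", table);
    printf("local variable readable: %d\n", probe_local_variable());
    /* This is the address the original loop dereferenced directly. */
    printf("sys_call_table readable:  %d\n", probe_kernel_address(table));
    printf("(0 means EFAULT: a kernel address, not in this process's mappings;"
           " root does not change that)\n");
    return 0;
}
```

Compile with `gcc -Wall probe.c -o probe`; running it as an ordinary user or as root prints `1` for the local variable and `0` for sys_call_table. The same probe can wrap a loop like the one in the question so that unmapped addresses are skipped instead of killing the process, but it cannot make kernel memory readable: that part of the check belongs in a kernel module.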