
If I have the virtual address of a system call, can I disassemble that system call? I want to do it on the running kernel to find all the addresses handled by the particular system call while it is running.

I am running a 32-bit 2.6.38 kernel (x86).

user567879
  • I've read this a few times and I still can't figure out what you mean. What is the "address" of a system call? – David Schwartz Dec 14 '11 at 09:07
  • @DavidSchwartz To know whether a rootkit affected the system by looking at the disassembled instructions – user567879 Dec 14 '11 at 09:11
  • What CPU? "32 bit" isn't enough information – Paul R Dec 14 '11 at 09:12
  • Looking at this and the answers and comments below, sounds like this might be better on unix.stackexchange.com. – Chris J Dec 14 '11 at 09:16
  • @PaulR I am having a Core i3 running Debian Squeeze with a custom Linux kernel 2.6.38 (32-bit). I could easily get the system call virtual address (System.map file / a kernel module). Can I disassemble the system call placed at that particular virtual address? I understood that GDB could do that by `gdb /boot/vmlinux-2.4.* /proc/kcore`. But in my Debian, I only have vmlinuz, not vmlinux. Is there any other way? – user567879 Dec 14 '11 at 09:18
  • OK - I have edited your question to indicate that this is x86-specific and added an `x86` tag – Paul R Dec 14 '11 at 09:46
  • @user567879: a good rootkit (especially one using virtualization) won't be directly visible in the affected system and will only be discovered indirectly by observing irregularities in timing, performance and maybe some glitches. – Alexey Frunze Dec 14 '11 at 09:57

1 Answer

I am not sure your question is very meaningful.

Please read more about system calls, kernels, operating systems, Linux, and the Linux kernel.

Essentially, a system call is (from the application point of view) an atomic operation implemented by one machine instruction (`int 0x80`, `syscall`, etc.) with a few book-keeping instructions before (e.g. loading the system call arguments into registers) and after (e.g. setting `errno`). When it happens, control goes into the kernel, with a (sort-of) different address space and a different protection ring; here is the list of Linux syscalls.

The real code doing the system call is inside the kernel. You can get the Linux kernel code on kernel.org.

See also the Linux Assembly HOWTO and asm.sourceforge.net.

To understand what system calls a given application or process is doing, use strace.

Basile Starynkevitch
  • Sorry for not making the question clear. I want to disassemble a particular system call for the running kernel so that I could find whether a rootkit attack occurred or not. – user567879 Dec 14 '11 at 09:14
  • As I explained to you, that question has no meaning at all. The machine code for a system call is essentially one machine instruction (`syscall`) and you cannot "disassemble" it. Please take time to read all the links I gave you. – Basile Starynkevitch Dec 14 '11 at 09:17
  • I understood that GDB could do that by `gdb /boot/vmlinux-2.4.* /proc/kcore`. But in my Debian, I only have vmlinuz, not vmlinux. Is there any other way? This link gives the explanation http://www.symantec.com/connect/articles/detecting-rootkits-and-kernel-level-compromises-linux – user567879 Dec 14 '11 at 09:19
  • You understood wrongly. If you want to understand how system calls are implemented, study the Linux kernel. Its source code is free (GPLv2) and you are encouraged to study it. It is very complex, and several good books explain it. Indeed, if your kernel is compromised, your machine is a zombie... – Basile Starynkevitch Dec 14 '11 at 09:22
  • But then how could I get a dump of the assembly code when I run `gdb /boot/vmlinux-2.4.* /proc/kcore` and then `(gdb) disass sys_read`? – user567879 Dec 14 '11 at 09:30
  • Where are you looking: inside kernel space or inside user space... ??? (there is indeed some way to debug the kernel, and there have been progress about that). Most of the kernel code handling system calls is coded in C. – Basile Starynkevitch Dec 14 '11 at 09:31
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/5841/discussion-between-user567879-and-basile-starynkevitch) – user567879 Dec 14 '11 at 09:42
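As an added example (not code from the question or the answer), here is the integrity check the asker is circling around, done with the System.map he already has: resolve each `sys_call_table` entry read from the running kernel to a symbol and flag entries that no longer point at the expected handler or that fall outside the kernel's own text segment. The System.map excerpt and the observed addresses below are constructed for illustration.

```python
import bisect

# Constructed System.map excerpt in the 32-bit x86 layout (address, type, name).
# The addresses are invented for illustration; a real file has thousands of lines.
SYSTEM_MAP = """\
c0100000 T _text
c01000b4 T startup_32
c0160000 T sys_read
c01601a0 T sys_write
c0160330 T sys_open
c0400000 T _etext
c052a000 R sys_call_table
c0600000 D _edata
"""

def parse_system_map(text):
    """Return (sorted [(addr, name)], {name: addr}) parsed from System.map text."""
    syms = []
    for line in text.splitlines():
        addr, _kind, name = line.split()
        syms.append((int(addr, 16), name))
    syms.sort()
    return syms, {name: addr for addr, name in syms}

def resolve(syms, addr):
    """Map an address to (symbol, offset) using the nearest symbol at or below it."""
    addrs = [a for a, _ in syms]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0:
        return None, None
    base, name = syms[i]
    return name, addr - base

def check_handler(syms, by_name, expected, observed):
    """Classify one sys_call_table entry read from the live kernel.

    'ok'                  entry still points at the expected function
    'outside-text'        entry points outside the kernel's text segment
                          (the classic symptom of a hooked table)
    'redirected:SYM+OFF'  entry points at some other kernel symbol
    """
    if not (by_name['_text'] <= observed < by_name['_etext']):
        return 'outside-text'
    name, off = resolve(syms, observed)
    if name == expected and off == 0:
        return 'ok'
    return 'redirected:%s+0x%x' % (name, off)

if __name__ == '__main__':
    syms, by_name = parse_system_map(SYSTEM_MAP)
    # Constructed readings of three table slots, as a module or gdb session might report them.
    for fn, seen in [('sys_read', 0xc0160000), ('sys_write', 0xc0160330), ('sys_open', 0xd0802000)]:
        print(fn, hex(seen), check_handler(syms, by_name, fn, seen))
```

An entry that still resolves to the right symbol may have been patched in place, so this address comparison complements, rather than replaces, comparing the disassembled bytes against a trusted vmlinux.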