当前位置: 动力学知识库 > 问答 > 编程问答 >

linux - Getting the address of a function in C?

问题描述:

I'm getting a segfault when running this code as root in userspace. I don't understand why. I believe I have a rootkit and I want to check if the addresses are the same as the ones as in /boot/System.map-3.2.0-4-amd64

unsigned long hex;

unsigned long **sys_call_table;

for(hex = 0xffffffff810f8989; hex < 0xffffffff8160e370; hex += sizeof(void *))

{

sys_call_table = (unsigned long **)hex;

if(sys_call_table[3] == (unsigned long *)0xffffffff810f8989)

{

puts("sys_close's address has not been replaced by the rootkit");

}

}

cat /boot/System.map-3.2.0-4-amd64 | grep "string you want"

ffffffff81401200 R sys_call_table

ffffffff810f9f9e T sys_read // sys_call_table[0]

ffffffff810fa009 T sys_write // sys_call_table[1]

ffffffff810f950d T sys_open // sys_call_table[2]

ffffffff810f8989 T sys_close // sys_call_table[3]

ffffffff8160e370 D loops_per_jiffy

网友答案:

Running from root is not enough - the problem is that you run it in user space - run it in the kernel space, as a kernel module, for example. Although having root privileges is enough for invoking system calls you cannot access the table - in user space you can only access allocated memory to you.

分享给朋友:
您可能感兴趣的文章:
随机阅读: