I am trying to write a function that brute-force searches for the address of sys_call_table, scanning from a start address to an end address.
    #include <linux/kernel.h>
    #include <linux/syscalls.h>   /* sys_close */
    #include <asm/unistd.h>       /* __NR_close */

    #define START_ADDRESS 0x815056d0
    #define END_ADDRESS   0x81a8e7f0

    unsigned long *sys_call_table = NULL;

    /* Walk kernel memory one pointer at a time and return the first
     * candidate table whose __NR_close slot holds the address of sys_close. */
    unsigned long *find_sys_call_table(void)
    {
        unsigned long ptr;
        /*
        for (ptr = (unsigned long)&register_kprobe;
             ptr < (unsigned long)&loops_per_jiffy;
             ptr += sizeof(void *))
        */
        for (ptr = (unsigned long)START_ADDRESS;
             ptr < (unsigned long)END_ADDRESS;
             ptr += sizeof(void *))
        {
            unsigned long *p = (unsigned long *)ptr;
            if (p[__NR_close] == (unsigned long)sys_close)
            {
                return p;
            }
        }
        return NULL;
    }
The evaluated for loop works at least on RHEL 6.3, 6.4 and Fedora 18, but it does not work under Debian with a vanilla 3.7.x kernel. Anyway, if I look up the addresses of the used symbols in System.map rather than trying to access the addresses, it blows the kernel up in a panic. Shouldn't both solutions do the same thing, or am I blind? :)