From: H. P. A. <hp...@zy...> - 2011-08-23 19:18:40
On 08/23/2011 09:48 AM, Al Viro wrote:
>
> Um... How would it know which syscall variant had that been, to start
> with? For int 0x80 it would need to use registers as-is. For SYSENTER
> it also could use them as-is - ebp will differ from what we put there
> when entering the sucker, but not critically so; on the way out of
> syscall we'll overwrite it anyway immediately (either by pop or mov).
> For SYSCALL... we don't really care about ecx contents prior to entering
> the kernel (and it'll be blown out anyway), and ebp one could be found in
> regs.ecx. So yes, we can do it that way, but... how to tell what variant
> had been triggered? Examining two bytes prior to user eip? Sounds bloody
> brittle...

We could drop that information in a metaregister. It's not backward
compatible, but at least it will be obvious when that information is
available and not.

	-hpa