Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
x86_64 dirty hack to get syscall table address, https://github.com/ultral/linux-keylogger/blob/master/keylogger.c#L40-L59
get_system_call:
mov ecx, 0xc0000082
rdmsr ; eax = low, edx = high
sal rdx, 32
cdqe
or rax, rdx ; rax = guess
.loop_init:
mov rcx, rax
add rcx, 500
jmp .loop_body
.loop_:
add rax, 1
cmp rcx, rax
je .fail
.loop_body:
cmp byte [rax], 0xff
jne .loop_
cmp byte [rax + 1], 0x14
jne .loop_
cmp byte [rax + 2], 0xc5
jne .loop_
.success:
mov rcx, 0xffffffff00000000
mov eax, dword [rax + 3]
or rax, rcx ; 0xffffffff00000000 | *(int*)(guess+3)
ret
.fail:
xor rax, rax
ret
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment