Last active
May 14, 2020 23:54
-
-
Save circleous/d2446903a150ffdcd54185c02ad1377f to your computer and use it in GitHub Desktop.
x86_64 dirty hack to get syscall table address, https://github.com/ultral/linux-keylogger/blob/master/keylogger.c#L40-L59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| get_system_call: | |
| mov ecx, 0xc0000082 | |
| rdmsr ; eax = low, edx = high | |
| sal rdx, 32 | |
| cdqe | |
| or rax, rdx ; rax = guess | |
| .loop_init: | |
| mov rcx, rax | |
| add rcx, 500 | |
| jmp .loop_body | |
| .loop_: | |
| add rax, 1 | |
| cmp rcx, rax | |
| je .fail | |
| .loop_body: | |
| cmp byte [rax], 0xff | |
| jne .loop_ | |
| cmp byte [rax + 1], 0x14 | |
| jne .loop_ | |
| cmp byte [rax + 2], 0xc5 | |
| jne .loop_ | |
| .success: | |
| mov rcx, 0xffffffff00000000 | |
| mov eax, dword [rax + 3] | |
| or rax, rcx ; 0xffffffff00000000 | *(int*)(guess+3) | |
| ret | |
| .fail: | |
| xor rax, rax | |
| ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment