Linux syscall in vmlinux and virtual memory

2

I have found the sys_open code in the vmlinux binary:

c1143c20:   55                      push   ebp
c1143c21:   89 e5                   mov    ebp,esp
c1143c23:   83 ec 10                sub    esp,0x10
c1143c26:   89 5d f4                mov    DWORD PTR [ebp-0xc],ebx
c1143c29:   89 75 f8                mov    DWORD PTR [ebp-0x8],esi
c1143c2c:   89 7d fc                mov    DWORD PTR [ebp-0x4],edi
c1143c2f:   e8 74 bb 46 00          call   0xc15af7a8    // this call
c1143c34:   b8 9c ff ff ff          mov    eax,0xffffff9c
c1143c39:   8b 7d 08                mov    edi,DWORD PTR [ebp+0x8]
c1143c3c:   8b 75 0c                mov    esi,DWORD PTR [ebp+0xc]
c1143c3f:   8b 5d 10                mov    ebx,DWORD PTR [ebp+0x10]
c1143c42:   89 fa                   mov    edx,edi
c1143c44:   89 f1                   mov    ecx,esi
c1143c46:   89 1c 24                mov    DWORD PTR [esp],ebx
c1143c49:   e8 e2 fd ff ff          call   0xc1143a30    // same as above here
c1143c4e:   8b 5d f4                mov    ebx,DWORD PTR [ebp-0xc]
c1143c51:   8b 75 f8                mov    esi,DWORD PTR [ebp-0x8]
c1143c54:   8b 7d fc                mov    edi,DWORD PTR [ebp-0x4]
c1143c57:   89 ec                   mov    esp,ebp
c1143c59:   5d                      pop    ebp
c1143c5a:   c3                      ret    
c1143c5b:   90                      nop

and from the virtual memory:

.data:0x00000000    55  push   ebp  
.data:0x00000001    89e5    mov    ebp,esp   
.data:0x00000003    83ec10  sub    esp,0x10 
.data:0x00000006    895df4  mov    DWORD PTR [ebp-0xc],ebx  
.data:0x00000009    8975f8  mov    DWORD PTR [ebp-0x8],esi  
.data:0x0000000c    897dfc  mov    DWORD PTR [ebp-0x4],edi  
.data:0x0000000f    3e8d742600  lea    esi,ds:[esi+eiz*1+0x0]    // became this
.data:0x00000014    b89cffffff  mov    eax,0xffffff9c
.data:0x00000019    8b7d08  mov    edi,DWORD PTR [ebp+0x8]  
.data:0x0000001c    8b750c  mov    esi,DWORD PTR [ebp+0xc]  
.data:0x0000001f    8b5d10  mov    ebx,DWORD PTR [ebp+0x10] 
.data:0x00000022    89fa    mov    edx,edi  
.data:0x00000024    89f1    mov    ecx,esi  
.data:0x00000026    891c24  mov    DWORD PTR [esp],ebx  
.data:0x00000029    e8e2fdffff  call   func_fffffe10    // same
.data:0x0000002e    8b5df4  mov    ebx,DWORD PTR [ebp-0xc]  
.data:0x00000031    8b75f8  mov    esi,DWORD PTR [ebp-0x8]  
.data:0x00000034    8b7dfc  mov    edi,DWORD PTR [ebp-0x4]   
.data:0x00000037    89ec    mov    esp,ebp  
.data:0x00000039    5d  pop    ebp  
.data:0x0000003a    c3  ret

I don't understand why e8 74 bb 46 00 becomes 3e 8d 74 26 00 when loaded in memory. The address 0xc15af7a8 holds a simple ret:

c15af7a8:   c3                      ret

0xc15af7a8 is called 26500 times in the vmlinux file. Why do we call a simple ret instruction?

My kernel is 3.2.0-23, with a default configuration. (no KASLR)

linux
memory
linux-kernel
reverse-engineering
system-calls
asked on Stack Overflow May 9, 2014 by user3493959

1 Answer

0

The useless ret is a stub that is replaced by the right code once the memory has been mapped. The code of system calls may be located at different places depending on some non-deterministic choices, and once the memory address is known, the stub is replaced.

answered on Stack Overflow May 19, 2014 by Thomas Coudray
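Added example, not part of the question or the answer: a Python script that compares the on-disk bytes of sys_open with the in-memory copy (both byte strings are transcribed from the two listings above) and decodes the single divergence. It tells a known boot-time patch apart from an unexpected text modification: the in-memory bytes `3e 8d 74 26 00` are the kernel's own GENERIC_NOP5_ATOMIC from arch/x86/include/asm/nops.h, which dynamic ftrace writes over every `call mcount` site at boot (with CONFIG_DYNAMIC_FTRACE the on-disk mcount is just a `ret`), so an integrity check of kernel text has to allow exactly this call-to-NOP substitution and flag anything else. The other two NOP patterns (P6_NOP5, K8_NOP5) come from the same header; the windowing logic assumes a call is always the first byte that differs, which holds for this patch shape but is not a general disassembler.

```python
import struct

# Constructed from the question's listings: sys_open as stored in vmlinux
# (loaded at 0xc1143c20) and the same bytes as read back from memory.
DISK_BASE = 0xC1143C20
DISK = bytes.fromhex(
    "55 89e5 83ec10 895df4 8975f8 897dfc e874bb4600 b89cffffff 8b7d08 8b750c"
    " 8b5d10 89fa 89f1 891c24 e8e2fdffff 8b5df4 8b75f8 8b7dfc 89ec 5d c3"
    .replace(" ", ""))
MEM = bytes.fromhex(
    "55 89e5 83ec10 895df4 8975f8 897dfc 3e8d742600 b89cffffff 8b7d08 8b750c"
    " 8b5d10 89fa 89f1 891c24 e8e2fdffff 8b5df4 8b75f8 8b7dfc 89ec 5d c3"
    .replace(" ", ""))

# 5-byte NOPs the kernel's runtime text patchers (ftrace, alternatives,
# jump labels) are allowed to write; names as in arch/x86/include/asm/nops.h.
KNOWN_NOP5 = {
    bytes.fromhex("3e8d742600"): "GENERIC_NOP5_ATOMIC (lea esi,ds:[esi+eiz*1+0x0])",
    bytes.fromhex("0f1f440000"): "P6_NOP5 (nopl 0x0(%eax,%eax,1))",
    bytes.fromhex("6666906690"): "K8_NOP5",
}

def call_target(addr, insn):
    """Decode an E8 rel32 call located at `addr` and return its absolute target.
    rel32 is relative to the end of the 5-byte instruction."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte rel32 call")
    rel = struct.unpack("<i", insn[1:5])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF

def diff_text(base, disk, mem):
    """Return (addr, disk_hex, mem_hex, note) for every 5-byte window where the
    in-memory text diverges from the on-disk image. A call that became one of
    the known NOPs is classified as expected patching; anything else is flagged."""
    if len(disk) != len(mem):
        raise ValueError("length mismatch")
    findings, i = [], 0
    while i < len(disk):
        if disk[i] == mem[i]:
            i += 1
            continue
        addr, d, m = base + i, disk[i:i + 5], mem[i:i + 5]
        if d[:1] == b"\xe8" and m in KNOWN_NOP5:
            note = "expected: call 0x%08x -> %s" % (call_target(addr, d), KNOWN_NOP5[m])
        else:
            note = "UNEXPECTED text modification"
        findings.append((addr, d.hex(), m.hex(), note))
        i += 5
    return findings

if __name__ == "__main__":
    for addr, d, m, note in diff_text(DISK_BASE, DISK, MEM):
        print("%08x: %s -> %s  %s" % (addr, d, m, note))
```

Running it reports the one divergence at 0xc1143c2f as an expected call-to-NOP patch of the call to 0xc15af7a8, while the second call (to 0xc1143a30) is untouched on both sides.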
