Am I right to get the address of sys_call_table this way with gdb?
I'm currently doing it this way:
(gdb) info addr system_call
Symbol "system_call" is at 0xffffffff8100b920 in a file compiled without debugging.
(gdb) x/50i 0xffffffff8100b920
0xffffffff8100b920: swapgs
0xffffffff8100b923: nopw 0x0(%rax,%rax,1)
0xffffffff8100b929: nopl 0x0(%rax)
0xffffffff8100b930: mov %rsp,%gs:0xb008
0xffffffff8100b939: mov %gs:0xb508,%rsp
0xffffffff8100b942: sti
0xffffffff8100b943: sub $0x50,%rsp
0xffffffff8100b947: mov %rdi,0x40(%rsp)
0xffffffff8100b94c: mov %rsi,0x38(%rsp)
0xffffffff8100b951: mov %rdx,0x30(%rsp)
0xffffffff8100b956: mov %rax,0x20(%rsp)
0xffffffff8100b95b: mov %r8,0x18(%rsp)
0xffffffff8100b960: mov %r9,0x10(%rsp)
0xffffffff8100b965: mov %r10,0x8(%rsp)
0xffffffff8100b96a: mov %r11,(%rsp)
0xffffffff8100b96e: mov %rax,0x48(%rsp)
0xffffffff8100b973: mov %rcx,0x50(%rsp)
0xffffffff8100b978: mov %gs:0xb508,%rcx
0xffffffff8100b981: sub $0x1fd8,%rcx
---Type <return> to continue, or q <return> to quit---
0xffffffff8100b988: testl $0x100001d1,0x10(%rcx)
0xffffffff8100b98f: jne 0xffffffff8100bad0
0xffffffff8100b995: cmp $0x12a,%rax
0xffffffff8100b99b: ja 0xffffffff8100ba5a
0xffffffff8100b9a1: mov %r10,%rcx
0xffffffff8100b9a4: callq *-0x7ec62ec0(,%rax,8)
Then 0x7ec62ec0 is the address of sys_call_table, right?
I need the address of that table to hijack the handler for the 0x80 interrupt.
Stop right there. What are you really trying to do? Hijacking an interrupt handler isn't your goal, it's one step you think you need to take to achieve something. Whatever it is, you're probably going about this the wrong way.
To hijack interrupts, you need to change the interrupt descriptor table. I suggest you look at the Intel reference manuals to figure out how. This will be painful programming. But I suspect you're more interested in the system calls. Also, on modern Linux systems, the int 0x80 instruction is not the usual way of invoking a system call. That of course still works for backwards compatibility, but you'll see other instructions out there like sysenter (x86) or syscall (x86_64). So if you really are interested in doing something to system calls, don't do it in the interrupt handler.
Anyway, create a new question that asks for advice on achieving your end goal, and the community here will help you through it. If you have questions about specific parts, ask more questions and refer back to your high-level post in those new questions.
(BTW, if you want confirmation of the address, try running info addr sys_call_table in gdb. Or, since it looks like you're on the x86_64 architecture, try p &sys_call_table.)
Yes, in your dump the 0x7ec62ec0 is the address of sys_call_table. To get the full sys_call_table address you need to do the following:
sys_call_table = 0xFFFFFFFF00000000 | *(unsigned int *)(0xffffffff8100b9a4 + 3);
Here, 0xffffffff8100b9a4 is the address of the callq *-0x7ec62ec0(,%rax,8) instruction and 3 is the size of the opcode bytes that precede the 32-bit displacement. And don't forget that there may be several system call tables at the same time: sys_call_table and ia32_sys_call_table. So, you'll need to handle all of the possible ways to do a system call: int $0x80, syscall/sysenter.
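The decode step the answer above describes, as an added example (not code from either answer): the `callq *disp32(,%rax,8)` dispatch is encoded as the bytes ff 14 c5 followed by a little-endian 32-bit displacement, which the CPU sign-extends to 64 bits. That is why a kernel address such as 0xffffffff8139d140 prints in gdb as -0x7ec62ec0, and it is the value a defender compares against System.map or /proc/kallsyms when checking a memory image for a redirected syscall table. The 7 instruction bytes below are constructed from the disassembly in the question; the sign-extension also covers a positive displacement, which the OR shortcut in the answer does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 7 bytes at 0xffffffff8100b9a4 that encode
 * callq *-0x7ec62ec0(,%rax,8)  ->  ff 14 c5 <disp32 = 0x8139d140 LE> */
static const uint8_t sample_insn[] = {0xff, 0x14, 0xc5, 0x40, 0xd1, 0x39, 0x81};

/* Decode the absolute table address from the raw instruction bytes.
 * Returns 0 on success, -1 if the bytes are not the ff 14 c5 form. */
int decode_callq_table(const uint8_t *insn, size_t len, uint64_t *out)
{
    if (len < 7 || insn[0] != 0xff || insn[1] != 0x14 || insn[2] != 0xc5)
        return -1;
    uint32_t disp32;
    memcpy(&disp32, insn + 3, sizeof disp32);     /* x86 is little-endian */
    *out = (uint64_t)(int64_t)(int32_t)disp32;    /* sign-extend as the CPU does */
    return 0;
}

/* The answer's shortcut: OR in the high 32 bits. It agrees with the CPU only
 * while the displacement is negative (kernel half of the address space). */
uint64_t naive_or_table(uint32_t disp32)
{
    return 0xFFFFFFFF00000000ULL | disp32;
}

/* Same decode from the text gdb prints, e.g. "callq *-0x7ec62ec0(,%rax,8)".
 * %lli accepts the sign and 0x prefix; returns 0 if the line does not match. */
uint64_t table_from_gdb_line(const char *line)
{
    const char *p = strstr(line, "callq *");
    long long disp;
    if (!p || sscanf(p + 7, "%lli(,%%rax,8)", &disp) != 1)
        return 0;
    return (uint64_t)disp;   /* two's complement gives the sign-extended address */
}

int main(void)
{
    uint64_t addr = 0;
    if (decode_callq_table(sample_insn, sizeof sample_insn, &addr) == 0)
        printf("sys_call_table (from bytes) = 0x%016llx\n", (unsigned long long)addr);
    printf("sys_call_table (from gdb text) = 0x%016llx\n",
           (unsigned long long)table_from_gdb_line("callq *-0x7ec62ec0(,%rax,8)"));
    return 0;
}
```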