Copying kernel stack in a generic way

Elazar Leibovich elazarl at gmail.com
Sun Dec 21 11:08:44 IST 2014


Thanks,

On Sun, Dec 21, 2014 at 9:27 AM, Muli Ben-Yehuda <mulix at mulix.org> wrote:
> On Fri, Dec 19, 2014 at 02:19:07PM +0000, Elazar Leibovich wrote:
>
>> I know where the stack ends, but how can I know where it begins?
>
> What assumptions can you make? Can you run kernel code in the VM
> (e.g., by cloning and restarting it)? Can you assume it's running
> Linux and/or Windows? Can you assume the kernel was compiled with
> frame pointers? Or is it a completely black box VM and you can't make
> any assumptions about what's running inside?

This is a very practical question.

Yes, I can run a Forth-based OS, which isn't even using a C-like stack.
But I need to solve a problem for most of the users, and I want to
support any reasonable OS.

So Windows and Linux are a must, FreeBSD/Solaris are nice-to-have, and
anything else is probably optional.

I want to assume anything which would be reasonably portable across
popular OSes.

For example, you asked about frame pointers, assuming you meant I can
follow ebps back until I get an invalid ebp address, assuming this is
the head of the stack. I'm not sure if it's reasonable to assume most
kernels would be compiled with frame pointers, so I'm not sure how
valid this heuristic would be.

I can run code in the guest context, and actually, to fetch the stack,
I'll probably run code that would copy it from the host context, but I
couldn't think of a way to fetch the stack that wouldn't be too
implementation-specific.


> By the way, some OSes have separate interrupt stacks, so you may be on
> an interrupt stack or on a regular stack.
>

Good point, but I think the heuristic should catch it as well.
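An added example, not from the thread: the frame-pointer heuristic discussed above (follow the saved rbp chain until the address stops being valid) written as a C walk over a constructed snapshot of a guest kernel stack, with the bounds, alignment and monotonicity checks a VM-introspection or memory-forensics tool needs. STACK_BASE, the snapshot contents and the function names are constructed assumptions; the walk deliberately stops early on a frame that was built without a frame pointer, which is why it can only give a lower bound for the stack head.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed snapshot of a guest kernel stack: 8 words of 64 bits, stack
 * grows down, guest address of word i is STACK_BASE + 8*i. Each frame is
 * [saved rbp][return address][locals...]; the saved rbp points up the stack
 * at the caller's saved-rbp slot, and the outermost slot holds 0. */
#define STACK_BASE 0xffff880000010000ULL
#define NWORDS 8
static const uint64_t snapshot[NWORDS] = {
    STACK_BASE + 8 * 3, 0xffffffff81001234ULL, 0x11, /* innermost frame */
    STACK_BASE + 8 * 6, 0xffffffff81005678ULL, 0x22, /* middle frame */
    0,                  0xffffffff81009abcULL,       /* outermost frame */
};

/* Follow the saved-rbp chain from rbp through the snapshot. Returns the
 * number of frames found; *top receives the highest guest address the chain
 * accounted for, a lower bound for the stack head. The walk stops when rbp
 * leaves the snapshot, is misaligned, or stops increasing; a frame compiled
 * without a frame pointer produces exactly that, so the answer is a heuristic. */
size_t walk_frames(uint64_t rbp, uint64_t base, const uint64_t *words,
                   size_t n, uint64_t *top)
{
    size_t frames = 0;
    uint64_t highest = rbp;
    while (rbp >= base && rbp + 16 <= base + 8 * n && rbp % 8 == 0) {
        uint64_t next = words[(rbp - base) / 8];
        frames++;
        highest = rbp + 16;           /* saved rbp + return address */
        if (next <= rbp)
            break;                    /* 0 terminator, corruption, or no-fp frame */
        rbp = next;
    }
    *top = highest;
    return frames;
}

/* Wrappers bound to the constructed snapshot. */
size_t frame_count(uint64_t rbp)
{
    uint64_t top;
    return walk_frames(rbp, STACK_BASE, snapshot, NWORDS, &top);
}
uint64_t stack_head(uint64_t rbp)
{
    uint64_t top;
    walk_frames(rbp, STACK_BASE, snapshot, NWORDS, &top);
    return top;
}
```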