Copying kernel stack in a generic way

Elazar Leibovich elazarl at gmail.com
Sun Dec 21 21:22:03 IST 2014


It could very well be the case,
I just want to clarify, the reason I need the stack, is for
analyzing/debugging/profiling later by OS specific tools. So it is OK
to err on some pathological cases.

If you have a concrete idea that would fit many Linux versions - I'll
be happy to hear about it.

On Sun, Dec 21, 2014 at 12:19 PM, Omer Zak <w1 at zak.co.il> wrote:
> I think that any serious approach would include code for identifying the
> OS and OS version in question, and using this information to find the
> kernel stack.
>
> Any generalized heuristic would risk missing pathological OS
> configurations and new versions.
>
> On the other hand, reliance upon OS identification would at least enable
> the user to call Support when he runs your code on an OS not identified
> as a supported OS.
>
> --- Omer
>
>
> On Sun, 2014-12-21 at 11:08 +0200, Elazar Leibovich wrote:
>> Thanks,
>>
>> On Sun, Dec 21, 2014 at 9:27 AM, Muli Ben-Yehuda <mulix at mulix.org> wrote:
>> > On Fri, Dec 19, 2014 at 02:19:07PM +0000, Elazar Leibovich wrote:
>> >
>> >> I know where the stack ends, but how can I know where it begins?
>> >
>> > What assumptions can you make? Can you run kernel code in the VM
>> > (e.g., by cloning and restarting it)? Can you assume it's running
>> > Linux and/or Windows? Can you assume the kernel was compiled with
>> > frame pointers? Or is it a completely black box VM and you can't make
>> > any assumptions about what's running inside?
>>
>> This is a very practical question.
>>
>> Yes, I can run a forth-based OS, which isn't even using C-like stack.
>> But I need to solve a problem for most of the users, and I want to
>> support any reasonable OS.
>>
>> So Windows and Linux are a must, FreeBSD/Solaris are nice-to-have, and
>> anything else is probably optional.
>>
>> I want to assume anything which would be reasonably portable across
>> popular OSes.
>>
>> For example, you asked about frame pointers, assuming you meant I can
>> follow ebps back, until I get invalid ebp address, assuming this is
>> the head of the stack. I'm not sure if it's reasonable to assume most
>> kernels would be compiled with frame pointers, so I'm not sure how
>> valid this heuristic would be.
>>
>> I can run code in the guest context, and actually to fetch the stack
>> I'll probably run code that would copy it from the host context, but I
>> couldn't think of a way to fetch the stack, that wouldn't be too
>> implementation-specific.
>>
>>
>> > By the way, some OSes have separate interrupt stacks, so you may be on
>> > an interrupt stack or on a regular stack.
>> >
>>
>> Good point, but I think the heuristic should catch it as well.
> --
> If verbal consent is not obtained in triplicate, it is a date rape.
> Asking permission constitutes harassment.
>
> My opinions, as expressed in this E-mail message, are mine alone.
> They do not represent the official policy of any organization with which
> I may be affiliated in any way.
> WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html
> Delay is the deadliest form of denial.    C. Northcote Parkinson
> My own blog is at http://www.zak.co.il/tddpirate/
>



More information about the Linux-il mailing list