h earlier)
• ebx Used for the first parameter; ecx is used for the second parameter, edx for the third, esi for the fourth, and edi for the fifth
If more than five parameters are required, the parameters are placed in an array in memory and the address of that array is passed in a register instead. (On i386 Linux the ABI also defines ebp as a sixth argument register, and the multiplexed socketcall entry point, the common case for an argument array, takes the sub-call number in ebx and the array's address in ecx; check the calling convention of the specific system call rather than assuming ebx.)
Once the registers are loaded, an int 0x80 instruction issues a software interrupt, which forces the processor out of the running user program and into the kernel. The CPU uses vector 0x80 of the Interrupt Descriptor Table (IDT) to locate the kernel's system call entry point; that entry point saves the user register values on the kernel stack, uses eax to index the system call table, and dispatches to the matching handler. The handler, not the interrupt mechanism, validates the user-supplied parameters (for example, that a pointer refers to readable user memory) before acting on them. On return, eax holds the result, or a negative errno value if the call failed; the C library is what converts that into the familiar -1 plus errno.
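The following program is an added example, not code from the book, that issues write and exit directly from C with inline assembly, following the register convention just described. The 32-bit path is the int 0x80 convention (eax = call number, ebx/ecx/edx = the first three parameters). A 64-bit process cannot pass its 64-bit pointers through 32-bit registers, so on x86-64 the example uses the native syscall instruction with its own register set and numbering (write = 1, exit = 60, arguments in rdi/rsi/rdx); on any other architecture it falls back to libc's syscall() wrapper so the file still builds. The sample message is constructed here, and the helper names raw_write, raw_exit, roundtrip and bad_fd_result are the example's own.

```c
/*
 * Added example: raw Linux system calls from C, showing the register
 * convention for int 0x80 (32-bit) beside the x86-64 syscall convention.
 * Not the book's code; helper names are the example's own.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* raw_write: write(fd, buf, len) without libc's wrapper.
 * Returns the kernel's raw result: bytes written, or -errno on failure. */
static long raw_write(int fd, const void *buf, unsigned long len)
{
    long ret;
#if defined(__linux__) && defined(__i386__)
    /* 32-bit: __NR_write is 4; eax = number, ebx/ecx/edx = parameters.
     * int 0x80 returns the result in eax and clobbers nothing else. */
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(4), "b"(fd), "c"(buf), "d"(len)
                      : "memory");
#elif defined(__linux__) && defined(__x86_64__)
    /* 64-bit: __NR_write is 1; rdi/rsi/rdx carry the parameters and the
     * syscall instruction clobbers rcx and r11. */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(1), "D"((long)fd), "S"(buf), "d"(len)
                      : "rcx", "r11", "memory");
#else
    /* Other architectures: libc reports -1/errno, so rebuild the raw -errno form. */
    ret = syscall(SYS_write, fd, buf, len);
    if (ret == -1) ret = -errno;
#endif
    return ret;
}

/* raw_exit: exit(status) through the same mechanism; never returns. */
static void raw_exit(int status)
{
#if defined(__linux__) && defined(__i386__)
    __asm__ volatile ("int $0x80" : : "a"(1), "b"(status));   /* __NR_exit = 1 */
#elif defined(__linux__) && defined(__x86_64__)
    __asm__ volatile ("syscall" : : "a"(60), "D"((long)status) : "rcx", "r11");
#else
    syscall(SYS_exit, status);
#endif
    __builtin_unreachable();
}

/* roundtrip: push a constructed message through a pipe with raw_write and
 * read it back; returns 1 if the kernel delivered it intact, else 0. */
int roundtrip(void)
{
    static const char msg[] = "syscall via raw register convention\n"; /* constructed sample */
    int fds[2];
    char back[64] = {0};
    if (pipe(fds) != 0) return 0;
    long n = raw_write(fds[1], msg, sizeof msg - 1);
    if (n != (long)(sizeof msg - 1)) return 0;
    if (read(fds[0], back, sizeof back) != n) return 0;
    close(fds[0]);
    close(fds[1]);
    return strcmp(back, msg) == 0;
}

/* bad_fd_result: the kernel's error convention. A failed call leaves -errno
 * in eax (here -EBADF, because -1 is not an open descriptor). */
long bad_fd_result(void)
{
    return raw_write(-1, "x", 1);
}

int main(void)
{
    if (!roundtrip()) return 1;
    printf("write(-1, ...) returned %ld (EBADF is %d)\n", bad_fd_result(), EBADF);
    raw_exit(0);   /* the process ends here with status 0, like the book's exit(0) */
}
```

Build with `gcc -m32` on a machine with 32-bit libraries to exercise the int 0x80 path; a plain 64-bit build takes the syscall path. The reason the example does not use int 0x80 from a 64-bit process is the same reason shellcode authors must pick the convention that matches the target: int 0x80 still works on an x86-64 kernel with 32-bit emulation enabled, but it only sees the low 32 bits of each register, so a stack or heap pointer above 4 GB would be truncated and the call would fail with -EFAULT.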
Chapter 10: Writing Linux Shellcode
PART III
Gray Hat Hacking: The Ethical Hacker's Handbook
The easiest way to understand this is to see an example, as in the next section.
Exit System Call
The first system call we will focus on executes exit(0). The signature of the exit system
call is as follows:
• eax 0x01 (from the unistd.h file earlier)
• ebx User-provided exit status (in this case 0)
Since this is our first attempt at writing system calls, we will start with C.
Starting with C
The following code will execute the function exit(0):
$ cat exit.c
#include <stdlib.h>

int main(void)
{
    exit(0);
}