# grep -i sys_ni_syscall System.map-2.6.18-308.1.1.v5
c0437304 T sys_ni_syscall
# grep compat_sys_futex System.map-2.6.18-308.1.1.v5
c0437304 W compat_sys_futex

# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_volshell
Volatility Foundation Volatility Framework 2.3.1
Current context: process init, pid=1 DTB=0x1a4a000
Welcome to volshell! Current memory image is:
file:///root/image_mem/AAA.lime
To get help, type 'hh()'
>>> dis(0xc0437304)
0xc0437304 b8daffffff                       MOV EAX, 0xffffffda
0xc0437309 c3                               RET
0xc043730a 90                               NOP
0xc043730b 90                               NOP
0xc043730c 55                               PUSH EBP
0xc043730d 89cd                             MOV EBP, ECX
0xc043730f 57                               PUSH EDI
0xc0437310 89d7                             MOV EDI, EDX
0xc0437312 56                               PUSH ESI
0xc0437313 89c2                             MOV EDX, EAX
0xc0437315 53                               PUSH EBX
0xc0437316 83ec10                           SUB ESP, 0x10
0xc0437319 89442408                         MOV [ESP+0x8], EAX
0xc043731d 8b4044                           MOV EAX, [EAX+0x44]
0xc0437320 8b5248                           MOV EDX, [EDX+0x48]
0xc0437323 890424                           MOV [ESP], EAX
0xc0437326 89542404                         MOV [ESP+0x4], EDX
0xc043732a 09c2                             OR EDX, EAX
0xc043732c 0f8402010000                     JZ 0xc0437434
0xc0437332 8b4c2408                         MOV ECX, [ESP+0x8]
0xc0437336 8b410c                           MOV EAX, [ECX+0xc]
0xc0437339 83e003                           AND EAX, 0x3
0xc043733c 83f802                           CMP EAX, 0x2
0xc043733f 0f85ad000000                     JNZ 0xc04373f2
0xc0437345 8b7140                           MOV ESI, [ECX+0x40]
0xc0437348 8b593c                           MOV EBX, [ECX+0x3c]
0xc043734b 39f5                             CMP EBP, ESI
0xc043734d 0f82e1000000                     JB 0xc0437434
0xc0437353 7708                             JA 0xc043735d
0xc0437355 39df                             CMP EDI, EBX
0xc0437357 0f82d7000000                     JB 0xc0437434
0xc043735d 033c24                           ADD EDI, [ESP]
0xc0437360 136c2404                         ADC EBP, [ESP+0x4]
0xc0437364 c744240c00000000                 MOV DWORD [ESP+0xc], 0x0
0xc043736c 29df                             SUB EDI, EBX
0xc043736e 19f5                             SBB EBP, ESI
0xc0437370 eb12                             JMP 0xc0437384
0xc0437372 8b1424                           MOV EDX, [ESP]
0xc0437375 011424                           ADD [ESP], EDX
0xc0437378 8b4c2404                         MOV ECX, [ESP+0x4]
0xc043737c 114c2404                         ADC [ESP+0x4], ECX
0xc0437380 ff44240c                         INC DWORD [ESP+0xc]
>>>


see ya
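An added example (not part of the thread or of Volatility's code): it resolves an address against System.map while keeping every alias, preferring a strong text symbol (T) over a weak one (W), and recognises the `mov eax, -ENOSYS; ret` stub shown by dis() above. The map excerpt is constructed from addresses quoted in the thread; the symbol types other than the two grep'd lines are assumed.

```python
"""Resolve kernel addresses against System.map, preferring strong symbols."""
import struct
from collections import defaultdict

# Constructed System.map excerpt built from addresses quoted in the thread;
# only the two c0437304 lines have their real types, the rest are assumed T.
SYSTEM_MAP = """\
c0428888 T sys_exit
c0430543 T sys_restart_syscall
c0437304 T sys_ni_syscall
c0437304 W compat_sys_futex
c043cef7 T sys_lchown16
c0476cb8 T sys_chmod
c04808e0 T sys_stat
"""

ENOSYS = 38
# nm symbol types: T/t strong text (global/local), W/w weak. Lower sorts first.
STRENGTH = {"T": 0, "t": 1, "W": 2, "w": 3}

def parse_system_map(text):
    """Return {address: [(type, name), ...]}, so aliases are not lost."""
    table = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, typ, name = parts
        table[int(addr, 16)].append((typ, name))
    return table

def resolve(table, addr):
    """Best name for addr plus its aliases; (None, []) if unknown.

    A tool that keeps one name per address may show a weak alias such as
    compat_sys_futex where the strong symbol is sys_ni_syscall.
    """
    syms = table.get(addr, [])
    if not syms:
        return None, []
    best = min(syms, key=lambda s: STRENGTH.get(s[0], 9))
    return best[1], [n for _, n in syms if n != best[1]]

def is_ni_syscall_stub(code):
    """True for 'mov eax, imm32; ret' with imm32 == -ENOSYS (b8 da ff ff ff c3)."""
    if len(code) < 6 or code[0] != 0xB8 or code[5] != 0xC3:
        return False
    return struct.unpack("<i", code[1:5])[0] == -ENOSYS

if __name__ == "__main__":
    smap = parse_system_map(SYSTEM_MAP)
    print(resolve(smap, 0xC0437304))                           # ('sys_ni_syscall', ['compat_sys_futex'])
    print(is_ni_syscall_stub(bytes.fromhex("b8daffffffc3")))   # True
```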
2014-03-17 19:40 GMT+00:00 Andrew Case <atcuno@gmail.com>:
Hello,

Can you paste the output of grepping the System.map file from the
machine (it's inside the profile if you don't have it on disk) for
'sys_ni_syscall' and 'compat_sys_futex'? In particular, I am
interested in the addresses they report.

Also, could you please run the following inside of linux_volshell:

dis(0xc0437304)

and paste me the results?

Also, I am looking into the IDT entry.

Thanks,
Andrew (@attrc)

On 3/17/2014 1:17 PM, mediomen27 wrote:
> Hi,
> I am trying to make some checks on a Linux server with kernel 2.6.18.
> I am not a kernel developer, so I don't know if what I am going to say is
> wrong...anyway.
>
> # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86
> linux_check_syscall
> Volatility Foundation Volatility Framework 2.3.1
> Table Name      Index Address    Symbol
> ---------- ---------- ---------- ------------------------------
> 32bit             0x0 0xc0430543 sys_restart_syscall
> 32bit             0x1 0xc0428888 sys_exit
> 32bit             0x2 0xc0403190 sys_fork
> 32bit             0x3 0xc0478826 sys_read
> ..... SNIP
> 32bit             0xe 0xc04872bf sys_mknod
> 32bit             0xf 0xc0476cb8 sys_chmod
> 32bit            0x10 0xc043cef7 sys_lchown16
> 32bit            0x11 0xc0437304 compat_sys_futex
> 32bit            0x12 0xc04808e0 sys_stat
> 32bit            0x13 0xc047873f sys_lseek
> 32bit            0x14 0xc042e69f sys_getpid
> ..... SNIP
> 32bit           0x13f 0xc0437304 compat_sys_futex
> 32bit           0x140 0xc0437304 compat_sys_futex
> 32bit           0x141 0xc0437304 compat_sys_futex
> 32bit           0x142 0xc0437304 compat_sys_futex
> 32bit           0x143 0xc049e91f sys_eventfd
> 32bit           0x144 0xc047691d sys_fallocate
> 32bit           0x145 0xc0437304 compat_sys_futex
> 32bit           0x146 0xc0437304 compat_sys_futex
> 32bit           0x147 0xc0437304 compat_sys_futex
> 32bit           0x148 0xc0437304 compat_sys_futex
> 32bit           0x149 0xc0437304 compat_sys_futex
> 32bit           0x14a 0xc0437304 compat_sys_futex
> 32bit           0x14b 0xc0437304 compat_sys_futex
> 32bit           0x14c 0xc0437304 compat_sys_futex
> 32bit           0x14d 0xc0437304 compat_sys_futex
> 32bit           0x14e 0xc0437304 compat_sys_futex
> 32bit           0x14f 0xc0437304 compat_sys_futex
> 32bit           0x150 0xc0437304 compat_sys_futex
> 32bit           0x151 0xc05be378 sys_recvmmsg
>
> What is this compat_sys_futex ??? I don't find anything like that in the
> kernel source
> linux-2.6.18/arch/i386/kernel/syscall_table.S
>
>
> compat_sys_futex
> 32bit             0xf 0xc0476cb8 sys_chmod
> 32bit            0x10 0xc043cef7 sys_lchown16
> 32bit            0x11 0xc0437304 compat_sys_futex
> 32bit            0x12 0xc04808e0 sys_stat
> 32bit            0x13 0xc047873f sys_lseek
>
> should be sys_ni_syscall
> .long sys_chmod         /* 15 */
> .long sys_lchown16
> .long sys_ni_syscall    /* old break syscall holder */
> .long sys_stat
> .long sys_lseek
>
> but...
> # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86
> linux_check_syscall | grep compat_sys_futex | wc -l
>
> Volatility Foundation Volatility Framework 2.3.1
> 41
> #
>
> and
> $ grep sys_ni_syscall syscall_table.S | wc -l
> 21
>
> ?!?!?
> Does anyone have enough patience to explain this anomaly to me?
> Or is this syscall hijacking?
>
> Another question...
> Is it normal that "double fault" is missing from the IDT??
>
> # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_idt
> Volatility Foundation Volatility Framework 2.3.1
>      Index Address    Symbol
> ---------- ---------- ------------------------------
>        0x0 0xc0405a7c divide_error
>        0x1 0xc0625498 debug
>        0x2 0xc0405b14 nmi
>        0x3 0xc06254dc int3
>        0x4 0xc0405c04 overflow
>        0x5 0xc0405c10 bounds
>        0x6 0xc0405c1c invalid_op
>        0x7 0xc0405adc device_not_available
>        0x9 0xc0405c28 coprocessor_segment_overrun
>        0xa 0xc0405c34 invalid_TSS
>        0xb 0xc0405c40 segment_not_present
>        0xc 0xc0405c4c stack_segment
>        0xd 0xc0625500 general_protection
>        0xe 0xc062550c page_fault
>        0xf 0xc0405c74 spurious_interrupt_bug
>       0x10 0xc0405ac4 coprocessor_error
>       0x11 0xc0405c58 alignment_check
>       0x12 0xc0405c64 machine_check
>       0x13 0xc0405ad0 simd_coprocessor_error
>       0x80 0xc0404f04 system_call
>
> where is 0x8 ?
>
> Thank you very much.
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilesystems.com
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>