Hi,
I am trying to run some checks on a Linux server with kernel 2.6.18.
I am not a kernel developer so I don't know if what I am going to say is wrong...anyway.

# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall
Volatility Foundation Volatility Framework 2.3.1
Table Name      Index Address    Symbol                       
---------- ---------- ---------- ------------------------------
32bit             0x0 0xc0430543 sys_restart_syscall          
32bit             0x1 0xc0428888 sys_exit                     
32bit             0x2 0xc0403190 sys_fork                     
32bit             0x3 0xc0478826 sys_read                     
..... SNIP
32bit             0xe 0xc04872bf sys_mknod                    
32bit             0xf 0xc0476cb8 sys_chmod                    
32bit            0x10 0xc043cef7 sys_lchown16                 
32bit            0x11 0xc0437304 compat_sys_futex             
32bit            0x12 0xc04808e0 sys_stat                     
32bit            0x13 0xc047873f sys_lseek                    
32bit            0x14 0xc042e69f sys_getpid                   
..... SNIP
32bit           0x13f 0xc0437304 compat_sys_futex              
32bit           0x140 0xc0437304 compat_sys_futex             
32bit           0x141 0xc0437304 compat_sys_futex             
32bit           0x142 0xc0437304 compat_sys_futex             
32bit           0x143 0xc049e91f sys_eventfd                  
32bit           0x144 0xc047691d sys_fallocate                
32bit           0x145 0xc0437304 compat_sys_futex             
32bit           0x146 0xc0437304 compat_sys_futex             
32bit           0x147 0xc0437304 compat_sys_futex             
32bit           0x148 0xc0437304 compat_sys_futex             
32bit           0x149 0xc0437304 compat_sys_futex             
32bit           0x14a 0xc0437304 compat_sys_futex             
32bit           0x14b 0xc0437304 compat_sys_futex             
32bit           0x14c 0xc0437304 compat_sys_futex             
32bit           0x14d 0xc0437304 compat_sys_futex             
32bit           0x14e 0xc0437304 compat_sys_futex             
32bit           0x14f 0xc0437304 compat_sys_futex             
32bit           0x150 0xc0437304 compat_sys_futex             
32bit           0x151 0xc05be378 sys_recvmmsg                 

What is this compat_sys_futex??? I can't find anything like that in the kernel source
linux-2.6.18/arch/i386/kernel/syscall_table.S


compat_sys_futex
32bit             0xf 0xc0476cb8 sys_chmod                    
32bit            0x10 0xc043cef7 sys_lchown16                 
32bit            0x11 0xc0437304 compat_sys_futex             
32bit            0x12 0xc04808e0 sys_stat                     
32bit            0x13 0xc047873f sys_lseek               

should be sys_ni_syscall
.long sys_chmod         /* 15 */
.long sys_lchown16
.long sys_ni_syscall    /* old break syscall holder */
.long sys_stat
.long sys_lseek

but...
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall | grep compat_sys_futex | wc -l

Volatility Foundation Volatility Framework 2.3.1
41
#

and
$ grep sys_ni_syscall syscall_table.S | wc -l
21

?!?!?
Does anyone have enough patience to explain this anomaly to me?
Or is this syscall hijacking?

Another question...
Is it normal that "double fault" is missing from the IDT??

# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_idt
Volatility Foundation Volatility Framework 2.3.1
     Index Address    Symbol                       
---------- ---------- ------------------------------
       0x0 0xc0405a7c divide_error                 
       0x1 0xc0625498 debug                        
       0x2 0xc0405b14 nmi                          
       0x3 0xc06254dc int3                         
       0x4 0xc0405c04 overflow                     
       0x5 0xc0405c10 bounds                       
       0x6 0xc0405c1c invalid_op                   
       0x7 0xc0405adc device_not_available         
       0x9 0xc0405c28 coprocessor_segment_overrun  
       0xa 0xc0405c34 invalid_TSS                  
       0xb 0xc0405c40 segment_not_present          
       0xc 0xc0405c4c stack_segment                
       0xd 0xc0625500 general_protection           
       0xe 0xc062550c page_fault                   
       0xf 0xc0405c74 spurious_interrupt_bug       
      0x10 0xc0405ac4 coprocessor_error            
      0x11 0xc0405c58 alignment_check              
      0x12 0xc0405c64 machine_check                
      0x13 0xc0405ad0 simd_coprocessor_error       
      0x80 0xc0404f04 system_call                  

Where is 0x8?

Thank you very much.
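
An added example, not part of the original post and not Volatility's own code: instead of comparing `wc -l` counts, this compares the `linux_check_syscall` rows with the `.long` entries of syscall_table.S slot by slot and collects the addresses behind every slot whose name differs. The function names are hypothetical, and the sample rows are constructed from lines quoted in the post.

```python
import re

# Constructed sample: a few linux_check_syscall rows quoted in the post.
VOL_OUTPUT = """\
32bit             0xf 0xc0476cb8 sys_chmod
32bit            0x10 0xc043cef7 sys_lchown16
32bit            0x11 0xc0437304 compat_sys_futex
32bit            0x12 0xc04808e0 sys_stat
32bit           0x13f 0xc0437304 compat_sys_futex
32bit           0x143 0xc049e91f sys_eventfd
"""

# Excerpt of syscall_table.S as quoted in the post; its first entry is slot 15.
SOURCE_TABLE = """\
.long sys_chmod         /* 15 */
.long sys_lchown16
.long sys_ni_syscall    /* old break syscall holder */
.long sys_stat
.long sys_lseek
"""

ROW = re.compile(r"^\S+\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s*$")
LONG = re.compile(r"^\s*\.long\s+(\w+)")

def parse_vol(text):
    """Return {index: (address, symbol)} from linux_check_syscall rows."""
    hits = filter(None, map(ROW.match, text.splitlines()))
    return {int(m[1], 16): (int(m[2], 16), m[3]) for m in hits}

def parse_source(text, first_index):
    """Return {index: symbol} for consecutive .long entries."""
    names = [m[1] for m in map(LONG.match, text.splitlines()) if m]
    return {first_index + i: name for i, name in enumerate(names)}

def compare(vol, src):
    """Classify each dumped slot against the source table, by index."""
    report = {"match": [], "name_differs": [], "not_in_source": []}
    for idx, (addr, sym) in sorted(vol.items()):
        want = src.get(idx)
        if want is None:
            report["not_in_source"].append(idx)
        elif want == sym:
            report["match"].append(idx)
        else:
            report["name_differs"].append((idx, want, sym, hex(addr)))
    return report

def placeholder_addresses(report):
    """Addresses behind slots whose dump name differs from the source name."""
    return {addr for _, _, _, addr in report["name_differs"]}
```

On the rows above, slot 0x11 is reported as a name difference (sys_ni_syscall in the source, compat_sys_futex in the dump), and slots past the end of the source excerpt are listed separately because the excerpt cannot say what belongs there.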