
Re: Detecting abnormal behaviour

From: Alexander E. Cuttergo <algo(at)sdf.lonestar.org>
Date: Fri Mar 21 2003 - 17:40:00 EST


Adrian S <hotelectron@hotmail.com> wrote:
> Is it possible to determine the source address of the system call to check

If your question was:
"Is it possible to determine in kernel mode the value of userland instruction pointer at the moment of executing a system call" then in case of Linux it is. I think it is true on every sane OS.

What are you trying to achieve? If a protection against executing shellcode, then be aware that in case of return-into-libc exploits the rogue code executes within library/executable image, not within stack/heap.

peace,
Algo  

Received on Fri Mar 21 17:56:35 2003
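
Added example, not part of the original message: a sketch of the origin check discussed in this thread, classifying a userland instruction pointer recorded at system call entry against the process's memory map. The sample map and addresses are constructed, `classify_ip` and the `ORIGIN_*` names are hypothetical, and the instruction pointer is assumed to have been captured already by a kernel-side hook.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from a real process). */
static const char *SAMPLE_MAPS =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /usr/bin/daemon\n"
    "0804c000-0804d000 rw-p 00003000 03:01 1234 /usr/bin/daemon\n"
    "0804d000-0806e000 rwxp 00000000 00:00 0 [heap]\n"
    "40020000-40150000 r-xp 00000000 03:01 5678 /lib/libc.so.6\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

enum origin { ORIGIN_UNMAPPED, ORIGIN_IMAGE, ORIGIN_SUSPECT };

/* Classify the user-mode instruction pointer seen at syscall entry
 * (hypothetical helper; ip is assumed to be captured elsewhere). */
enum origin classify_ip(const char *maps, unsigned long ip)
{
    while (*maps) {
        char line[512], perms[5] = "", path[256] = "";
        unsigned long start, end;
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, maps, n);          /* parse one line at a time so an   */
        line[n] = '\0';                 /* empty path never reads past it   */
        maps += len + (maps[len] == '\n');
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255[^\n]",
                   &start, &end, perms, path) < 3)
            continue;                   /* malformed line: skip it */
        if (ip < start || ip >= end)
            continue;
        /* Executable, not writable, file-backed: an ordinary code image. */
        if (perms[2] == 'x' && perms[1] != 'w' && path[0] == '/')
            return ORIGIN_IMAGE;
        return ORIGIN_SUSPECT;          /* stack, heap, data, anonymous */
    }
    return ORIGIN_UNMAPPED;
}

int main(void)
{
    /* Constructed addresses: stack, libc text, program text. */
    unsigned long ips[] = { 0xbffff6a0UL, 0x40031c20UL, 0x08048f00UL };
    for (size_t i = 0; i < sizeof ips / sizeof ips[0]; i++)
        printf("%08lx -> %d\n", ips[i], classify_ip(SAMPLE_MAPS, ips[i]));
    return 0;
}
```

The libc address is classified as `ORIGIN_IMAGE` no matter how control reached it, which is the return-into-libc limitation raised in the reply: the check flags system calls issued from stack or heap, not ones issued by library code that was reached through a corrupted return address.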

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

