#include "remods.h"
#include "precomp.h"

Include dependency graph for syscall.c:

Classes
struct	_FRAME_SYSCALL

Typedefs
typedef struct _FRAME_SYSCALL	FRAME_SYSCALL

Functions
void	other_module_cleanup_module (void)

void	CSyscallHandler (FRAME_SYSCALL *ptr, ULONG ulSysCall, ULONG ebx)

	__asm__ ("\n\t \ NewSyscallHandler:\n\t \ // save used regs\n\t \ pushfl\n\t \ cli\n\t \ cld\n\t \ pushal\n\t \ pushl %ds\n\t \ \n\t \ // push the syscall number\n\t \ pushl %ebx\n\t \ pushl %eax\n\t \ \n\t \ // frame ptr\n\t \ lea 48(%esp),%eax\n\t \ pushl %eax\n\t \ \n\t \ // setup default data selectors\n\t \ movw %ss,%ax\n\t \ movw %ax,%ds\n\t \ \n\t \ call _CSyscallHandler\n\t \ \n\t \ // remove pushed params\n\t \ add $12,%esp\n\t \ \n\t \ // restore used regs\n\t \ popl %ds\n\t \ popal\n\t \ popfl\n\t \ \n\t \ // chain to old handler\n\t \ .byte 0x2e\n\t \ jmp *_OldSyscallHandler")

void	InstallSyscallHook (void)

void	DeInstallSyscallHook (void)

Variables
char	syscallTemp [1024]

BOOLEAN	bReportProcessEvents = TRUE

ULONG	OldSyscallHandler =0

ULONG	ulFreeModule =0

PDEBUG_MODULE	pModJustFreed =NULL

void(*	old_cleanup_module )(void) =NULL

Typedef Documentation

◆ FRAME_SYSCALL

typedef struct _FRAME_SYSCALL FRAME_SYSCALL

Function Documentation

◆ asm()

__asm__	(	"\n\t \NewSyscallHandler:\n\t \ // save used regs\n\t \ pushfl\n\t \ cli\n\t \ cld\n\t \ pushal\n\t \ pushl %ds\n\t \\n\t \ // push the syscall number\n\t \ pushl %ebx\n\t \ pushl %eax\n\t \\n\t \ // frame ptr\n\t \ lea	48%esp,
		%eax\n\t \ pushl %eax\n\t \\n\t \//setup default data selectors\n\t \ movw %	ss,
		%ax\n\t \ movw %	ax,
		%ds\n\t \\n\t \ call _CSyscallHandler\n\t \\n\t \//remove pushed params\n\t \ add	$12,
		%esp\n\t \\n\t \//restore used regs\n\t \ popl %ds\n\t \ popal\n\t \ popfl\n\t \\n\t \//chain to old handler\n\t \ .byte 0x2e\n\t \ jmp *_OldSyscallHandler"
	)

◆ CSyscallHandler()

void CSyscallHandler	(	FRAME_SYSCALL *	ptr,
		ULONG	ulSysCall,
		ULONG	ebx
	)

Definition at line 71 of file syscall.c.

 {
 //  DPRINT((0,"CSyscallHandler(): %.4X:%.8X (syscall = %u)\n",ptr->cs,ptr->eip,ulSysCall));
 /*
     switch(ulSysCall)
     {
         case 1: // sys_exit
             DPRINT((0,"CSysCallHandler(): 1\n"));
             if(bReportProcessEvents)
             {
                 PICE_sprintf(syscallTemp,"pICE: process destroyed \"%s\" PID=%.4X\n",current->comm,current->pid);
                 AddToRingBuffer(syscallTemp);
             }
             break;
         case 11: // sys_execve
             DPRINT((0,"CSysCallHandler(): 11\n"));
             if(bReportProcessEvents)
             {
                 if(PICE_strlen((char*)ebx))
                     PICE_sprintf(syscallTemp,"pICE: process created \"%s\" PID=%.4X (parent \"%s\")\n",(char *)ebx,current->pid,current->comm);
                 else
                     PICE_sprintf(syscallTemp,"pICE: process created PID=%.4X (parent \"%s\")\n",current->pid,current->comm);
                 AddToRingBuffer(syscallTemp);
             }
             break;
         case 128: // sys_init_module
             DPRINT((0,"CSysCallHandler(): 128\n"));
             if(PICE_strlen((char *)ebx))
             {
                 if(pmodule_list)
                 {
                     struct module* pMod = *pmodule_list;
                     do
                     {
                         if(PICE_strcmpi((char*)ebx,(LPSTR)pMod->name)==0)
                         {
                             ULONG ulInitAddress;
                             PICE_sprintf(syscallTemp,"pICE: module \"%s\" loaded (%x-%x init @ %x)\n",(char*)ebx,pMod,(ULONG)pMod+pMod->size,pMod->init);
                             if((ulInitAddress=FindFunctionInModuleByName("init_module",pMod)))
                             {
                                 DPRINT((0,"setting DR1=%.8x\n",ulInitAddress));
 
                                 SetHardwareBreakPoint(ulInitAddress,1);
                             }
                         }
                     }while((pMod = pMod->next));
                 }
                 else
                 {
                     PICE_sprintf(syscallTemp,"pICE: module loaded \"%s\"\n",(char *)ebx);
                 }
             }
             else
                 PICE_sprintf(syscallTemp,"pICE: module loaded\n");
             AddToRingBuffer(syscallTemp);
             break;
         case 129: // sys_delete_module
             DPRINT((0,"CSysCallHandler(): 129\n"));
             if(PICE_strlen((char *)ebx))
             {
                 if(IsModuleLoaded((LPSTR)ebx)!=NULL && PICE_strcmpi((char*)ebx,"pice")!=0 )
                 {
                     PICE_sprintf(syscallTemp,"pICE: module freed \"%s\"\n",(char *)ebx);
                     Print(OUTPUT_WINDOW,syscallTemp);
                     if((pModJustFreed = FindModuleByName((char*)ebx)) )
                     {
                         if(pModJustFreed->cleanup)
                         {
                             old_cleanup_module = pModJustFreed->cleanup;
                             pModJustFreed->cleanup = other_module_cleanup_module;
                         }
                         else
                         {
                             RevirtualizeBreakpointsForModule(pModJustFreed);
                         }
                     }
                 }
             }
             else
             {
                 PICE_sprintf(syscallTemp,"pICE: module freed\n");
                 AddToRingBuffer(syscallTemp);
             }
             break;
     }
  */
 }

◆ DeInstallSyscallHook()

void DeInstallSyscallHook ( void )

Definition at line 218 of file syscall.c.

 {
     ENTER_FUNC();
 /*ei
     MaskIrqs();
     if(OldSyscallHandler)
     {
         SetGlobalInt(0x2e,(ULONG)OldSyscallHandler);
         (ULONG)OldSyscallHandler=0;
     }
     UnmaskIrqs();
 */
     LEAVE_FUNC();
 }

Referenced by CleanUpPICE().

◆ InstallSyscallHook()

void InstallSyscallHook ( void )

Definition at line 194 of file syscall.c.

 {
     ULONG LocalSyscallHandler;
 
     ENTER_FUNC();
 /*ei  fix later
     MaskIrqs();
     if(!OldSyscallHandler)
     {
         __asm__("mov $NewSyscallHandler,%0"
             :"=r" (LocalSyscallHandler)
             :
             :"eax");
         OldSyscallHandler=SetGlobalInt(0x2e,(ULONG)LocalSyscallHandler);
 
         ScanExports("free_module",(PULONG)&ulFreeModule);
 
         DPRINT((0,"InstallSyscallHook(): free_module @ %x\n",ulFreeModule));
     }
     UnmaskIrqs();
  */
     LEAVE_FUNC();
 }

Referenced by InitPICE().

◆ other_module_cleanup_module()

void other_module_cleanup_module ( void )

Definition at line 54 of file syscall.c.

 {
     DPRINT((0,"other_module_cleanup_module()\n"));
 
     if(old_cleanup_module)
     {
         DPRINT((0,"other_module_cleanup_module(): calling %x\n",(ULONG)old_cleanup_module));
         old_cleanup_module();
     }
 
     if(pModJustFreed)
     {
         DPRINT((0,"other_module_cleanup_module(): calling RevirtualizeBreakpointsForModule(%x)\n",(ULONG)pModJustFreed));
         RevirtualizeBreakpointsForModule(pModJustFreed);
     }
 }

Variable Documentation

◆ bReportProcessEvents

BOOLEAN bReportProcessEvents = TRUE

Definition at line 45 of file syscall.c.

◆ old_cleanup_module

void(* old_cleanup_module) (void) =NULL

Definition at line 52 of file syscall.c.

Referenced by other_module_cleanup_module().

◆ OldSyscallHandler

ULONG OldSyscallHandler =0

Definition at line 47 of file syscall.c.

◆ pModJustFreed

PDEBUG_MODULE pModJustFreed =NULL

Definition at line 51 of file syscall.c.

Referenced by other_module_cleanup_module().

◆ syscallTemp

char syscallTemp[1024]

Definition at line 36 of file syscall.c.

◆ ulFreeModule

ULONG ulFreeModule =0

Definition at line 49 of file syscall.c.

Classes

Typedefs

Functions

Variables