Vulnerability Development mailing list archives
Re: Detecting abnormal behaviour
From: "Alexander E. Cuttergo" <algo () sdf lonestar org>
Date: Fri, 21 Mar 2003 14:40:00 -0800
Adrian S <hotelectron () hotmail com> wrote:
> Is it possible to determine the source address of the system call to check if it is proper from a list of legal addresses (legal process space etc.)?

If your question was: "Is it possible to determine in kernel mode the value of userland instruction pointer at the moment of executing a system call" then in the case of Linux it is. I think it is true on every sane OS.

What are you trying to achieve? If a protection against executing shellcode, then be aware that in the case of return-into-libc exploits the rogue code executes within library/executable image, not within stack/heap.

peace,
Algo
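The check discussed above, as an added example that is not part of the original message or thread: it classifies a saved userland instruction pointer against a process memory map in Linux `/proc/<pid>/maps` format. The map contents, the addresses and the names `classify_ip` and `enum origin` are constructed for illustration; a kernel-side monitor would read the saved registers and walk the process's mappings instead of parsing text.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not taken from a real process). */
static const char *SAMPLE_MAPS =
    "08048000-08052000 r-xp 00000000 03:01 1234 /usr/sbin/exampled\n"
    "08053000-08075000 rw-p 00000000 00:00 0 [heap]\n"
    "40017000-40140000 r-xp 00000000 03:01 5678 /lib/libc.so.6\n"
    "40140000-40145000 rwxp 00000000 00:00 0\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

enum origin { ORIGIN_UNMAPPED, ORIGIN_NOT_EXEC, ORIGIN_ANON_EXEC, ORIGIN_FILE_TEXT };

/* Classify the mapping that contains the userland instruction pointer ip. */
enum origin classify_ip(const char *maps, unsigned long ip)
{
    while (*maps) {
        size_t len = strcspn(maps, "\n");          /* length of this line */
        char buf[512], perms[5] = "", path[256] = "";
        unsigned long start, end, inode;
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;

        memcpy(buf, maps, n);
        buf[n] = '\0';
        maps += len;
        if (*maps == '\n')
            maps++;

        /* Fields: start-end perms offset dev inode [path] */
        if (sscanf(buf, "%lx-%lx %4s %*s %*s %lu %255s",
                   &start, &end, perms, &inode, path) < 4)
            continue;                              /* malformed line */
        if (ip < start || ip >= end)
            continue;
        if (perms[2] != 'x')
            return ORIGIN_NOT_EXEC;                /* heap/data without exec */
        if (inode == 0 || path[0] != '/')
            return ORIGIN_ANON_EXEC;               /* stack or anonymous memory */
        return ORIGIN_FILE_TEXT;                   /* program or library text */
    }
    return ORIGIN_UNMAPPED;
}

int main(void)
{
    /* A call from the stack is flagged; a call from libc is not, and that is
       also where a return-into-libc call originates. */
    printf("stack ip: %d\n", classify_ip(SAMPLE_MAPS, 0xbffff4a0UL));
    printf("libc ip:  %d\n", classify_ip(SAMPLE_MAPS, 0x400a1234UL));
    return 0;
}
```

An origin inside `libc` comes back as `ORIGIN_FILE_TEXT`, the same answer every legitimate system call wrapper produces, so this check alone cannot separate the return-into-libc case from normal behaviour.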