Understanding the behavior of the 32 bit mmap system call

Rdbo rdbodev at gmail.com
Wed Jul 21 21:04:32 UTC 2021


By remote process, I meant a tracer. Because apparently the syscall
arguments are passed on the stack, I'm gonna have to modify my shellcode a
little in order for the syscall injection to work. I thought it was going
to be the same way as on Linux, apparently not. I'll report back if I get
it working.

On Tue, Jul 20, 2021 at 09:15, Rdbo <rdbodev at gmail.com> wrote:

> Hi, I'm a hobbyist developer working on a multiplatform, multiarch memory
> library, and I chose FreeBSD to be one of the supported operating systems.
> I was playing around with the SYS_mmap system call and I noticed that, for
> x86_32, you have to pass a struct containing all the mmap arguments, rather
> than the arguments themselves. The thing is, this structure is not passed
> as a pointer (like on Linux, for example), so I don't see how one would do
> this syscall from a remote process, as each register is responsible for one
> argument of the syscall, and a single register can't store a structure this
> size. I've tried passing the structure as a pointer, passing each mmap
> argument in a separate register (like __NR_mmap2 on Linux), looking for
> alternative mmap system calls that do not require the struct parameter.
> Unfortunately, these attempts have all failed.
> TLDR; how to run a 32 bit SYS_mmap system call from a remote process when
> a single register can't fit the whole structure and the structure is not
> passed as a pointer?
> Regards, rdbo
>

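The ABI point the thread turns on, as an added example that is not the poster's code: on FreeBSD/i386 the kernel reads system-call arguments from the user stack (a C-style frame below esp, with a return-address slot the kernel skips), so a 64-bit off_t occupies two words and no register ever holds the "struct". The syscall number 477 for SYS_mmap and the frame layout are taken from FreeBSD's syscalls.master and i386 trap handling as I understand them; confirm both against sys/syscall.h on the target before relying on them.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not code from the original thread.  On FreeBSD/i386 the
 * kernel takes system-call arguments from the user stack, laid out like a
 * C call: esp -> [return-address slot][arg0][arg1]...; eax holds the syscall
 * number, `int 0x80` traps, the result returns in eax and the carry flag is
 * set on error (eax then holds errno).  477 is SYS_mmap in syscalls.master
 * (assumed here; confirm against sys/syscall.h on the target). */
#define FBSD_SYS_MMAP    477
#define MMAP_FRAME_WORDS 8   /* return slot + 5 words + 64-bit off_t (2 words) */

/* Build the i386 stack image for mmap(addr, len, prot, flags, fd, pos).
 * Returns the frame pointer so callers can inspect or push it directly. */
uint32_t *fbsd_i386_mmap_frame(uint32_t frame[MMAP_FRAME_WORDS],
                               uint32_t addr, uint32_t len, uint32_t prot,
                               uint32_t flags, uint32_t fd, uint64_t pos)
{
    frame[0] = 0;                              /* return-address slot, skipped */
    frame[1] = addr;  frame[2] = len;  frame[3] = prot;
    frame[4] = flags; frame[5] = fd;
    frame[6] = (uint32_t)(pos & 0xffffffffu);  /* off_t low word  */
    frame[7] = (uint32_t)(pos >> 32);          /* off_t high word */
    return frame;
}

#if defined(__FreeBSD__) && defined(__i386__)
/* Native use of that frame: push it, trap, pop it.  Returns the mapping
 * address, or -errno when the kernel set the carry flag. */
long fbsd_i386_raw_mmap(uint32_t addr, uint32_t len, uint32_t prot,
                        uint32_t flags, uint32_t fd, uint64_t pos)
{
    uint32_t f[MMAP_FRAME_WORDS];
    long ret; int err = 0;
    fbsd_i386_mmap_frame(f, addr, len, prot, flags, fd, pos);
    __asm__ volatile (
        "pushl 28(%[f]); pushl 24(%[f]); pushl 20(%[f]); pushl 16(%[f])\n\t"
        "pushl 12(%[f]); pushl 8(%[f]);  pushl 4(%[f]);  pushl 0(%[f])\n\t"
        "int $0x80\n\t"
        "setc %b[err]\n\t"
        "addl $32, %%esp"
        : "=a"(ret), [err] "+q"(err)
        : "0"(FBSD_SYS_MMAP), [f] "r"(f)
        : "edx", "memory", "cc");
    return err ? -ret : ret;
}
#endif
```

The frame builder compiles anywhere; the inline-asm wrapper is guarded so it only builds on FreeBSD/i386, where the trap convention it encodes actually applies.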
