Re: Detecting abnormal behaviour

From: Alexander E. Cuttergo (algoat_private)
Date: Fri Mar 21 2003 - 14:40:00 PST

    Adrian S <hotelectronat_private> wrote:
    > Is it possible to determine the source address of the system call to check
    > if it is proper from a list of legal addresses (legal process space etc)?
    If your question was:
    "Is it possible to determine in kernel mode the value of userland instruction 
    pointer at the moment of executing a system call"
    then in case of Linux it is. I think it is true on every sane OS.
    
    What are you trying to achieve? If a protection against executing
    shellcode, then be aware that in case of return-into-libc exploits the rogue
    code executes within library/executable image, not within stack/heap.
    
    peace,
    Algo
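
The check asked about above, together with the caveat from the reply, as an added example that is not part of the original message: given the userland instruction pointer saved at system-call entry, it tests the address against the executable, file-backed mappings of the process. The /proc/<pid>/maps-style sample, its addresses and the name ip_is_legal are constructed for illustration, and a 64-bit Linux layout is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format; all addresses are made up. */
static const char *SAMPLE_MAPS =
    "00400000-0040b000 r-xp 00000000 08:01 1311 /bin/target\n"
    "0060a000-0060c000 rw-p 0000a000 08:01 1311 /bin/target\n"
    "01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a10000000-7f3a101c0000 r-xp 00000000 08:01 2097 /lib/libc.so.6\n"
    "7ffd4a1e0000-7ffd4a201000 rwxp 00000000 00:00 0 [stack]\n";

/* Hypothetical helper: return 1 if ip lies in an executable mapping backed
 * by a file (program or library text), 0 for stack, heap, data or unmapped. */
int ip_is_legal(const char *maps, unsigned long long ip)
{
    const char *line = maps;
    while (*line) {
        char buf[512], perms[5] = "", path[256] = "";
        unsigned long long start, end;
        size_t full = strcspn(line, "\n");
        size_t len = full < sizeof buf ? full : sizeof buf - 1;

        memcpy(buf, line, len);          /* parse one line at a time */
        buf[len] = '\0';
        line += full;
        if (*line == '\n')
            line++;

        /* fields: range, perms, offset, dev, inode, optional pathname */
        if (sscanf(buf, "%llx-%llx %4s %*s %*s %*s %255s",
                   &start, &end, perms, path) < 3)
            continue;
        if (ip >= start && ip < end)
            return perms[2] == 'x' && path[0] == '/';
    }
    return 0;
}

int main(void)
{
    /* Shellcode placed on the stack: the saved ip points into [stack]. */
    printf("stack ip: %d\n", ip_is_legal(SAMPLE_MAPS, 0x7ffd4a1f0000ULL));
    /* Normal call through libc: the saved ip points into libc text. */
    printf("libc ip:  %d\n", ip_is_legal(SAMPLE_MAPS, 0x7f3a100e4000ULL));
    /* After return-into-libc the syscall is issued by the same libc code,
     * so the saved ip is identical and the check cannot tell them apart. */
    return 0;
}
```
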

    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 14:56:11 PST