Hi,
I'm working on a lecture about FreeBSD rootkits. I was reading the kernel source code and trying to understand the syscall flow from
where the kernel creates a trapframe and passes it as a parameter to the syscall function. Inside the syscall function, i found this code snippet that made me confused:
Where is the kernel setting tf_esp and why is it adding 4 bytes to it? I found this paper and the autor explains:
I don't understand what it means. I thought the reason was because the FreeBSD kernel uses the C calling convention, but it seems i'm wrong.
Thank you!
I'm working on a lecture about FreeBSD rootkits. I was reading the kernel source code and trying to understand the syscall flow from
int 0x80 until the point where the syscall is actually executed. As far as i could understand, the execution begins with
Code:
IDTVEC(int0x80_syscall)
pushl $2 /* sizeof "int 0x80" */
pushl $0 /* tf_trapno */
pushal
pushl $0
movw %ds,(%esp)
pushl $0
movw %es,(%esp)
pushl $0
movw %fs,(%esp)
SET_KERNEL_SREGS
cld
FAKE_MCOUNT(TF_EIP(%esp))
pushl %esp
call syscallwhere the kernel creates a trapframe and passes it as a parameter to the syscall function. Inside the syscall function, i found this code snippet that made me confused:
Code:
void
syscall(struct trapframe *frame)
{
...
params = (caddr_t)frame->tf_esp + sizeof(int);
...
}Where is the kernel setting tf_esp and why is it adding 4 bytes to it? I found this paper and the autor explains:
I don't understand what it means. I thought the reason was because the FreeBSD kernel uses the C calling convention, but it seems i'm wrong.
Thank you!
