Finding the sys call table in memory 64-bit on 4.x.x Kernel

Question

I\'m trying to write a simple kernel module to find the sys_call_table in Linux and am having some trouble. I found a basic guide for 32-bit Linux here: https://memset.wordpress

Answer 1

Your kernel may have enabled x32 compat.

1. There are two sys_call_tables in this kind of kernel. compat_sys_call_table(ia23_sys_call_table) for 32-bit and sys_call_table for 64-bit. And they use the same sys_close.

2. You may find sys_close in compat_sys_call_table, but __NR_close is different between 32-bit unistd.h and 64-bit unistd.h. You may be using 64-bit __NR_close, so you cannot get compat_sys_call_table nor sys_call_table correctly.

You can check my code, ASyScallHookFrame, it works fine on Android kernel 3.10.