Wanted to look at IDT and other structs in memory

[ggodw000]

Wanted to do in linux since it is open source however, I had failed to find it and I am attributing to this feature: ASLR.
https://en.wikipedia.org/wiki/Address_s ... tion#Linux

It appears linux has implemented it after 2.6.x kernel so if I want to play purely for a educational purpose, perhaps I can grab the pre-2.6 kernel and try it?

[Brendan]

Hi,

Wanted to do in linux since it is open source however, I had failed to find it and I am attributing to this feature: ASLR.
https://en.wikipedia.org/wiki/Address_s ... tion#Linux

For slightly older CPUs, you should be able to use the "SIDT" or "SGDT" instructions in user-space (they are not privileged instructions) to determine where the IDT and GDT are (with or without ASLR the CPU must know the right addresses).

Recently (maybe only a few years ago) Intel added a feature they call "User-Mode Instruction Prevention" which is just a flag in CR4 that can be used to disallow the execution of various instructions (SIDT, SGDT, ..) in user-space. In this case you just need a slightly older CPU that doesn't support it or a slightly older kernel that doesn't support it.

It appears linux has implemented it after 2.6.x kernel so if I want to play purely for a educational purpose, perhaps I can grab the pre-2.6 kernel and try it?

For emulators (e.g. Qemu) there's a monitor you can use to inspect the IDT and GDT, without caring which kernel it is, without caring if the kernel uses ASLR or not, and without caring if "User-Mode Instruction Prevention" is supported and used.


Cheers,

Brendan

[Desiderata]

"SIDT" or "SGDT" lauren findley https://athletesphysiques.com/lauren-findley/ you should be able to "SIDT" or "SGDT" if it is a little older