System calls explained

Today I selected another topic in computer science. Before we go on to learn assembly or shellcoding we need a clear idea of system calls. Computer programs do various kinds of work: printing a string to the screen, handling a file, getting user input, exiting the program and so on. None of these tasks is done by the program alone. Every program gets support from the operating system to do these special things. What actually happens here is that something called the kernel handles these requests. Windows systems have their own kernel, while Linux distributions have the Linux kernel. When a program wants to print a string to the screen it loads the arguments (the string) and calls a specific system call. When the kernel receives the call it does what was asked. Yes, there are many system calls for doing various things, like the exit syscall, the print (write) syscall and so on.

But how do we identify a system call? There is a unique number for every system call. When we want to use a syscall we call it with its own number. Now you know what system calls are. Let's see how we can use them in assembly programs. The easiest system call to understand is the exit system call. It simply quits the program. The following small assembly code demonstrates how we can use the exit syscall. Here I am not going to explain how to assemble and link assembly programs, because I'll explain everything about basic assembly in the next tutorial. Till then let's try to get some idea of how system calls work. After you understand system calls we can learn assembly and shellcoding very easily.
Think about that small exit program. It calls the exit system call, which causes the program to exit. There are three steps in this syscall. First we copied 0x1 (hexadecimal) into the eax register. That is the syscall number: the unique number of the exit syscall is one. That is how we tell the kernel which syscall we want to execute; we fill eax with its syscall number. As the second step we copied 0x5 into ebx. What is that for? It is the status value. When a program quits in Linux there is a special value called the exit status. It indicates whether the program exited successfully or not: a program that exits with success returns zero. Yes, you are correct, we have seen the same thing with functions in C programming. Here we returned five (0x5 in hexadecimal). That is optional; we can return any number. One more thing: after the program has completed and exited we can read that return value by entering echo $? in our Linux terminal. As the final step we used the instruction int 0x80. This is an interrupt instruction. It breaks the normal flow of the program and wakes the kernel to do the rest. Now the kernel starts its job. First it checks eax for the syscall number. After it figures out that we want the exit system call, it checks ebx for the status value. Finally it does what we wanted. In the picture above you can see I used nasm to assemble and ld to link my little assembly program. Then I ran it and the result is displayed. Now you have a good idea of system calls. In the next tutorials we are going to go deep into assembly. I'll also post a tutorial explaining the basics of shellcoding. Thanks for reading.
global _start

section .text
_start:
    mov eax, 0x1    ; syscall number 1 = exit (32-bit Linux int 0x80 table)
    mov ebx, 0x5    ; first argument: exit status 5
    int 0x80        ; trap into the kernel, which reads eax and ebx
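The same three steps (choose the syscall number, load its arguments, trap into the kernel) seen from C, as an added example that is not part of the original tutorial. It assumes Linux and uses the libc syscall() wrapper with the symbolic numbers from <sys/syscall.h>, because on x86-64 the numbers differ from the 32-bit int 0x80 table (SYS_exit is 60 there, not 1), so hard-coding 1 would be wrong. It prints through the write syscall, checks that the raw getpid agrees with libc, and forks a child that exits through the raw exit syscall with status 5 so the parent can read back the same value the shell shows with echo $?. The function names raw_write, raw_getpid_matches_libc and exit_status_of_child are my own.

```c
/* Added example, not from the original post. Assumes Linux (glibc or musl):
   SYS_write, SYS_getpid and SYS_exit come from <sys/syscall.h>. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Prototype of the libc wrapper, repeated here so the example builds even
   under strict feature-test macros. It is the same declaration libc uses. */
long syscall(long number, ...);

/* Print a string without printf: the write syscall takes (fd, buffer, length).
   Returns the byte count the kernel reports, or -1 on error. */
long raw_write(int fd, const char *s)
{
    return syscall(SYS_write, fd, s, strlen(s));
}

/* The kernel and libc must agree on who we are: getpid through the raw
   syscall must equal getpid() from libc. Returns 1 when they match. */
int raw_getpid_matches_libc(void)
{
    return syscall(SYS_getpid) == getpid();
}

/* Run a child that exits through the raw exit syscall with `status`, and
   report the value the parent sees via waitpid(). This is exactly what the
   shell's `echo $?` reads after the assembly program finishes. Only the low
   8 bits of the status survive, so 256 would read back as 0. */
int exit_status_of_child(int status)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: the C equivalent of mov eax,1 ; mov ebx,status ; int 0x80 */
        syscall(SYS_exit, status);
        /* never reached: the kernel has already destroyed this process */
    }
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) < 0)
        return -1;
    return WIFEXITED(wstatus) ? WEXITSTATUS(wstatus) : -1;
}

int main(void)
{
    raw_write(1, "hello from the write syscall\n");
    printf("raw getpid agrees with libc: %d\n", raw_getpid_matches_libc());
    printf("child exited with status %d\n", exit_status_of_child(5));
    fflush(stdout);
    /* Leave the way the assembly program does; the shell then shows 5 for $? */
    syscall(SYS_exit, 5);
    return 0;
}
```

Build with `gcc -o rawsys rawsys.c`, run `./rawsys`, then `echo $?` prints 5, matching the assembly version. The fflush before the raw exit matters: exiting through the kernel directly skips the libc shutdown that normally flushes stdio buffers.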