A little offtopic: Get EIP

[clemens.kol at gmx.at (Clemens Kolbitsch)]

oh yeah... just to make sure

i'm using debian linux, 2.6.20 on a i386.
still happy for help :-)

Clemens Kolbitsch wrote:
> hi guys!
> sorry... i know this is a little off-topic, but this is probably the 
> best place to ask for help...
>
> we're developing a linux kernel stager to execute netcat as reverse 
> shells (or acutally an app...) very similar to the winXP stager...
>
> everything works really good (you'll hear from us soon ;-)  )
>
> however, to try an exploit, i have to obtain the current EIP (and 
> store it into some register).
>
> in user-mode, i use
>
> unsigned char *from;
> __asm__ __volatile__("call 0x0");
> __asm__ __volatile__("pop %eax");
> __asm__ __volatile__("mov %%eax,%0" : "=r" (from) : : "%eax");
>
> what works just fine (well, the "call 0x0" must be edited manually 
> after compiling, because gcc makes a "call 0xfcffffff" out of it for 
> some reason...)
>
> however, when i execute this very same code in kernel mode (during a 
> system call or a module init routine, for example) i get
>
> Segmentation fault
> Code: Bad EIP value.
> EIP:  [<00000004>] 0x4 SS:ESP 0068:c6afec4
>
> if i change it to "call 0x10" i get
>
> Segmentation fault
> Code: Bad EIP value.
> EIP:  [<00000014>] 0x14 ....
>
> so obviously, the relative near-call is treated as a call with 
> ABSOLUTE address...
>
> can anybody tell me why?? (or simply how to do this correctly??)
>
> thanks!!
> clemens