On Fri, Dec 19, 2014 at 02:19:07PM +0000, Elazar Leibovich wrote:
> I know where the stack ends, but how can I know where it begins?

What assumptions can you make? Can you run kernel code in the VM (e.g., by cloning and restarting it)? Can you assume it's running Linux and/or Windows? Can you assume the kernel was compiled with frame pointers? Or is it a completely black box VM and you can't make any assumptions about what's running inside?

> I can check the memory mapping, and assume nothing would take the
> virtual address before the start of the kernel's stack, but I don't
> know if I can count on it for most mainstream OSes.

That's a pretty good heuristic but see questions above. By the way, some OS's have separate interrupt stacks, so you may be on an interrupt stack or on a regular stack.

> Maybe there's a known method I'm missing, I'll be happy for any
> comments.

Cheers,
Muli
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il