`open()`, `fork()` or `read()`; this is because these functions are simply wrappers around the syscalls, making it much easier for the programmer.

`int 0x80` instruction. Once it's called, the kernel checks the value stored in RAX - this is the syscall number, which defines what syscall gets run. As per the table, the other parameters can be stored in RDI, RSI, RDX, etc., and each parameter has a different meaning for the different syscalls.

`execve` syscall, which executes the program passed to it in RDI. RSI and RDX hold `argv` and `envp` respectively.

`system()` function, we can use `execve` to call `/bin/sh` instead - all we have to do is pass in a pointer to `/bin/sh` to RDI, and populate RSI and RDX with `0` (this is because both `argv` and `envp` need to be `NULL` to pop a shell).
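The register layout described above, as an added C example that is not part of the original notes: it assumes x86-64 Linux (where the 64-bit `syscall` instruction plays the role `int 0x80` plays on 32-bit), issues a syscall by hand with the number in RAX and arguments in RDI/RSI/RDX, and shows that the libc function is only a wrapper. The `execve` call uses a constructed, non-existent path so that the kernel rejects it and we can observe the raw return convention instead of replacing the process.

```c
// Added example (not from the original notes): a minimal x86-64 Linux
// raw syscall wrapper, used to show that libc functions are thin wrappers
// around the kernel's syscall interface and how execve's registers are laid out.
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Kernel calling convention on x86-64: number in RAX, arguments in
// RDI, RSI, RDX (then R10, R8, R9), result back in RAX. The kernel
// returns -errno on failure; the libc wrappers turn that into -1 + errno.
static long raw_syscall3(long nr, long a1, long a2, long a3) {
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
}

// getpid through the raw interface must agree with the libc wrapper,
// which is exactly the "wrapper around the syscall" point from the text.
int raw_getpid_matches_libc(void) {
    return raw_syscall3(SYS_getpid, 0, 0, 0) == (long)getpid();
}

// execve(path, argv, envp) with argv == envp == NULL, i.e. the register
// layout described above: RAX=SYS_execve (59), RDI=path, RSI=0, RDX=0.
// On success execve never returns, so the caller only sees a return value
// when the kernel rejects the request; that value is -errno.
long raw_execve_null_args(const char *path) {
    return raw_syscall3(SYS_execve, (long)path, 0, 0);
}

int main(void) {
    // Constructed path that does not exist, so the call fails with -ENOENT.
    const char *bogus = "/nonexistent-example-path/prog";
    long r = raw_execve_null_args(bogus);
    printf("raw execve returned %ld (%s)\n", r, strerror((int)-r));
    printf("raw getpid agrees with libc: %d\n", raw_getpid_matches_libc());
    return 0;
}
```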