Handling a syscall via ASM (x86) (ebp needed)

Question

On x64 I handle syscalls (I hook syscalls and then call them myself) by reserving some space on the stack and copying all the arguments (6) to the stack. I save all the arguments so I can use them later in the code.

This is what my code looks like (intel syntax):

push rbp;
mov rbp, rsp;
sub rsp, 64;

mov [rbp - 8], rax;
mov [rbp - 16], rdi;
mov [rbp - 24], rsi;
mov [rbp - 32], rdx;
mov [rbp - 40], rcx;
mov [rbp - 48], r8;
mov [rbp - 56], r9;
...
...
...

Note that I'm using rbp to access the stack.

Now I'm trying to do the same code for x86. I thought it would be pretty much the same, but then I realized (as per https://stackoverflow.com/a/2538212/940158) that ebp is used for the 6th argument of the syscall, which means I can't use ebp to access the stack. Or can I?

How could I achieve the same thing that I'm doing in x64?

Answer 1

You can do that, just (equivalent of your code) do something like:

push ebp
mov ebp, esp
sub esp, 64

mov [ebp - 4], eax
mov [ebp - 8], ebx
mov [ebp - 12], ecx
mov [ebp - 16], edx
mov [ebp - 20], esi
mov [ebp - 24], edi
mov eax, [ebp]       ; restore original ebp into eax
mov [ebp - 28], eax  ; and store into “ebp” location

What I’m wondering is why you’re referencing the Linux/amd64 and Linux/i386 syscall ABI here, yet seem to be doing the kernel component… (if you’re hacking your own OS, there are better calling conventions for syscalls; if you’re hacking Linux you’ll never see the raw calling arguments). But not the problem at hand, so… ok.