int 0x80 is the classic software interrupt instruction used on 32-bit Linux (x86) to enter the kernel and make a system call.
Breakdown
- int = “interrupt” instruction
- 0x80 = interrupt vector number (128 decimal) reserved for Linux syscalls
- When executed, the CPU switches from user mode → kernel mode, jumps into the kernel’s syscall handler, and executes the requested system call.
How it Works (x86, 32-bit Linux)
- Place the syscall number in EAX (this identifies which system call to run, e.g., 1 = sys_exit, 4 = sys_write).
- Place syscall arguments in registers:
  - EBX → arg1
  - ECX → arg2
  - EDX → arg3
  - ESI → arg4
  - EDI → arg5
  - EBP → arg6
- Execute: int 0x80 → traps into kernel space.
- The kernel executes the syscall and returns the result in EAX.
Example: write(“Hello\n”)
section .data
    msg db "Hello", 0x0A
    len equ $ - msg

section .text
    global _start

_start:
    mov eax, 4      ; syscall number for sys_write
    mov ebx, 1      ; file descriptor 1 (stdout)
    mov ecx, msg    ; pointer to message
    mov edx, len    ; message length
    int 0x80        ; call kernel
    mov eax, 1      ; syscall number for sys_exit
    xor ebx, ebx    ; status 0
    int 0x80

Notes
- int 0x80 was the old Linux syscall mechanism for 32-bit x86.
- On newer systems:
  - x86 (32-bit): sysenter or syscall (faster, but int 0x80 still works for compatibility).
  - x86-64: only the syscall instruction is used (with a different register calling convention).
So in reversing:
- If you see int 0x80, you’re looking at a 32-bit Linux binary making a direct system call.
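
For triage, the register convention above is enough to recover which syscall each int 0x80 makes. The following is an added example, not part of the original page: it decodes a hand-assembled copy of the _start code above and compares the result with a raw search for the bytes CD 80. The address used for msg (0x080480cd) is a constructed value, chosen so that its encoding contains CD 80 and the raw search reports a false hit.

```python
import struct

# Syscall numbers named on the page (32-bit x86 Linux).
SYSCALLS = {1: "sys_exit", 4: "sys_write"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 encoding order

# Constructed sample: the page's _start assembled by hand. The msg address
# (0x080480cd) is made up so that its little-endian bytes contain CD 80.
CODE = bytes.fromhex(
    "b804000000"  # mov eax, 4
    "bb01000000"  # mov ebx, 1
    "b9cd800408"  # mov ecx, msg
    "ba06000000"  # mov edx, len
    "cd80"        # int 0x80
    "b801000000"  # mov eax, 1
    "31db"        # xor ebx, ebx
    "cd80"        # int 0x80
)

def naive_hits(code):
    """Offsets of every raw CD 80 byte pair, including ones inside operands."""
    return [i for i in range(len(code) - 1) if code[i:i + 2] == b"\xcd\x80"]

def trace_syscalls(code):
    """Decode linearly from offset 0, tracking constants loaded into registers."""
    regs, found, i = {}, [], 0
    while i < len(code):
        op, modrm = code[i], (code[i + 1] if i + 1 < len(code) else 0)
        if 0xB8 <= op <= 0xBF and i + 5 <= len(code):        # mov r32, imm32
            regs[REGS[op - 0xB8]] = struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif op == 0x31 and modrm >= 0xC0 and ((modrm >> 3) & 7) == (modrm & 7):
            regs[REGS[modrm & 7]] = 0                        # xor reg, reg zeroes it
            i += 2
        elif op == 0xCD and modrm == 0x80:                   # int 0x80
            args = tuple(regs.get(r) for r in ("ebx", "ecx", "edx"))
            found.append((i, SYSCALLS.get(regs.get("eax"), regs.get("eax")), args))
            regs.pop("eax", None)                            # EAX now holds the result
            i += 2
        else:
            break                                            # outside this small subset
    return found

if __name__ == "__main__":
    print("raw CD 80 offsets:", naive_hits(CODE))
    for off, name, args in trace_syscalls(CODE):
        print(f"{off:#04x}: {name} (ebx, ecx, edx) = {args}")
```

The decoder only understands the three instruction forms used in the page's example and stops at anything else; a real disassembler is needed for arbitrary code.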