If you are using an x86-based machine, you can use the sidt instruction to get the interrupt descriptor table register and, therefore, the interrupt descriptor table itself. From it you can get the address of the system_call function (or the ia32 compatibility equivalent on x86-64) invoked by the 0x80 system call interrupt. By disassembling this interrupt handler and scanning for a specific indirect call instruction, you can extract the address from that call instruction. This address is your system call table (on x86) or the IA32 compatibility system call table on x86-64.
Getting the x86-64 system call table is similar: instead of reading the interrupt table with sidt, read the IA32_LSTAR MSR of the processor. The address in (high << 32 | low) is the system call handler. Scan the memory as before and extract the sys_call_table address from the call instruction, but remember to mask the 32 bits of the address.
This glosses over a lot of much more technical information (for example, what bytes to look for) that you must understand before delving into the kernel code. After a quick Google search, I found the whole process documented (with sample module code) here.
Good luck, and try not to blow yourself up!