1

First of all I need to know addresses in System.map or /proc/kallsyms are virtual or physical? then I want to read from addresses of kernel symbols, for example I want to read pid field of init_task symbol. I can find init_task address from System.map and also offset of pid. but I don't know how to read from an address in kernel. I really appreciate any reference or link to say things in detail because I'm not familiar with kernel programming.

another question: when they say DKOM(dynamic kernel object manipulation) what does it mean? I searched but just find something about windows system!

and when they say you can access exported symbols in LKM? what operations do they mean? are specific functions to read or write from kernel symbols?

Peggy
  • 639
  • 9
  • 28

2 Answers2

2

Just about any pointer address you can see is virtual. Its either user space process virtual space (namely your process), or the kernel virtual address space. It is only when the kernel needs to inform one hardware component how to access another that it will convert the pointer to is physical representation.

Its worth noting that event the physical address space is virtual in the sense that different hardware component are pragmatically assigned memory ranges and are expected to react when those are addressed. It is still very physical in the sense that those address values are the ones that are encoded on the BUS address and no software translation is needed.

As for reading/writing kernel pointers from userspace. Unless granted by a specific API and setup both by the user and the kernel (like shared memory), you can't. Its the most basic security protection etched into core of the operating system. (you can't even access the memory of another user for that matter).

Having said that, if you wish to intentionally decrease your kernel security, as root you may do just about anything, including loading a module that does just that...

here is another discussion on the same topic: how-to-access-kernel-space-from-user-spacein-linux

Community
  • 1
  • 1
Liberty
  • 56
  • 3
2

First, addresses in System.map or /proc/kallsyms are virtual addresses.

Second, if you'd like traverse data structure in kernel, you could use Crash tool. It is based on gdb, easy to use. But you should recompile your kernel with debug information first. With crash tool, you can easily read every data structure of kernel in user space. And it supports multiply distributions, like Ubuntu, Fedora, and so on.

Another tool is Volatility, wrote by Python, you could take a snapshot of your system. Then read the memory snapshot with Volatility.

flyrain
  • 573
  • 6
  • 11