add kallsyms + klookup (#2462)

* Add kallsyms parser * Add klookup command * add klookup docs
2024-10-09 12:13:44 +02:00 · 2024-10-09 12:13:44 +02:00 · eccfd91d86
parent e1f544bca9
commit eccfd91d86
6 changed files with 468 additions and 0 deletions
--- a/docs/commands/index.md
+++ b/docs/commands/index.md
@ -155,6 +155,7 @@
 -  [kchecksec](kchecksec/kchecksec.md) Checks for kernel hardening configuration options.
 -  [kcmdline](kcmdline/kcmdline.md) Return the kernel commandline (/proc/cmdline).
 -  [kconfig](kconfig/kconfig.md) Outputs the kernel config (requires CONFIG_IKCONFIG).
+-  [klookup](klookup/klookup.md) Lookup kernel symbols.
 -  [kversion](kversion/kversion.md) Outputs the kernel version (/proc/version).
 -  [slab](slab/slab.md) Prints information about the slab allocator

--- a/docs/commands/klookup/klookup.md
+++ b/docs/commands/klookup/klookup.md
@ -0,0 +1,27 @@
+
+
+
+
+# klookup
+
+## Description
+
+
+Lookup kernel symbols.
+## Usage:
+
+
+```bash
+usage: klookup [-h] [symbol]
+```
+## Positional Arguments
+
+|Positional Argument|Help|
+| :--- | :--- |
+|`symbol`| Symbol or address to lookup.|
+
+## Optional Arguments
+
+|Short|Long|Default|Help|
+| :--- | :--- | :--- | :--- |
+|`-h`|`--help`||show this help message and exit|
--- a/pwndbg/commands/init.py
+++ b/pwndbg/commands/init.py
@ -711,6 +711,7 @@ def load_commands() -> None:
        import pwndbg.commands.kcmdline
        import pwndbg.commands.kconfig
        import pwndbg.commands.killthreads
+        import pwndbg.commands.klookup
        import pwndbg.commands.kversion
        import pwndbg.commands.linkmap
        import pwndbg.commands.memoize
--- a/pwndbg/commands/klookup.py
+++ b/pwndbg/commands/klookup.py
@ -0,0 +1,32 @@
+from __future__ import annotations
+
+import argparse
+
+import pwndbg.commands
+import pwndbg.gdblib.kernel.kallsyms
+from pwndbg.color import message
+from pwndbg.commands import CommandCategory
+
+parser = argparse.ArgumentParser(description="Lookup kernel symbols")
+
+parser.add_argument("symbol", type=str, help="Address or symbol name to lookup")
+
+
+@pwndbg.commands.ArgparsedCommand(parser, category=CommandCategory.KERNEL)
+@pwndbg.commands.OnlyWhenQemuKernel
+@pwndbg.commands.OnlyWhenPagingEnabled
+def klookup(symbol: str) -> None:
+    ksyms = pwndbg.gdblib.kernel.kallsyms.get()
+    try:
+        symbol_addr = int(symbol)
+        for k, v in ksyms.items():
+            if v[0] == symbol_addr:
+                print(message.success(f"{k} = {symbol_addr:#x}"))
+                return
+        print(message.error(f"No symbol found at {symbol_addr:#x}"))
+    except ValueError:
+        if symbol in ksyms:
+            addr = ksyms[symbol][0]
+            print(message.success(f"{symbol} = {addr:#x}"))
+        else:
+            print(message.error(f"No symbol found for {symbol}"))
--- a/pwndbg/gdblib/kernel/kallsyms.py
+++ b/pwndbg/gdblib/kernel/kallsyms.py
@ -0,0 +1,401 @@
+from __future__ import annotations
+
+from struct import unpack_from
+
+from pwnlib.util.packing import p16
+from pwnlib.util.packing import u32
+from pwnlib.util.packing import u64
+
+import pwndbg.aglib
+import pwndbg.color.message as M
+import pwndbg.commands
+import pwndbg.gdblib.kernel
+import pwndbg.lib.cache
+import pwndbg.search
+
+
+@pwndbg.lib.cache.cache_until("start")
+def get():
+    ks = Kallsyms()
+    return ks.kallsyms
+
+
+class Kallsyms:
+    """
+    - linux_banner >= 6.4
+    - ... <= 6.4
+    - kallsyms_offsets
+    - kallsyms_relative_base
+    - kallsyms_num_syms
+    - kallsyms_names
+    - kallsyms_markers
+    - kallsyms_token_table
+    - kallsyms_token_index
+    - kallsyms_offsets >= 6.4
+    - kallsyms_relative_base >= 6.4
+    """
+
+    def __init__(self):
+        self.kallsyms = {}
+        self.kbase = pwndbg.gdblib.kernel.kbase()
+
+        mapping = pwndbg.gdblib.kernel.get_first_kernel_ro()
+        self.r_base = mapping.vaddr
+        self.kernel_ro_mem = pwndbg.gdblib.memory.read(mapping.vaddr, mapping.memsz)
+
+        self.kernel_version = pwndbg.gdblib.kernel.krelease()
+        self.is_offsets = False
+
+        self.rbase_offset = 0
+
+        self.token_table = self.find_token_table()
+        # TODO: if self.token_table is None its maybe an uncompressed kallsyms
+
+        self.token_index = self.find_token_index()
+        self.markers = self.find_markers()
+        self.num_syms = self.find_num_syms()
+        self.offsets = self.find_offsets()
+
+        if self.is_offsets:
+            self.rbase_offset = self.find_relative_base()
+
+        self.names = self.find_names()
+        self.kernel_addresses = self.get_kernel_addresses()
+        self.parse_symbol_table()
+
+    def find_token_table(self) -> int:
+        """
+        This function searches for the kallsyms_token_table structure in the kernel memory.
+        The kallsyms_token_table contains 256 zero-terminated tokens from which symbol names are built.
+        Example structure:
+        0xffffffff827b2f00:	"mm"
+        0xffffffff827b2f03:	"tim"
+        0xffffffff827b2f07:	"bu"
+        0xffffffff827b2f0a:	"ode_"
+        0xffffffff827b2f0f:	"robestub"
+        <SKIPPED>
+        0xffffffff827b2fdb:	"0"
+        0xffffffff827b2fdd:	"1"
+        0xffffffff827b2fdf:	"2"
+        0xffffffff827b2fe1:	"3"
+        0xffffffff827b2fe3:	"4"
+        0xffffffff827b2fe5:	"5"
+        0xffffffff827b2fe7:	"6"
+        0xffffffff827b2fe9:	"7"
+        0xffffffff827b2feb:	"8"
+        0xffffffff827b2fed:	"9"
+        """
+        sequence_to_find = b"".join(b"%c\0" % i for i in range(ord("0"), ord("9") + 1))
+        sequences_to_avoid = [b":\0", b"\0\0", b"\0\1", b"\0\2", b"ASCII\0"]
+
+        position = 0
+
+        candidates = []
+        ascii_candidates = []
+
+        while True:
+            position = self.kernel_ro_mem.find(sequence_to_find, position + 1)
+            if position == -1:
+                break
+
+            for seq in sequences_to_avoid:
+                pos = position + len(sequence_to_find)
+                if self.kernel_ro_mem[pos : pos + len(seq)] == seq:
+                    break
+            else:
+                candidates.append(position)
+
+                if 32 <= self.kernel_ro_mem[pos : pos + 1][0] < 126:
+                    ascii_candidates.append(position)
+
+        if len(candidates) != 1:
+            if len(ascii_candidates) == 1:
+                candidates = ascii_candidates
+            elif len(candidates) == 0:
+                print(M.error("No candidates for token_table"))
+                return None
+
+        position = candidates[0]
+
+        current_index = 0x30
+
+        position -= 1
+        for tokens_backwards in range(current_index):
+            for chars_in_token in range(50):
+                position -= 1
+                assert position >= 0
+
+                if self.kernel_ro_mem[position] == 0 or self.kernel_ro_mem[position] > ord("z"):
+                    break
+
+                if chars_in_token >= 50 - 1:
+                    print(M.error("This structure is not a kallsyms_token_table"))
+                    return None
+
+        position += 1
+        position += -position % 4
+
+        return position
+
+    def find_token_index(self) -> int | None:
+        """
+        This function searches for the kallsyms_token_index structure in the kernel memory
+        starting at kallsyms_token_table. The token index table provides offsets into the kallsyms_token_table
+        for each 256 byte-valued sub-table.
+        The kallsyms_token_index is typically located immediately after
+        the kallsyms_token_table in the kernel's read-only data section.
+        Example structure:
+        0xffffffff827b3288:	0x0000	0x0003	0x0007	0x000a	0x000f	0x0018	0x001f	0x0023
+        0xffffffff827b3298:	0x0027	0x0031	0x0035	0x0038	0x003b	0x0043	0x0047	0x004a
+        0xffffffff827b32a8:	0x004f	0x0053	0x0056	0x0059	0x005d	0x0061	0x0067	0x006b
+        0xffffffff827b32b8:	0x006e	0x0071	0x0076	0x007c	0x0080	0x0088	0x008b	0x008f
+        0xffffffff827b32c8:	0x0094	0x0098	0x009b	0x009f	0x00a3	0x00a8	0x00ab	0x00b0
+        """
+        position = self.token_table
+
+        token_table_head = self.kernel_ro_mem[position : position + 256]
+
+        token_offsets = [p16(0)]
+
+        pos = 0
+
+        while True:
+            pos = token_table_head.find(b"\0", pos + 1)
+            if pos == -1:
+                break
+            token_offsets.append(p16(pos + 1))
+
+        seq_to_find = b"".join(token_offsets)
+
+        position = self.kernel_ro_mem.find(seq_to_find, self.token_table)
+        if position == -1:
+            print(M.error("Unable to find the kallsyms_token_index"))
+            return None
+
+        return position
+
+    def find_markers(self) -> int | None:
+        """
+        This function searches for the kallsyms_markers structure in the kernel memory
+        starting at kallsyms_token_table and search backwards. The markers table contains
+        offsets to the corresponding symbol name for each kernel symbol.
+        The kallsyms_markers table is typically located immediately before the kallsyms_token_table
+        in the kernel's read-only data section.
+        Example structure:
+        0xffffffff827b2430:	0x00000000	0x00000b2a	0x00001762	0x000023f6
+        0xffffffff827b2440:	0x00002fe4	0x00003c9d	0x0000487c	0x000056fd
+        0xffffffff827b2450:	0x00006597	0x000073b9	0x000081be	0x00008f21
+        0xffffffff827b2460:	0x00009c94	0x0000a958	0x0000b632	0x0000c193
+        0xffffffff827b2470:	0x0000ce0b	0x0000db98	0x0000ea3e	0x0000f80a
+        0xffffffff827b2480:	0x000105be	0x000112d3	0x00011f8c	0x00012d75
+        0xffffffff827b2490:	0x0001384d	0x0001446e	0x00015138	0x00015d8c
+        """
+        if self.kernel_version < (4, 20):
+            elem_size = pwndbg.aglib.arch.ptrsize
+        else:
+            elem_size = 4
+
+        seq_to_find = b"\0" * elem_size
+
+        position = self.token_table - 1
+
+        while position > 0 and self.kernel_ro_mem[position] == 0:
+            position -= 1
+
+        for _ in range(32):
+            position = self.kernel_ro_mem.rfind(seq_to_find, 0, position)
+
+            if position == -1:
+                print(M.error("Failed to find kallsyms_markers"))
+                return None
+
+            position -= position % elem_size  # aligning
+            size_marker = {4: "I", 8: "Q"}[elem_size]
+
+            entries = unpack_from(f"<4{size_marker}", self.kernel_ro_mem, position)
+
+            if entries[0] != 0:
+                continue
+
+            for i in range(1, len(entries)):
+                if entries[i - 1] + 0x200 > entries[i] or entries[i - 1] + 0x4000 < entries[i]:
+                    break
+            else:
+                return position
+
+        return None
+
+    def find_num_syms(self):
+        """
+        This function searches for the kallsyms_num_syms variable in the kernel memory
+        starting at kallsyms_markers. The kallsyms_num_syms holds the number of kernel symbols
+        in the symbol table.
+        The kallsyms_num_syms variable is typically located before the kallsyms_names table in the kernel's
+        read-only data section.
+        In newer kernel versions the kallsyms_num_syms is immediately behind the linux_banner and in older version
+        its behind kallsyms_base_relative or kallsyms_addresses (it depends on CONFIG_KALLSYMS_BASE_RELATIVE y/n)
+        """
+        if self.kernel_version < (6, 4):
+            # try to find num_syms by walking backwards and looking
+            # for data like this: a kernel address followed by num_syms
+            # 0xffffffff823f8000	0x000000000001417c
+            position = self.markers - 8
+
+            while True:
+                qword = u64(self.kernel_ro_mem[position : position + 8])
+                if (qword >> 32) & 0xFFFFFFFF == 0 and qword > 0:
+                    before_qword = u64(self.kernel_ro_mem[position - 8 : position])
+                    if (before_qword >> 48) & 0xFFFF == 0xFFFF and (before_qword & 0xFFF) == 0:
+                        # should be kallsyms_num_syms
+                        return position
+
+                position -= 8
+        else:
+            # search from kallsyms_markers backwards and look for the linux_banner symbol
+            # the kallsyms_num_syms should be behind the linux_banner string
+            position = self.kernel_ro_mem.rfind(b"Linux version", 0, self.markers - 8)
+
+            if position == -1:
+                return None
+
+            while True:
+                position = position + 1
+                if self.kernel_ro_mem[position] == 0:
+                    break
+
+            position = (position + 7) & ~7  # alignment
+            return position
+
+    def find_offsets(self):
+        """
+        This function searches for the kallsyms_offsets/kallsyms_addresses table in the kernel memory
+        starting at kallsyms_token_index. The offsets/addresses table containts offsets / addresses of each
+        symbol in the kernel.
+        The kallsyms_addresses is typically located before the kallsyms_num_syms variable in the kernel's read-only
+        data section.
+        Example structure:
+        0xffffffff827b3488:	0x00000000	0x00000000	0x00001000	0x00002000
+        0xffffffff827b3498:	0x00006000	0x0000b000	0x0000c000	0x0000d000
+        0xffffffff827b34a8:	0x00015000	0x00015008	0x00015010	0x00015018
+        0xffffffff827b34b8:	0x00015020	0x00015022	0x00015030	0x00015050
+        0xffffffff827b34c8:	0x00015450	0x00015460	0x00015860	0x00015888
+        0xffffffff827b34d8:	0x00015890	0x00015898	0x000158a0	0x000159c0
+        """
+        forward_search = self.kernel_version >= (6, 4)
+
+        if forward_search:
+            position = self.token_index
+            self.is_offsets = True
+        else:
+            # kallsyms_offsets is at the top
+            position = self.num_syms
+            nsyms = u64(self.kernel_ro_mem[position : position + 8])
+
+            if (
+                self.kbase - 0x20000
+                < u64(self.kernel_ro_mem[position - 8 : position])
+                <= self.kbase
+            ):
+                # it should be kallsyms_offsets
+                self.is_offsets = True
+                position -= 8
+
+                dword = u32(self.kernel_ro_mem[position - 4 : position])
+
+                if dword == 0x0:
+                    position -= 4
+
+                return position - (nsyms * 4)
+
+            return position - (nsyms * 8)
+
+        while True:
+            qword = u64(self.kernel_ro_mem[position : position + 8])
+            if qword & 0xFFFFFFFF == 0:
+                return position
+
+            position += 8
+
+    def find_relative_base(self):
+        """
+        This function searches for the kallsyms_relative_base variable in the kernel memory.
+        The relative base is used to calculate the actual virtual addresses of symbols from
+        their offsets in the kallsyms_offsets table.
+        The kallsyms_relative_base variable is typically located after the kallsyms_offsets table
+        in the kernel's read-only data section.
+        """
+        position = self.offsets
+        nsyms = u64(self.kernel_ro_mem[self.num_syms : self.num_syms + 8])
+
+        position = position + (nsyms * 4)
+        position = (position + 7) & ~7
+
+        return position
+
+    def find_names(self):
+        return self.num_syms + 8
+
+    def get_kernel_addresses(self):
+        kernel_addresses = []
+
+        rbase = u64(self.kernel_ro_mem[self.rbase_offset : self.rbase_offset + 8])
+        # TODO: nsyms is 4 bytes long not 8
+        nsyms = u64(self.kernel_ro_mem[self.num_syms : self.num_syms + 8])
+        size_marker = "i" if self.is_offsets else "Q"
+        kernel_addresses = list(
+            unpack_from(f"<{nsyms}{size_marker}", self.kernel_ro_mem, self.offsets)
+        )
+
+        if not self.is_offsets:
+            return kernel_addresses
+
+        number_of_negative_items = len([offset for offset in kernel_addresses if offset < 0])
+        abs_percpu = number_of_negative_items / len(kernel_addresses) >= 0.5
+
+        for idx, offset in enumerate(kernel_addresses):
+            if abs_percpu:
+                if offset < 0:
+                    offset = rbase - 1 - offset
+                else:
+                    offset = rbase + offset
+            else:
+                offset = rbase + offset
+
+            kernel_addresses[idx] = offset
+
+        return kernel_addresses
+
+    def parse_symbol_table(self):
+        tokens = self.get_token_table()
+        symbol_names = []
+        position = self.names
+        numsyms = u64(self.kernel_ro_mem[self.num_syms : self.num_syms + 8])
+
+        for _ in range(numsyms):
+            length = self.kernel_ro_mem[position]
+            position += 1
+
+            symbol_name = ""
+            for _ in range(length):
+                symbol_token_index = self.kernel_ro_mem[position]
+                symbol_token = tokens[symbol_token_index]
+                position += 1
+                symbol_name += symbol_token
+            symbol_names.append(symbol_name)
+
+        for addr, name in zip(self.kernel_addresses, symbol_names):
+            self.kallsyms[name[1:]] = (addr, name[0])
+
+    def get_token_table(self):
+        tokens = []
+        position = self.token_table
+
+        for num_token in range(256):
+            token = ""
+            while self.kernel_ro_mem[position]:
+                token += chr(self.kernel_ro_mem[position])
+                position += 1
+            position += 1
+            tokens.append(token)
+
+        return tokens
--- a/tests/qemu-tests/tests/system/test_gdblib_kernel.py
+++ b/tests/qemu-tests/tests/system/test_gdblib_kernel.py
@ -58,3 +58,9 @@ def test_gdblib_kernel_kbase():
    assert base == pwndbg.gdblib.symbol.address("_text") or base == pwndbg.gdblib.symbol.address(
        "_stext"
    )
+
+
+@pytest.mark.skipif(not pwndbg.gdblib.kernel.has_debug_syms(), reason="test requires debug symbols")
+def test_gdblib_kernel_kallsyms():
+    ks = pwndbg.gdblib.kernel.kallsyms.get()
+    assert ks["commit_creds"][0] == pwndbg.gdblib.symbol.address("commit_creds")