forked from dtrace4linux/linux
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathkcore.c
More file actions
114 lines (97 loc) · 2.79 KB
/
kcore.c
File metadata and controls
114 lines (97 loc) · 2.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
/*
Tool to get old_rsp from the running kernel. Some kernels
dont export this in /proc/kallsyms or /boot/System.map. You
cannot get it from the kernel headers, so we can only
get it from the syscalls that we are intercepting.
Paul Fox Feb 2015
*/
#define _LARGEFILE64_SOURCE
# include <stdio.h>
# include <stdlib.h>
# include <unistd.h>
# include <string.h>
# include <fcntl.h>
static int debug = 0;
static int do_read(char *fname, unsigned long ptr, int remap);
int main(int argc, char **argv)
{ FILE *fp;
unsigned char buf[BUFSIZ];
unsigned long ptr;
int ret;
char *name = "stub_execve";
//printf("18\n");
//exit(0);
if (argc > 1 && strcmp(argv[1], "-d") == 0)
debug = 1;
snprintf(buf, sizeof buf,
"grep %s /proc/kallsyms",
name);
if ((fp = popen(buf, "r")) == NULL) {
perror("grep");
exit(1);
}
if (fgets(buf, sizeof buf, fp) == NULL) {
fprintf(stderr, "Failed to find %s\n", name);
exit(1);
}
pclose(fp);
sscanf(buf, "%lx", &ptr);
if (debug)
printf("%s=0x%lx\n", name, ptr);
/***********************************************/
/* Centos 5.6 /proc/kcore is broken and */
/* unusable. So we try our optional driver. */
/***********************************************/
if (do_read("/proc/kcore", ptr, 1))
exit(0);
/***********************************************/
/* Centos 5.6 wont let us seek to a kernel */
/* address, so truncate the number, and */
/* hack it back in in the kmem_read */
/* function. */
/***********************************************/
/***********************************************/
/* Load the driver if we got this far. */
/***********************************************/
snprintf(buf, sizeof buf, "/sbin/insmod build/driver-kmem/dtrace_kmem.ko");
system(buf);
ptr &= 0xffffffff;
ret = do_read("/proc/dtrace_kmem", ptr, 0);
system("/sbin/rmmod dtrace_kmem");
if (ret)
exit(0);
fprintf(stderr, "Failed to find offset\n");
exit(1);
}
static int do_read(char *fname, unsigned long ptr, int remap)
{ int fd, i, n;
unsigned char buf[BUFSIZ];
if ((fd = open64(fname, O_RDONLY | O_LARGEFILE)) < 0)
return 0;
/***********************************************/
/* Not sure why we have to do this - but we */
/* reflect the virtual addr to a physical */
/* one. */
/***********************************************/
if (remap)
ptr &= ~0xffff800000000000L;
if (lseek64(fd, ptr, SEEK_SET) == -1) {
perror("lseek");
return 0;
}
if ((n = read(fd, buf, sizeof buf)) != sizeof buf) {
close(fd);
if (debug)
fprintf(stderr, "Failed to read buffer from %s, n=%d\n", fname, n);
return 0;
}
for (i = 0; i < n; i++) {
// mov %gs:nnnn,%r11
if (memcmp(buf + i, "\x65\x4c\x8b\x1c\x25", 5) == 0) {
printf("%x\n",
*(int *) (buf + i + 5));
exit(0);
}
}
return 0;
}