文章目录
- 前言
- 一、centos7 给 vmlinux 添加符号
- 二、ubuntu22.04 给 vmlinux 添加符号
前言
使用内核源码下的script文件:scripts/extract-vmlinux 可以从/boot/vmlinuz 提取出来 内核镜像文件vmlinux:
# ./extract-vmlinux vmlinuz-3.10.0-693.el7.x86_64 > vmlinux
# nm vmlinux
nm: vmlinux:无符号
Linux 给 vmlinux 添加符号 这里有两个开源的项目,这里我分别已centos7 和 ubuntu22.04演示。
一、centos7 给 vmlinux 添加符号
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"# uname -r
3.10.0-693.el7.x86_64
参考:https://github.com/elfmaster/kdress
# git clone https://github.com/elfmaster/kdress
# cd kdress/
# make
gcc -O2 build_ksyms.c -o build_ksyms
gcc -O2 kunpress.c -o kunpress
# ./kdress vmlinuz-3.10.0-693.el7.x86_64 vmlinux System.map-3.10.0-693.el7.x86_64[+] vmlinux has been successfully extracted
[+] vmlinux has been successfully instrumented with a complete ELF symbol table.
# nm vmlinux | grep '\<sys_call_table\>'
ffffffff816beee0 R sys_call_table
# cat /boot/System.map-3.10.0-693.el7.x86_64 | grep '\<sys_call_table\>'
ffffffff816beee0 R sys_call_table
# gdb -q vmlinux
Reading symbols from /root/vmlinux/kdress/vmlinux...(no debugging symbols found)...done.
(gdb) print &sys_call_table
$1 = (<data variable, no debug info> *) 0xffffffff816beee0 <sys_call_table>
(gdb) x/gx 0xffffffff816beee0
0xffffffff816beee0 <sys_call_table>: 0xffffffff812019e0
(gdb) x/10i 0xffffffff812019e00xffffffff812019e0 <sys_read>: callq 0xffffffff816b6c80 <__fentry__>0xffffffff812019e5 <sys_read+5>: push %rbp0xffffffff812019e6 <sys_read+6>: mov %rsp,%rbp0xffffffff812019e9 <sys_read+9>: push %r140xffffffff812019eb <sys_read+11>: mov %rdx,%r140xffffffff812019ee <sys_read+14>: push %r130xffffffff812019f0 <sys_read+16>: mov %rsi,%r130xffffffff812019f3 <sys_read+19>: lea -0x30(%rbp),%rsi0xffffffff812019f7 <sys_read+23>: push %r120xffffffff812019f9 <sys_read+25>: push %rbx
(gdb) x/gx 0xffffffff816beee0+8
0xffffffff816beee8 <sys_call_table+8>: 0xffffffff81201ac0
(gdb) x/10i 0xffffffff81201ac00xffffffff81201ac0 <sys_write>: callq 0xffffffff816b6c80 <__fentry__>0xffffffff81201ac5 <sys_write+5>: push %rbp0xffffffff81201ac6 <sys_write+6>: mov %rsp,%rbp0xffffffff81201ac9 <sys_write+9>: push %r140xffffffff81201acb <sys_write+11>: mov %rdx,%r140xffffffff81201ace <sys_write+14>: push %r130xffffffff81201ad0 <sys_write+16>: mov %rsi,%r130xffffffff81201ad3 <sys_write+19>: lea -0x30(%rbp),%rsi0xffffffff81201ad7 <sys_write+23>: push %r120xffffffff81201ad9 <sys_write+25>: push %rbx
系统调用编号请参考:https://elixir.bootlin.com/linux/v3.10/source/arch/x86/syscalls/syscall_64.tbl
二、ubuntu22.04 给 vmlinux 添加符号
# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"# uname -r
5.15.0-122-generic
参考项目:https://github.com/marin-m/vmlinux-to-elf
sudo apt install python3-pip liblzo2-dev
sudo pip3 install --upgrade lz4 zstandard git+https://github.com/clubby789/python-lzo@b4e39df
sudo pip3 install --upgrade git+https://github.com/marin-m/vmlinux-to-elf
Usage:
./vmlinux-to-elf <input_kernel.bin> <output_kernel.elf>
# whereis vmlinux-to-elf
vmlinux-to-elf: /usr/local/bin/vmlinux-to-elf
x# vmlinux-to-elf vmlinuz-5.15.0-122-generic vmlinux_sym
[+] Kernel successfully decompressed in-memory (the offsets that follow will be given relative to the decompressed binary)
[+] Version string: Linux version 5.15.0-122-generic (buildd@lcy02-amd64-034) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 (Ubuntu 5.15.0-122.132-generic 5.15.163)
[+] Guessed architecture: x86_64 successfully in 9.65 seconds
[+] Found kallsyms_token_table at file offset 0x017b69d0
[+] Found kallsyms_token_index at file offset 0x017b6d80
[+] Found kallsyms_markers at file offset 0x017b60c0
[+] Found kallsyms_names at file offset 0x015e3c98
[+] Found kallsyms_num_syms at file offset 0x015e3c90
[i] Negative offsets overall: 99.736 %
[i] Null addresses overall: 0.00135036 %
[+] Found kallsyms_offsets at file offset 0x01553250
[+] Successfully wrote the new ELF kernel to vmlinux_sym
# nm vmlinux_sym | grep '\<sys_call_table\>'
ffffffff82200320 D sys_call_table
# cat /boot/System.map-5.15.0-122-generic | grep '\<sys_call_table\>'
ffffffff82200320 D sys_call_table
