You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. *) open Unix open Printf open ExtList open Virt_mem_gettext.Gettext open Virt_mem_utils module MMap = Virt_mem_mmap type ksym = string type image = string * Virt_mem_utils.architecture * ([`Wordsize], [`Endian]) Virt_mem_mmap.t * (ksym -> Virt_mem_mmap.addr) let start usage_msg = (* Verbose messages. *) let verbose = ref false in (* Default wordsize. *) let def_wordsize = ref None in let set_wordsize = function | "32" -> def_wordsize := Some W32 | "64" -> def_wordsize := Some W64 | "auto" -> def_wordsize := None | str -> failwith (sprintf (f_"set_wordsize: %s: unknown wordsize") str) in (* Default endianness. *) let def_endian = ref None in let set_endian = function | "auto" -> def_endian := None | "le" | "little" | "littleendian" | "intel" -> def_endian := Some Bitmatch.LittleEndian | "be" | "big" | "bigendian" | "motorola" -> def_endian := Some Bitmatch.BigEndian | str -> failwith (sprintf (f_"set_endian: %s: unknown endianness") str) in (* Default architecture. *) let def_architecture = ref None in let set_architecture = function | "auto" -> def_architecture := None | arch -> let arch = architecture_of_string arch in def_architecture := Some arch; def_endian := Some (endian_of_architecture arch); def_wordsize := Some (wordsize_of_architecture arch) in (* Default text address. *) let def_text_addr = ref 0L (* 0 = auto-detect *) in let set_text_addr = function | "auto" -> def_text_addr := 0L | "i386" -> def_text_addr := 0xc010_0000_L (* common for x86 *) | "x86-64"|"x86_64" -> def_text_addr := 0xffffffff_81000000_L (* x86-64? *) | str -> def_text_addr := Int64.of_string str in (* List of kernel images. *) let images = ref [] in let memory_image filename = images := (!def_wordsize, !def_endian, !def_architecture, !def_text_addr, filename) :: !images in let argspec = Arg.align [ "-A", Arg.String set_architecture, "arch " ^ s_"Set kernel architecture, endianness and word size"; "-E", Arg.String set_endian, "endian " ^ s_"Set kernel endianness"; "-T", Arg.String set_text_addr, "addr " ^ s_"Set kernel text address"; "-W", Arg.String set_wordsize, "addr " ^ s_"Set kernel word size"; "-t", Arg.String memory_image, "image " ^ s_"Use saved kernel memory image"; "-verbose", Arg.Set verbose, " " ^ s_"Verbose messages"; ] in let anon_fun str = raise (Arg.Bad (sprintf (f_"%s: unknown parameter") str)) in let usage_msg = usage_msg ^ s_"\n\nOPTIONS" in Arg.parse argspec anon_fun usage_msg; let images = !images in let verbose = !verbose in (* Get the kernel images. *) let images = if images = [] then (* XXX use libvirt to get images *) failwith "libvirt: not yet implemented" else List.map ( fun (wordsize, endian, arch, text_addr, filename) -> (* Quite a lot of limitations on the kernel images we can * handle at the moment ... *) (* XXX We could auto-detect wordsize easily. *) let wordsize = match wordsize with | None -> failwith (sprintf (f_"%s: use -W to define word size for this image") filename); | Some ws -> ws in let endian = match endian with | None -> failwith (sprintf (f_"%s: use -E to define endianness for this image") filename); | Some e -> e in let arch = match arch with | Some I386 -> I386 | Some X86_64 -> X86_64 | _ -> failwith (sprintf (f_"%s: use -A to define architecture (i386/x86-64 only) for this image") filename) in if text_addr = 0L then failwith (sprintf (f_"%s: use -T to define kernel load address for this image") filename); (* Map the virtual memory. *) let fd = openfile filename [O_RDONLY] 0 in let mem = MMap.of_file fd text_addr in (* Force the wordsize and endianness. *) let mem = MMap.set_wordsize mem wordsize in let mem = MMap.set_endian mem endian in (filename, arch, mem) ) images in let images = List.map ( fun (name, arch, mem) -> (* Look for some common entries in the symbol table and from * that find the symbol table itself. These are just supposed to * be symbols which are very likely to be present in any Linux * kernel, although we only need one of them to be present to * find the symbol table. * * NB. Must not be __initdata. *) let common_ksyms = [ "init_task"; (* first task_struct *) "root_mountflags"; (* flags for mounting root fs *) "init_uts_ns"; (* uname strings *) "sys_open"; (* open(2) entry point *) "sys_chdir"; (* chdir(2) entry point *) "sys_chroot"; (* chroot(2) entry point *) "sys_umask"; (* umask(2) entry point *) "schedule"; (* scheduler entry point *) ] in (* Searching for string *) let common_ksyms = List.map (sprintf "\000%s\000") common_ksyms in (* Search for these strings in the memory image. *) let ksym_strings = List.map (MMap.find_all mem) common_ksyms in let ksym_strings = List.concat ksym_strings in (* Adjust found addresses to start of the string (skip ). *) let ksym_strings = List.map Int64.succ ksym_strings in (* For any we found, try to look up the symbol table * base addr and size. *) let ksymtabs = List.map ( fun addr -> (* Search for 'addr' appearing in the image. *) let addrs = MMap.find_pointer_all mem addr in (* Now consider each of these addresses and search back * until we reach the beginning of the (possible) symbol * table. * * Kernel symbol table struct is: * struct kernel_symbol { * unsigned long value; * const char *name; <-- initial pointer * } symbols[]; *) let pred_long2 addr = MMap.pred_long mem (MMap.pred_long mem addr) in let base_addrs = List.map ( fun addr -> let rec loop addr = (* '*addr' should point to a C identifier. If it does, * step backwards to the previous symbol table entry. *) let addrp = MMap.follow_pointer mem addr in if MMap.is_C_identifier mem addrp then loop (pred_long2 addr) else MMap.succ_long mem addr in loop addr ) addrs in (* Also look for the end of the symbol table and * calculate its size. *) let base_addrs_sizes = List.map ( fun base_addr -> let rec loop addr = let addr2 = MMap.succ_long mem addr in let addr2p = MMap.follow_pointer mem addr2 in if MMap.is_C_identifier mem addr2p then loop (MMap.succ_long mem addr2) else addr in let end_addr = loop base_addr in base_addr, end_addr -^ base_addr ) base_addrs in base_addrs_sizes ) ksym_strings in let ksymtabs = List.concat ksymtabs in (* Simply ignore any symbol table candidates which are too small. *) let ksymtabs = List.filter (fun (_, size) -> size > 64L) ksymtabs in if verbose then ( printf "name %s:\n" name; List.iter ( fun (addr, size) -> printf "\t%Lx\t%Lx\t%!" addr size; printf "first symbol: %s\n%!" (MMap.get_string mem (MMap.follow_pointer mem (MMap.succ_long mem addr))) ) ksymtabs ); (* Vote for the most popular symbol table candidate and from this * generate a function to look up ksyms. *) let lookup_ksym = let freqs = frequency ksymtabs in match freqs with | [] -> eprintf (f_"%s: cannot find start of kernel symbol table\n") name; (fun _ -> raise Not_found) | (_, (ksymtab_addr, ksymtab_size)) :: _ -> if verbose then printf "%s: Kernel symbol table found at %Lx, size %Lx bytes\n%!" name ksymtab_addr ksymtab_size; (* Load the whole symbol table as a bitstring. *) let ksymtab = Bitmatch.bitstring_of_string (MMap.get_bytes mem ksymtab_addr (Int64.to_int ksymtab_size)) in (* Function to look up an address in the symbol table. *) let lookup_ksym sym = let bits = bits_of_wordsize (MMap.get_wordsize mem) in let e = MMap.get_endian mem in let rec loop bs = bitmatch bs with | { value : bits : endian(e); name_ptr : bits : endian(e) } when MMap.get_string mem name_ptr = sym -> value | { _ : bits : endian(e); _ : bits : endian(e); bs : -1 : bitstring } -> loop bs | { _ } -> raise Not_found in loop ksymtab in lookup_ksym in ((name, arch, mem, lookup_ksym) : image) ) images in verbose, images