open Virt_mem_gettext.Gettext
open Virt_mem_utils
-module MMap = Virt_mem_mmap
-
-let min_kallsyms_tabsize = 1_000L
-let max_kallsyms_tabsize = 250_000L
+open Virt_mem_types
(* Make the kernel size around 16 MB, but just a bit smaller than
* maximum string length so we can still run this on a 32 bit platform.
else 0x100_0000
let max_memory_peek = 65536 (* XXX Use D.max_peek function *)
-type ksym = string
-
-type image =
- int option
- * string
- * Virt_mem_utils.architecture
- * ([`Wordsize], [`Endian], [`HasMapping]) Virt_mem_mmap.t
-
-type image_with_ksyms =
- int option
- * string
- * Virt_mem_utils.architecture
- * ([`Wordsize], [`Endian], [`HasMapping]) Virt_mem_mmap.t
- * (ksym -> MMap.addr)
-
-type kallsyms_compr =
- | Compressed of (string * MMap.addr) list * MMap.addr
- | Uncompressed of (string * MMap.addr) list
-
(* When tools register themselves, they are added to this list.
* Later, we will alphabetize the list.
*)
(* Now begin proper parsing of the command line arguments. *)
let debug = ref false in
- let images = ref [] in
+ let testimages = ref [] in
let uri = ref "" in
let anon_args = ref [] in
(* Handle -t option. *)
let memory_image filename =
- images :=
+ testimages :=
(!def_wordsize, !def_endian, !def_architecture, !def_text_addr, filename)
- :: !images
+ :: !testimages
in
(* Handle --version option. *)
(* Parse the command line. This will exit if --version or --help found. *)
Arg.parse argspec anon_arg usage_msg;
- let images = !images in
+ let testimages = !testimages in
let debug = !debug in
let uri = if !uri = "" then None else Some !uri in
(* Get the kernel images. *)
let images =
- if images = [] then (
+ if testimages = [] then (
let conn =
let name = uri in
try C.connect_readonly ?name ()
);
(* Map the virtual memory. *)
- let mem = MMap.of_string str !def_text_addr in
+ let mem = Virt_mem_mmap.of_string str !def_text_addr in
(* Force the wordsize and endianness. *)
- let mem = MMap.set_wordsize mem wordsize in
- let mem = MMap.set_endian mem endian in
+ let mem = Virt_mem_mmap.set_wordsize mem wordsize in
+ let mem = Virt_mem_mmap.set_endian mem endian in
- ((Some id, name, arch, mem) : image)
+ ((Some id, name, arch, mem) : image0)
) xmls
) else (
(* One or more -t options passed. *)
(* Map the virtual memory. *)
let fd = openfile filename [O_RDONLY] 0 in
- let mem = MMap.of_file fd text_addr in
+ let mem = Virt_mem_mmap.of_file fd text_addr in
(* Force the wordsize and endianness. *)
- let mem = MMap.set_wordsize mem wordsize in
- let mem = MMap.set_endian mem endian in
+ let mem = Virt_mem_mmap.set_wordsize mem wordsize in
+ let mem = Virt_mem_mmap.set_endian mem endian in
- ((None, filename, arch, mem) : image)
- ) images
+ ((None, filename, arch, mem) : image0)
+ ) testimages
) in
(* Optional callback into the tool before we start looking for
*)
if run = None then exit 0;
- (* Now kernel symbol analysis starts ... *)
+ (* Do the kernel symbol analysis. *)
let images =
List.map (
- fun (domid, name, arch, mem) ->
- (* Look for some common entries in the exported symbol table and
- * from that find the symbol table itself. These are just
- * supposed to be symbols which are very likely to be present
- * in any Linux kernel, although we only need one of them to be
- * present to find the symbol table.
- *
- * NB. Must not be __initdata, must be in EXPORT_SYMBOL.
- *)
- let common_ksyms = [
- "init_task"; (* first task_struct *)
- "root_mountflags"; (* flags for mounting root fs *)
- "init_uts_ns"; (* uname strings *)
- "sys_open"; (* open(2) entry point *)
- "sys_chdir"; (* chdir(2) entry point *)
- "sys_chroot"; (* chroot(2) entry point *)
- "sys_umask"; (* umask(2) entry point *)
- "schedule"; (* scheduler entry point *)
- ] in
- (* Searching for <NUL>string<NUL> *)
- let common_ksyms_nul = List.map (sprintf "\000%s\000") common_ksyms in
-
- let start_t = gettimeofday () in
-
- (* Search for these strings in the memory image. *)
- let ksym_strings = List.map (MMap.find_all mem) common_ksyms_nul in
- let ksym_strings = List.concat ksym_strings in
- (* Adjust found addresses to start of the string (skip <NUL>). *)
- let ksym_strings = List.map Int64.succ ksym_strings in
-
- if debug then (
- let end_t = gettimeofday () in
- eprintf "timing: searching for common_ksyms took %f seconds\n%!"
- (end_t -. start_t)
- );
-
- let start_t = gettimeofday () in
-
- (* For any we found, try to look up the symbol table
- * base addr and size.
- *)
- let ksymtabs = List.map (
- fun addr ->
- (* Search for 'addr' appearing in the image. *)
- let addrs = MMap.find_pointer_all mem addr in
-
- (* Now consider each of these addresses and search back
- * until we reach the beginning of the (possible) symbol
- * table.
- *
- * Kernel symbol table struct is:
- * struct kernel_symbol {
- * unsigned long value;
- * const char *name; <-- initial pointer
- * } symbols[];
- *)
- let pred_long2 addr =
- MMap.pred_long mem (MMap.pred_long mem addr)
- in
- let base_addrs = List.map (
- fun addr ->
- let rec loop addr =
- (* '*addr' should point to a C identifier. If it does,
- * step backwards to the previous symbol table entry.
- *)
- let addrp = MMap.follow_pointer mem addr in
- if MMap.is_C_identifier mem addrp then
- loop (pred_long2 addr)
- else
- MMap.succ_long mem addr
- in
- loop addr
- ) addrs in
-
- (* Also look for the end of the symbol table and
- * calculate its size.
- *)
- let base_addrs_sizes = List.map (
- fun base_addr ->
- let rec loop addr =
- let addr2 = MMap.succ_long mem addr in
- let addr2p = MMap.follow_pointer mem addr2 in
- if MMap.is_C_identifier mem addr2p then
- loop (MMap.succ_long mem addr2)
- else
- addr
- in
- let end_addr = loop base_addr in
- base_addr, end_addr -^ base_addr
- ) base_addrs in
-
- base_addrs_sizes
- ) ksym_strings in
- let ksymtabs = List.concat ksymtabs in
-
- (* Simply ignore any symbol table candidates which are too small. *)
- let ksymtabs = List.filter (fun (_, size) -> size > 64L) ksymtabs in
-
- if debug then (
- eprintf "%s: candidate symbol tables at:\n" name;
- List.iter (
- fun (addr, size) ->
- eprintf "\t%Lx\t%Lx\t%!" addr size;
- eprintf "first symbol: %s\n%!"
- (MMap.get_string mem
- (MMap.follow_pointer mem
- (MMap.succ_long mem addr)))
- ) ksymtabs
- );
-
- (* Vote for the most popular symbol table candidate and from this
- * generate a function to look up ksyms.
- *)
- let lookup_ksym =
- let freqs = frequency ksymtabs in
- match freqs with
- | [] ->
- eprintf (f_"%s: cannot find start of kernel symbol table\n") name;
- (fun _ -> raise Not_found)
-
- | (_, (ksymtab_addr, ksymtab_size)) :: _ ->
- if debug then
- eprintf
- "%s: Kernel symbol table found at %Lx, size %Lx bytes\n%!"
- name ksymtab_addr ksymtab_size;
-
- (* Load the whole symbol table as a bitstring. *)
- let ksymtab =
- Bitstring.bitstring_of_string
- (MMap.get_bytes mem ksymtab_addr
- (Int64.to_int ksymtab_size)) in
-
- (* Function to look up an address in the symbol table. *)
- let lookup_ksym sym =
- let bits = bits_of_wordsize (MMap.get_wordsize mem) in
- let e = MMap.get_endian mem in
- let rec loop bs =
- bitmatch bs with
- | { value : bits : endian(e);
- name_ptr : bits : endian(e) }
- when MMap.get_string mem name_ptr = sym ->
- value
- | { _ : bits : endian(e);
- _ : bits : endian(e);
- bs : -1 : bitstring } ->
- loop bs
- | { _ } -> raise Not_found
- in
- loop ksymtab
- in
-
- lookup_ksym
- in
-
- if debug then (
- let end_t = gettimeofday () in
- eprintf "timing: searching for ordinary ksyms took %f seconds\n%!"
- (end_t -. start_t)
- );
-
- let start_t = gettimeofday () in
-
- (* Now try to find the /proc/kallsyms table. This is in an odd
- * compressed format (but not a very successful compression
- * format). However if it exists we know that it will contain
- * addresses of the common ksyms above, and it has some
- * characteristics which make it easy to detect in the
- * memory.
- *
- * kallsyms contains a complete list of symbols so is much
- * more useful than the basic list of exports.
- *)
- let ksym_addrs = List.filter_map (
- fun ksym -> try Some (lookup_ksym ksym) with Not_found -> None
- ) common_ksyms in
+ fun image ->
- (* Search for those kernel addresses in the image. We're looking
- * for the table kallsyms_addresses followed by kallsyms_num_syms
- * (number of symbols in the table).
- *)
- let ksym_addrs = List.map (MMap.find_pointer_all mem) ksym_addrs in
- let ksym_addrs = List.concat ksym_addrs in
+ (* Look for ordinary kernel symbols: *)
+ let image = Virt_mem_ksyms.find_kernel_symbols debug image in
+ (* Look for kallsyms: *)
+ let image = Virt_mem_kallsyms.find_kallsyms debug image in
- (* Test each one to see if it's a candidate list of kernel
- * addresses followed by length of list.
- *)
- let kallsymtabs = List.filter_map (
- fun addr ->
- (* Search upwards from address until we find the length field.
- * If found, jump backwards by length and check all addresses.
- *)
- if debug then
- eprintf "%s: testing candidate kallsyms at %Lx\n" name addr;
- let rec loop addr =
- let addrp = MMap.follow_pointer mem addr in
- if MMap.is_mapped mem addrp then
- loop (MMap.succ_long mem addr) (* continue up the table *)
- else
- if addrp >= min_kallsyms_tabsize &&
- addrp <= max_kallsyms_tabsize then (
- (* addrp might be the symbol count. Count backwards and
- * check the full table.
- *)
- let num_entries = Int64.to_int addrp in
- let entry_size = bytes_of_wordsize (MMap.get_wordsize mem) in
- let start_addr =
- addr -^ Int64.of_int (entry_size * num_entries) in
- let end_addr = addr in
- let rec loop2 addr =
- if addr < end_addr then (
- let addrp = MMap.follow_pointer mem addr in
- if MMap.is_mapped mem addrp then
- loop2 (MMap.succ_long mem addr)
- else
- None (* can't verify the full address table *)
- ) else
- (* ok! *)
- let names_addr = MMap.succ_long mem end_addr in
- if debug then
- eprintf "%s: candidate kallsyms found at %Lx (names_addr at %Lx, num_entries %d)\n"
- name start_addr names_addr num_entries;
- Some (start_addr, num_entries, names_addr)
- in
- loop2 start_addr
- )
- else
- None (* forget it *)
- in
- match loop addr with
- | None -> None
- | Some (start_addr, num_entries, names_addr) ->
- (* As an additional verification, check the list of
- * kallsyms_names.
- *)
- try
- (* If the first byte is '\000' and is followed by a
- * C identifier, then this is old-school list of
- * symbols with prefix compression as in 2.6.9.
- * Otherwise Huffman-compressed kallsyms as in
- * 2.6.25.
- *)
- if MMap.get_byte mem names_addr = 0 &&
- MMap.is_C_identifier mem (names_addr+^1L) then (
- let names = ref [] in
- let prev = ref "" in
- let rec loop names_addr start_addr num =
- if num > 0 then (
- let prefix = MMap.get_byte mem names_addr in
- let prefix = String.sub !prev 0 prefix in
- let name = MMap.get_string mem (names_addr+^1L) in
- let len = String.length name in
- let name = prefix ^ name in
- prev := name;
- let names_addr = names_addr +^ Int64.of_int len +^ 2L in
- let sym_value = MMap.follow_pointer mem start_addr in
- let start_addr = MMap.succ_long mem start_addr in
- (*eprintf "%S -> %Lx\n" name sym_value;*)
- names := (name, sym_value) :: !names;
- loop names_addr start_addr (num-1)
- )
- in
- loop names_addr start_addr num_entries;
- let names = List.rev !names in
-
- Some (start_addr, num_entries, names_addr,
- Uncompressed names)
- )
- else ( (* new-style "compressed" names. *)
- let compressed_names = ref [] in
- let rec loop names_addr start_addr num =
- if num > 0 then (
- let len = MMap.get_byte mem names_addr in
- let name = MMap.get_bytes mem (names_addr+^1L) len in
- let names_addr = names_addr +^ Int64.of_int len +^ 1L in
- let sym_value = MMap.follow_pointer mem start_addr in
- let start_addr = MMap.succ_long mem start_addr in
- compressed_names :=
- (name, sym_value) :: !compressed_names;
- loop names_addr start_addr (num-1)
- ) else
- names_addr
- in
- let markers_addr = loop names_addr start_addr num_entries in
- let markers_addr = MMap.align mem markers_addr in
- let compressed_names = List.rev !compressed_names in
-
- Some (start_addr, num_entries, names_addr,
- Compressed (compressed_names, markers_addr))
- )
- with
- Invalid_argument _ -> None (* bad names list *)
- ) ksym_addrs in
-
- if debug then (
- eprintf "%s: candidate kallsyms at:\n" name;
- List.iter (
- function
- | (start_addr, num_entries, names_addr, Uncompressed _) ->
- eprintf "\t%Lx %d entries names_addr=%Lx old-style\n%!"
- start_addr num_entries names_addr
- | (start_addr, num_entries, names_addr,
- Compressed (_, markers_addr)) ->
- eprintf "\t%Lx %d entries names_addr=%Lx markers_addr=%Lx\n%!"
- start_addr num_entries names_addr markers_addr
- ) kallsymtabs
- );
-
- (* Vote for the most popular symbol table candidate and
- * enhance the function for looking up ksyms.
- *)
- let lookup_ksym =
- let freqs = frequency kallsymtabs in
- match freqs with
- | [] ->
- (* Can't find any kallsymtabs, just return the lookup_ksym
- * function generated previously from the exported symbols.
- *)
- lookup_ksym
-
- | (_, (_, _, _, Uncompressed names)) :: _ ->
- let lookup_ksym name =
- try (* first look it up in kallsyms table. *)
- List.assoc name names
- with Not_found -> (* try the old exports table instead *)
- lookup_ksym name
- in
- lookup_ksym
-
- | (_, (start_addr, num_entries, names_addr,
- Compressed (compressed_names, markers_addr))) :: _ ->
- (* Skip the markers and look for the token table. *)
- let num_markers = Int64.of_int ((num_entries + 255) / 256) in
- let marker_size =
- Int64.of_int (bytes_of_wordsize (MMap.get_wordsize mem)) in
- let tokens_addr = markers_addr +^ marker_size *^ num_markers in
-
- (* Now read out the compression tokens, which are just
- * 256 ASCIIZ strings that map bytes in the compression
- * names to substrings.
- *)
- let tokens = Array.make 256 "" in
- let rec loop i addr =
- if i < 256 then (
- let str = MMap.get_string mem addr in
- let len = String.length str in
- let addr = addr +^ Int64.of_int (len+1) in
- tokens.(i) <- str;
- loop (i+1) addr
- )
- in
- loop 0 tokens_addr;
-
- (* Expand the compressed names using the tokens. *)
- let names = List.filter_map (
- fun (name, sym_value) ->
- let f c = tokens.(Char.code c) in
- let name = String.replace_chars f name in
- (* First character in uncompressed output is the symbol
- * type, eg. 'T'/'t' for text etc.
- *)
- (* NOTE: Symbol names are NOT unique
- * (eg. 'con_start' is both a function and data in
- * some kernels). XXX We need to handle this situation
- * better.
- *)
- (*let typ = name.[0] in*)
- let name = String.sub name 1 (String.length name - 1) in
- (*eprintf "%S -> %Lx\n" name sym_value;*)
- Some (name, sym_value)
- ) compressed_names in
-
- let lookup_ksym name =
- try (* first look it up in kallsyms table. *)
- List.assoc name names
- with Not_found -> (* try the old exports table instead *)
- lookup_ksym name
- in
-
- lookup_ksym in
-
- if debug then (
- let end_t = gettimeofday () in
- eprintf "timing: searching for kallsyms took %f seconds\n%!"
- (end_t -. start_t)
- );
-
- (* Just wrap the lookup_ksym call in something which prints
- * the query when debug is set.
+ (* Finally, just wrap the lookup_ksym call in something
+ * which prints the query when debug is set.
*)
- let lookup_ksym =
+ let image =
if debug then
+ let (domid, name, arch, mem, lookup_ksym) = image in
let lookup_ksym sym =
try
let value = lookup_ksym sym in
eprintf "lookup_ksym %S failed\n%!" sym;
raise Not_found
in
- lookup_ksym
+ (domid, name, arch, mem, lookup_ksym)
else
- lookup_ksym
- in
+ image in
- ((domid, name, arch, mem, lookup_ksym) : image_with_ksyms)
+ image
) images in
(* Run the tool's main function. *)
git.annexia.org / virt-mem.git / blobdiff