- loop addr
- ) addrs in
-
- (* Also look for the end of the symbol table and
- * calculate its size.
- *)
- let base_addrs_sizes = List.map (
- fun base_addr ->
- let rec loop addr =
- let addr2 = MMap.succ_long mem addr in
- let addr2p = MMap.follow_pointer mem addr2 in
- if MMap.is_C_identifier mem addr2p then
- loop (MMap.succ_long mem addr2)
- else
- addr
- in
- let end_addr = loop base_addr in
- base_addr, end_addr -^ base_addr
- ) base_addrs in
-
- base_addrs_sizes
- ) ksym_strings in
- let ksymtabs = List.concat ksymtabs in
-
- (* Simply ignore any symbol table candidates which are too small. *)
- let ksymtabs = List.filter (fun (_, size) -> size > 64L) ksymtabs in
-
- if debug then (
- eprintf "%s: candidate symbol tables at:\n" name;
- List.iter (
- fun (addr, size) ->
- eprintf "\t%Lx\t%Lx\t%!" addr size;
- eprintf "first symbol: %s\n%!"
- (MMap.get_string mem
- (MMap.follow_pointer mem
- (MMap.succ_long mem addr)))
- ) ksymtabs
- );
-
- (* Vote for the most popular symbol table candidate and from this
- * generate a function to look up ksyms.
- *)
- let lookup_ksym =
- let freqs = frequency ksymtabs in
- match freqs with
- | [] ->
- eprintf (f_"%s: cannot find start of kernel symbol table\n") name;
- (fun _ -> raise Not_found)
-
- | (_, (ksymtab_addr, ksymtab_size)) :: _ ->
- if debug then
- eprintf
- "%s: Kernel symbol table found at %Lx, size %Lx bytes\n%!"
- name ksymtab_addr ksymtab_size;
-
- (* Load the whole symbol table as a bitstring. *)
- let ksymtab =
- Bitmatch.bitstring_of_string
- (MMap.get_bytes mem ksymtab_addr
- (Int64.to_int ksymtab_size)) in
-
- (* Function to look up an address in the symbol table. *)
- let lookup_ksym sym =
- let bits = bits_of_wordsize (MMap.get_wordsize mem) in
- let e = MMap.get_endian mem in
- let rec loop bs =
- bitmatch bs with
- | { value : bits : endian(e);
- name_ptr : bits : endian(e) }
- when MMap.get_string mem name_ptr = sym ->
- value
- | { _ : bits : endian(e);
- _ : bits : endian(e);
- bs : -1 : bitstring } ->
- loop bs
- | { _ } -> raise Not_found
- in
- loop ksymtab
- in
-
- lookup_ksym
- in
-
- if debug then (
- let end_t = gettimeofday () in
- eprintf "timing: searching for ordinary ksyms took %f seconds\n%!"
- (end_t -. start_t)
- );
-
- let start_t = gettimeofday () in
-
- (* Now try to find the /proc/kallsyms table. This is in an odd
- * compressed format (but not a very successful compression
- * format). However if it exists we know that it will contain
- * addresses of the common ksyms above, and it has some
- * characteristics which make it easy to detect in the
- * memory.
- *
- * kallsyms contains a complete list of symbols so is much
- * more useful than the basic list of exports.
- *)
- let ksym_addrs = List.filter_map (
- fun ksym -> try Some (lookup_ksym ksym) with Not_found -> None
- ) common_ksyms in
-
- (* Search for those kernel addresses in the image. We're looking
- * for the table kallsyms_addresses followed by kallsyms_num_syms
- * (number of symbols in the table).
- *)
- let ksym_addrs = List.map (MMap.find_pointer_all mem) ksym_addrs in
- let ksym_addrs = List.concat ksym_addrs in
-
- (* Test each one to see if it's a candidate list of kernel
- * addresses followed by length of list.
- *)
- let kallsymtabs = List.filter_map (
- fun addr ->
- (* Search upwards from address until we find the length field.
- * If found, jump backwards by length and check all addresses.
- *)
- if debug then
- eprintf "%s: testing candidate kallsyms at %Lx\n" name addr;
- let rec loop addr =
- let addrp = MMap.follow_pointer mem addr in
- if MMap.is_mapped mem addrp then
- loop (MMap.succ_long mem addr) (* continue up the table *)
- else
- if addrp >= min_kallsyms_tabsize &&
- addrp <= max_kallsyms_tabsize then (
- (* addrp might be the symbol count. Count backwards and
- * check the full table.
- *)
- let num_entries = Int64.to_int addrp in
- let entry_size = bytes_of_wordsize (MMap.get_wordsize mem) in
- let start_addr =
- addr -^ Int64.of_int (entry_size * num_entries) in
- let end_addr = addr in
- let rec loop2 addr =
- if addr < end_addr then (
- let addrp = MMap.follow_pointer mem addr in
- if MMap.is_mapped mem addrp then
- loop2 (MMap.succ_long mem addr)
- else
- None (* can't verify the full address table *)
- ) else
- (* ok! *)
- let names_addr = MMap.succ_long mem end_addr in
- if debug then
- eprintf "%s: candidate kallsyms found at %Lx (names_addr at %Lx, num_entries %d)\n"
- name start_addr names_addr num_entries;
- Some (start_addr, num_entries, names_addr)
- in
- loop2 start_addr