- List.iter (
- fun (name, (arch, mem)) ->
- (* Look for some common entries in the symbol table and from
- * that find the symbol table itself. These are just supposed to
- * be symbols which are very likely to be present in any Linux
- * kernel, although we only need one of them to be present to
- * find the symbol table.
- *
- * NB. Must not be __initdata.
- *)
- let common_ksyms = [
- "init_task"; (* first task_struct *)
- "root_mountflags"; (* flags for mounting root fs *)
- "init_uts_ns"; (* uname strings *)
- "sys_open"; (* open(2) entry point *)
- "sys_chdir"; (* chdir(2) entry point *)
- "sys_chroot"; (* chroot(2) entry point *)
- "sys_umask"; (* umask(2) entry point *)
- "schedule"; (* scheduler entry point *)
- ] in
- (* Searching for <NUL>string<NUL> *)
- let common_ksyms = List.map (sprintf "\000%s\000") common_ksyms in
-
- (* Search for these strings in the memory image. *)
- let ksym_strings = List.map (MMap.find_all mem) common_ksyms in
- let ksym_strings = List.concat ksym_strings in
- (* Adjust found addresses to start of the string (skip <NUL>). *)
- let ksym_strings = List.map Int64.succ ksym_strings in
-
- (* For any we found, try to look up the symbol table
- * base addr and size.
- *)
- let ksymtabs = List.map (
- fun addr ->
- (* Search for 'addr' appearing in the image. *)
- let addrs = MMap.find_pointer_all mem addr in
-
- (* Now consider each of these addresses and search back
- * until we reach the beginning of the (possible) symbol
- * table.
- *
- * Kernel symbol table struct is:
- * struct kernel_symbol {
- * unsigned long value;
- * const char *name; <-- initial pointer
- * } symbols[];
- *)
- let pred_long2 addr = MMap.pred_long mem (MMap.pred_long mem addr) in
- let base_addrs = List.map (
- fun addr ->
- let rec loop addr =
- (* '*addr' should point to a C identifier. If it does,
- * step backwards to the previous symbol table entry.
- *)
- let addrp = MMap.follow_pointer mem addr in
- if MMap.is_C_identifier mem addrp then
- loop (pred_long2 addr)
- else
- MMap.succ_long mem addr
+ let images =
+ List.map (
+ fun (name, arch, mem) ->
+ (* Look for some common entries in the symbol table and from
+ * that find the symbol table itself. These are just supposed to
+ * be symbols which are very likely to be present in any Linux
+ * kernel, although we only need one of them to be present to
+ * find the symbol table.
+ *
+ * NB. Must not be __initdata.
+ *)
+ let common_ksyms = [
+ "init_task"; (* first task_struct *)
+ "root_mountflags"; (* flags for mounting root fs *)
+ "init_uts_ns"; (* uname strings *)
+ "sys_open"; (* open(2) entry point *)
+ "sys_chdir"; (* chdir(2) entry point *)
+ "sys_chroot"; (* chroot(2) entry point *)
+ "sys_umask"; (* umask(2) entry point *)
+ "schedule"; (* scheduler entry point *)
+ ] in
+ (* Searching for <NUL>string<NUL> *)
+ let common_ksyms = List.map (sprintf "\000%s\000") common_ksyms in
+
+ (* Search for these strings in the memory image. *)
+ let ksym_strings = List.map (MMap.find_all mem) common_ksyms in
+ let ksym_strings = List.concat ksym_strings in
+ (* Adjust found addresses to start of the string (skip <NUL>). *)
+ let ksym_strings = List.map Int64.succ ksym_strings in
+
+ (* For any we found, try to look up the symbol table
+ * base addr and size.
+ *)
+ let ksymtabs = List.map (
+ fun addr ->
+ (* Search for 'addr' appearing in the image. *)
+ let addrs = MMap.find_pointer_all mem addr in
+
+ (* Now consider each of these addresses and search back
+ * until we reach the beginning of the (possible) symbol
+ * table.
+ *
+ * Kernel symbol table struct is:
+ * struct kernel_symbol {
+ * unsigned long value;
+ * const char *name; <-- initial pointer
+ * } symbols[];
+ *)
+ let pred_long2 addr =
+ MMap.pred_long mem (MMap.pred_long mem addr)
+ in
+ let base_addrs = List.map (
+ fun addr ->
+ let rec loop addr =
+ (* '*addr' should point to a C identifier. If it does,
+ * step backwards to the previous symbol table entry.
+ *)
+ let addrp = MMap.follow_pointer mem addr in
+ if MMap.is_C_identifier mem addrp then
+ loop (pred_long2 addr)
+ else
+ MMap.succ_long mem addr
+ in
+ loop addr
+ ) addrs in
+
+ (* Also look for the end of the symbol table and
+ * calculate its size.
+ *)
+ let base_addrs_sizes = List.map (
+ fun base_addr ->
+ let rec loop addr =
+ let addr2 = MMap.succ_long mem addr in
+ let addr2p = MMap.follow_pointer mem addr2 in
+ if MMap.is_C_identifier mem addr2p then
+ loop (MMap.succ_long mem addr2)
+ else
+ addr
+ in
+ let end_addr = loop base_addr in
+ base_addr, end_addr -^ base_addr
+ ) base_addrs in
+
+ base_addrs_sizes
+ ) ksym_strings in
+ let ksymtabs = List.concat ksymtabs in
+
+ (* Simply ignore any symbol table candidates which are too small. *)
+ let ksymtabs = List.filter (fun (_, size) -> size > 64L) ksymtabs in
+
+ if verbose then (
+ printf "name %s:\n" name;
+ List.iter (
+ fun (addr, size) ->
+ printf "\t%Lx\t%Lx\t%!" addr size;
+ printf "first symbol: %s\n%!"
+ (MMap.get_string mem
+ (MMap.follow_pointer mem
+ (MMap.succ_long mem addr)))
+ ) ksymtabs
+ );
+
+ (* Vote for the most popular symbol table candidate and from this
+ * generate a function to look up ksyms.
+ *)
+ let lookup_ksym =
+ let freqs = frequency ksymtabs in
+ match freqs with
+ | [] ->
+ eprintf (f_"%s: cannot find start of kernel symbol table\n") name;
+ (fun _ -> raise Not_found)
+
+ | (_, (ksymtab_addr, ksymtab_size)) :: _ ->
+ if verbose then
+ printf
+ "%s: Kernel symbol table found at %Lx, size %Lx bytes\n%!"
+ name ksymtab_addr ksymtab_size;
+
+ (* Load the whole symbol table as a bitstring. *)
+ let ksymtab =
+ Bitmatch.bitstring_of_string
+ (MMap.get_bytes mem ksymtab_addr
+ (Int64.to_int ksymtab_size)) in
+
+ (* Function to look up an address in the symbol table. *)
+ let lookup_ksym sym =
+ let bits = bits_of_wordsize (MMap.get_wordsize mem) in
+ let e = MMap.get_endian mem in
+ let rec loop bs =
+ bitmatch bs with
+ | { value : bits : endian(e);
+ name_ptr : bits : endian(e) }
+ when MMap.get_string mem name_ptr = sym ->
+ value
+ | { _ : bits : endian(e);
+ _ : bits : endian(e);
+ bs : -1 : bitstring } ->
+ loop bs
+ | { _ } -> raise Not_found
+ in
+ loop ksymtab