Skip to content

Add support for search in kernel modules #2496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Arusekk merged 10 commits into from
Mar 28, 2025
Merged

Add support for search in kernel modules #2496

Arusekk merged 10 commits into from
Mar 28, 2025

Conversation

@zt20xx
Copy link
Contributor

@zt20xx zt20xx commented Oct 27, 2024

There are so many parts related to the elf header, so I just put it at the end of the search function, which would be awesome if you had a better way to handle it.

┌──(zt㉿pwntools)-[~/study/kernel/test-config]
└─$ cat t.py && python t.py
from pwn import ELF,asm
test=ELF("./rop.ko")
test_ret=test.search(asm("ret"))
print(hex(test_ret.__next__()))
print(hex(test_ret.__next__()))
print(hex(test_ret.__next__()))
print(hex(test_ret.__next__()))

[*] '/home/zt/study/kernel/test-config/rop.ko'
    Arch:       amd64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x0)
    Stripped:   No
    Debuginfo:  Yes
0x13
0x33
0x5d
0x7a

┌──(zt㉿pwntools)-[~/study/kernel/test-config]
└─$ objdump -d ./rop.ko|grep 'ret'
  13:   c3                      ret
  33:   c3                      ret
  5d:   c3                      ret
  7a:   c3                      ret

@peace-maker
Copy link
Member

peace-maker commented Oct 28, 2024

Can you uplaod a test file where this is necessary? It looks like you're dealing with kernel modules?

@zt20xx
Copy link
Contributor Author

zt20xx commented Oct 29, 2024
edited
Loading

Can you uplaod a test file where this is necessary? It looks like you're dealing with kernel modules?

Yes, I build it with v4.19.322.
rop.zip

@Arusekk
Copy link
Member

Arusekk commented Nov 7, 2024

Great job! I never thought of Linux modules to be honest.

IMO if this is to be useful, it should handle writable and executable as well.

Note that relocatable object files in general lack segments, but contain some sections, and all sections are offset from zero. I believe Linux modules are the only relocatable ELFs where searching is useful for hacking, so hardcoding its linking behaviour seems right (e.g. if .rodata always comes right after .text, followed by .data, aligned to one page), but it should be noted what are the absolute offsets, why, and how it uses self.address.

@zt20xx
Copy link
Contributor Author

zt20xx commented Nov 16, 2024

I think it is useful now
https://gist.github.com/zt20xx/1dfbd4927d2381b7e2382570bf8d086e
rop.zip

text ret : 0xffffffffc0000013
0xdeadbeef : 0xffffffffc0002000
0xdead : 0xffffffffc0002002
note GUN : 0xffffffffc000100c
note linux : 0xffffffffc0001030
rodata kernel-module : 0xffffffffc000104d
rodata abcd : 0xffffffffc0001099

[ 3.126233] test_data_addr :ffffffffc0002000
[ 3.130211] test_data_value:00000000deadbeef
[ 3.133158] test_rodata:ffffffffc0001099
[ 3.136035] test_rodata:abcd
(gdb) x/i 0xffffffffc0000013
0xffffffffc0000013 <backdoor+19>: ret
(gdb) x/s 0xffffffffc000100c
0xffffffffc000100c: "GNU"
(gdb) x/s 0xffffffffc0001030
0xffffffffc0001030: "Linux"

Arusekk
Arusekk reviewed Mar 1, 2025
View reviewed changes
@zt20xx @Arusekk
fix spelling mistakes
07ac17f 
Co-authored-by: Arusekk <[email protected]>
@Arusekk Arusekk changed the title add_ko_file_search_support Add support for search in kernel modules Mar 24, 2025
@Arusekk
Copy link
Member

Arusekk commented Mar 24, 2025

There is no standard page size (4K is common, but some systems use 16K for example M1 aarch64 cpus). Newest elftools removed the constant.

@zt20xx
Copy link
Contributor Author

zt20xx commented Mar 28, 2025

There is no standard page size (4K is common, but some systems use 16K for example M1 aarch64 cpus). Newest elftools removed the constant.

Thank you for your reminder; your advice is truly invaluable to a beginner like me. ( ゚∀゚) ノ♡

@Arusekk
Copy link
Member

Arusekk commented Mar 28, 2025

Thanks! I think your heuristic is the best we can do just looking at the file. Let's keep it this way and hope it works.

@Arusekk Arusekk merged commit 8928cdf into Gallopsled:dev Mar 28, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Arusekk Arusekk Arusekk left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zt20xx @peace-maker @Arusekk @zzttbak