/proc/kcore and GDB exploration
/proc/kcore is an interface for accessing kernel memory, conveniently presented in the form of an ELF core file that can be easily navigated with GDB. Using GDB with /proc/kcore is a priceless technique that a skilled analyst can expand into very in-depth forensics. Here is a brief example that shows how to navigate sys_call_table.
An example of navigating sys_call_table
$ sudo gdb -q vmlinux /proc/kcore
Reading symbols from vmlinux...
[New process 1]
Core was generated by `BOOT_IMAGE=/vmlinuz-3.16.0-49-generic root=/dev/mapper/ubuntu--vg-root ro quiet'.
#0  0x0000000000000000 in ?? ()
(gdb) print &sys_call_table
$1 = (<data variable, no debug info> *) 0xffffffff81801460 <sys_call_table>
(gdb) x/gx &sys_call_table
0xffffffff81801460 <sys_call_table>:    0xffffffff811d5260
(gdb) x/5i 0xffffffff811d5260
   0xffffffff811d5260 <sys_read>:    data32 data32 data32 xchg %ax,%ax
   0xffffffff811d5265 <sys_read+5>...
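What GDB is doing behind `x/gx &sys_call_table` is walking the PT_LOAD program headers of the core file to turn a kernel virtual address into a file offset, then reading the bytes there. The script below is an added example (not code from the page or from any project it describes) that does the same thing by hand and then applies it the way a forensic analyst would: it reads the first entries of sys_call_table and checks each pointer against a symbol map and the kernel text range, flagging anything that does not resolve. Because /proc/kcore requires root and is machine-specific, the block builds a tiny constructed ELF64 core in memory; the sys_call_table address (0xffffffff81801460) and the sys_read address (0xffffffff811d5260) are taken from the GDB session above, while the segment base, the second and third table entries, the symbol map and the _text/_etext bounds are constructed values for the demonstration.

```python
import struct

PT_LOAD = 1
ELF_HDR = struct.Struct('<16sHHIQQQIHHHHHH')   # ELF64 file header, little-endian
PHDR = struct.Struct('<IIQQQQQQ')               # ELF64 program header (56 bytes)


def parse_core_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD segment of an ELF64 core.

    /proc/kcore describes kernel memory exactly this way: each PT_LOAD maps a
    range of kernel virtual addresses onto a range of file offsets."""
    if data[:4] != b'\x7fELF' or data[4] != 2:
        raise ValueError('not an ELF64 image')
    e_phoff = struct.unpack_from('<Q', data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    segments = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def vaddr_to_offset(segments, vaddr):
    """Translate a kernel virtual address into an offset inside the core file."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise LookupError('0x%x is not covered by any PT_LOAD segment' % vaddr)


def read_kernel(data, segments, vaddr, size):
    off = vaddr_to_offset(segments, vaddr)
    return data[off:off + size]


def read_sys_call_table(data, segments, table_vaddr, count):
    """Read `count` 8-byte function pointers starting at sys_call_table."""
    raw = read_kernel(data, segments, table_vaddr, 8 * count)
    return list(struct.unpack('<%dQ' % count, raw))


def verify_table(entries, symbols, text_start, text_end):
    """Flag entries that do not resolve to a known symbol inside kernel text.

    A hooked table slot typically points at a module or other non-text
    address, so it fails one or both checks."""
    report = []
    for nr, addr in enumerate(entries):
        name = symbols.get(addr)
        ok = name is not None and text_start <= addr < text_end
        report.append((nr, addr, name, ok))
    return report


# --- constructed core image standing in for /proc/kcore --------------------
SYS_CALL_TABLE = 0xffffffff81801460   # from the GDB session on the page
SEG_VADDR = 0xffffffff81800000        # constructed: base of the only PT_LOAD segment
SEG_OFFSET = 0x80                     # file offset of that segment's data
TABLE_ENTRIES = [
    0xffffffff811d5260,   # sys_read, from the page (syscall 0)
    0xffffffff811d5300,   # constructed: where this toy kernel keeps sys_write
    0xffffffffc0012340,   # constructed: pointer outside kernel text, no symbol
]
SYMBOLS = {0xffffffff811d5260: 'sys_read',     # constructed symbol map, in practice
           0xffffffff811d5300: 'sys_write'}    # from `nm vmlinux` or /proc/kallsyms
TEXT_START, TEXT_END = 0xffffffff81000000, 0xffffffff81800000   # constructed _text/_etext


def build_core():
    """Build an ELF64 ET_CORE image with one PT_LOAD segment holding the table."""
    seg = bytearray(0x1460 + 8 * len(TABLE_ENTRIES))
    struct.pack_into('<%dQ' % len(TABLE_ENTRIES), seg,
                     SYS_CALL_TABLE - SEG_VADDR, *TABLE_ENTRIES)
    ehdr = ELF_HDR.pack(b'\x7fELF\x02\x01\x01' + b'\x00' * 9,
                        4, 0x3e, 1, 0, 64, 0, 0, 64, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_LOAD, 6, SEG_OFFSET, SEG_VADDR, 0, len(seg), len(seg), 0x1000)
    pad = b'\x00' * (SEG_OFFSET - len(ehdr) - len(phdr))
    return bytes(ehdr + phdr + pad + seg)


def run_check(core=None):
    core = build_core() if core is None else core
    segs = parse_core_segments(core)
    entries = read_sys_call_table(core, segs, SYS_CALL_TABLE, len(TABLE_ENTRIES))
    return verify_table(entries, SYMBOLS, TEXT_START, TEXT_END)


if __name__ == '__main__':
    for nr, addr, name, ok in run_check():
        print('syscall %3d -> 0x%x %-10s %s'
              % (nr, addr, name or '?', 'ok' if ok else 'SUSPICIOUS'))
```

The first entry the script reads is 0xffffffff811d5260, the same value GDB printed for `x/gx &sys_call_table`, because slot 0 of the x86-64 table is sys_read. On a live system the same functions work against the real file, with two practical differences: the program headers and the table are read with seek/read at the computed offsets rather than by slicing a whole in-memory copy (the file is far too large to read whole), and the symbol map and text bounds come from the matching vmlinux or System.map rather than the constructed dictionary used here.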