ksfinder - Retrieve exported kernel symbols from physical memory dumps
Python Shell
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
README.md Updated doc Sep 28, 2016
elfize.sh elfize Jul 1, 2015
kfinder.py remove old comments Sep 28, 2016


=== USAGE ===

    emdel -> time python kfinder.py 
    [-] Usage: kfinder.py <memory_dump> [symbol]

symbol is not mandatory. In the case it is not provided, kfinder runs in recursive mode and carves out all the possible symbols.

=== HOW ===

This is possible by parsing the __ksymtab_strings and __ksymtab of the Linux kernel image (aka vmlinux). kfinder analyzes the physical memory dump, locates the kernel .text segment and from there the two interesting sections: __ksymtab_strings and __ksymtab.

=== EXAMPLES ===

    08:38:53 emdel -> python kfinder.py /home/emdel/Downloads/fmem_1.6-0/vm-ksfinder-fmem.raw init_task
    Page: b8349000
             - ei_class: 64bit format
             - ABI: System V
             - e_type: shared
             - e_machine x86_64
    Page: b9d77000
             - ei_class: 64bit format
             - ABI: System V
             - e_type: relocatable
             - e_machine x86_64

    :: Architecture identified: x86_64
    :: init_task found at offset: 0x1b8243f
    :: __ksymtab_strings found at offset: 0x1b82436
    :: Symbol init_task found at offset: 0x01b82436
    :: Symbol Virtual Address: 0xffffffff81b82436
    :: Packing the symbol_va
    :: __ksymtab offset guess: 0x01a8243c
    :: symbol_va packed found at 0x01b5aa40
    :: init_task at 0xffffffff81c1d4e0

Old example - x86_32 bit only (missing x86_64 support and the check to identify the architecture):

    emdel -> time python kfinder.py kernelexp.ram init_task
    :: __ksymtab_strings found at offset: 0x017e172d
    :: Symbol init_task found at offset: 0x017e1724
    :: Symbol Virtual Address: 0xc17e1724
    :: Packing the symbol_va
    :: __ksymtab offset guess: 0x016e172c
    :: symbol_va packed found at 0x017d2060
    :: init_task at 0xc180b020

    real    0m3.813s
    user    0m3.632s
    sys     0m0.172s

    emdel -> cat System.map-3.2.0-23-generic-pae | grep -w init_task
    c180b020 D init_task

    emdel -> time python kfinder.py kernelexp.ram > carved_sysmap.log

    real    12m18.355s
    user    12m17.326s
    sys     0m0.372s

    emdel -> cat System.map-3.2.0-23-generic-pae | wc -l

    emdel -> cat carved_sysmap.log | wc -l

    emdel -> head carved_sysmap.log 
    :: __ksymtab_strings found at offset: 0x017e172d
    [+] Retrived 6333 symbols
    c180b020 ? init_task
    c180c460 ? loops_per_jiffy
    c193e004 ? reset_devices
    c18742c0 ? system_state
    c180c5c0 ? init_uts_ns
    c1003580 ? populate_rootfs_wait
    c17fdf20 ? x86_hyper_xen_hvm
    c1003f70 ? xen_hvm_need_lapic


It has been tested on very few memory dumps. I used 'fmem' to dump the memory. I tried with 'Lime' in the raw format, but there are some offset issues. Contact me if you want to discuss about it.

Happy hacking,