Linux4 8 kaslr support, take2

[bneuburg]

This is an updated version of Linux > 4.8 KASLR detection and dismisses the linux_kaslr_shift plugin entirely.

@atcuno implemented KASLR detection and calculation in upstreams Linux overlay, however at various spots incorrect calculations were done regarding which shift (physical vs virtual) was used.

I tested the attached patches with kernel 4.9 amd64 memory dumps that had KASLR en- and disabled.

Moreover a small typo is fixed.

One upstream change since my PR #385 made the DTB finder skip the only valid DTB in the images I checked, therefore I commented those lines (the active_mm checks).

@atcuno found a nicer way to determine the virtual shift; instead of walking through the paging levels, looking up the path to a target physical page and then calculating the diff between observed and expected virtual address, he simply used the virtual address stored in the files member of init_tasks task_struct that points to the randomized address of symbol init_files. By calculating the difference to the init_files value in System.map you can also determine the virtual_shift.

I'd like to note that even though KASLR detection possibly finds the correct values with this PR the linux_kaslr_shift plugin might still come in handy, since in contrast to the way it is handled now it will not stop DTB finding after the first possible hit but looks further to find additional DTBs, so in cases where the first found DTB is not correct it can still help out.
However I'd like to use the more elegant init_files approach for the plugin as well and will refactor this first before resubmitting.

[koromodako]

Also work on a 4.9.0 kernel, thank you very much ! Eager to see this pull request merged ! 👍