commit f014e19582c70a61f4ac09e0d4909d32bf9b3502
parent 03462dc2d8a0270456d1541f608dd308eb18ac58
Author: deurzen <m.deurzen@tum.de>
Date: Thu, 21 Jan 2021 06:43:58 +0100
initial check_files structure
Diffstat:
1 file changed, 397 insertions(+), 75 deletions(-)
diff --git a/mem_forensics/memcheck-gdb.py b/mem_forensics/memcheck-gdb.py
@@ -1,20 +1,21 @@
import os
import re
+from elftools.elf import elffile
v_off_g = 0
file_g = None
-class RkLoadSymbols (gdb.Command):
+class RkLoadSymbols(gdb.Command):
"""Determine the KASLR-Offset and map the symbols."""
v_off = 0
symbol = "native_safe_halt"
- def __init__ (self):
- super (RkLoadSymbols, self).__init__ ("rk-load-symbols", gdb.COMMAND_USER, gdb.COMMAND_DATA)
+ def __init__(self):
+ super(RkLoadSymbols, self).__init__("rk-load-symbols", gdb.COMMAND_USER, gdb.COMMAND_DATA)
- def invoke (self, arg, from_tty):
+ def invoke(self, arg, from_tty):
if not arg:
print("Please provide an argument")
return None
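Review bot: The new top-level `from elftools.elf import elffile` makes the whole script depend on pyelftools being installed for the Python interpreter that gdb embeds. If it is missing, sourcing the file would stop at the ImportError before any `rk-*` command is registered, so the existing KASLR and syscall-table checks would presumably become unavailable too. Consider guarding it, `try: from elftools.elf import elffile` with `except ImportError: elffile = None`, and having `rk-check-functions` print a clear message when `elffile` is None. The rest of this hunk is whitespace only, and `invoke` continues outside it.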
@@ -22,7 +23,7 @@ class RkLoadSymbols (gdb.Command):
self.get_v_off(arg)
self.load_sym(arg)
- def load_sym (self, arg):
+ def load_sym(self, arg):
v_off = hex(self.v_off)
print(f"attempting to load symbols from \"{arg}\" with offset {v_off}")
@@ -32,7 +33,7 @@ class RkLoadSymbols (gdb.Command):
print("error loading symbol file, does it exist?")
return None
- def get_v_off (self, arg):
+ def get_v_off(self, arg):
global file_g
global v_off_g
@@ -54,22 +55,22 @@ class RkLoadSymbols (gdb.Command):
self.v_off = ((real_addr - sym_addr) & (~0xf))
v_off_g = self.v_off
-RkLoadSymbols ()
+RkLoadSymbols()
-class RkKaslrOffset (gdb.Command):
+class RkKaslrOffset(gdb.Command):
"""Output the calculated physical and virtual KASLR offset."""
symbol = "native_safe_halt"
obj_addr = None
- def __init__ (self):
- super (RkKaslrOffset, self).__init__ ("rk-kaslr-offset", gdb.COMMAND_USER, gdb.COMMAND_DATA)
+ def __init__(self):
+ super(RkKaslrOffset, self).__init__("rk-kaslr-offset", gdb.COMMAND_USER, gdb.COMMAND_DATA)
# assuming rk-load-symbols has already been run
- def invoke (self, arg, from_tty):
+ def invoke(self, arg, from_tty):
global file_g
if file_g is None:
@@ -135,7 +136,7 @@ class RkKaslrOffset (gdb.Command):
return None
- def get_off (self, addr):
+ def get_off(self, addr):
global file_g
if self.obj_addr is None:
@@ -146,22 +147,22 @@ class RkKaslrOffset (gdb.Command):
return hex((real_addr - self.obj_addr) & (~0xf))
-RkKaslrOffset ()
+RkKaslrOffset()
-class RKSyscallCheck (gdb.Command):
+class RKSyscallCheck(gdb.Command):
"""Check the integrity of the syscall table. Run rk-load-symbols first."""
symbol = "sys_call_table"
sys_call_table = 0
- def __init__ (self):
- super (RKSyscallCheck, self).__init__ ("rk-syscall-check", gdb.COMMAND_USER, gdb.COMMAND_DATA)
+ def __init__(self):
+ super(RKSyscallCheck, self).__init__("rk-syscall-check", gdb.COMMAND_USER, gdb.COMMAND_DATA)
- def invoke (self, arg, from_tty):
+ def invoke(self, arg, from_tty):
global v_off_g
global file_g
@@ -220,7 +221,7 @@ class RKSyscallCheck (gdb.Command):
-RKSyscallCheck ()
+RKSyscallCheck()
@@ -240,60 +241,381 @@ def get_symbol_address(file, symbol):
return None
-syscalls = ['__x64_sys_read', '__x64_sys_write', '__x64_sys_open', '__x64_sys_close', '__x64_sys_newstat', '__x64_sys_newfstat', '__x64_sys_newlstat',
- '__x64_sys_poll', '__x64_sys_lseek', '__x64_sys_mmap', '__x64_sys_mprotect', '__x64_sys_munmap', '__x64_sys_brk', '__x64_sys_rt_sigaction',
- '__x64_sys_rt_sigprocmask', '__x64_sys_rt_sigreturn', '__x64_sys_ioctl', '__x64_sys_pread64', '__x64_sys_pwrite64', '__x64_sys_readv',
- '__x64_sys_writev', '__x64_sys_access', '__x64_sys_pipe', '__x64_sys_select', '__x64_sys_sched_yield', '__x64_sys_mremap', '__x64_sys_msync',
- '__x64_sys_mincore', '__x64_sys_madvise', '__x64_sys_shmget', '__x64_sys_shmat', '__x64_sys_shmctl', '__x64_sys_dup', '__x64_sys_dup2',
- '__x64_sys_pause', '__x64_sys_nanosleep', '__x64_sys_getitimer', '__x64_sys_alarm', '__x64_sys_setitimer', '__x64_sys_getpid',
- '__x64_sys_sendfile64', '__x64_sys_socket', '__x64_sys_connect', '__x64_sys_accept', '__x64_sys_sendto', '__x64_sys_recvfrom',
- '__x64_sys_sendmsg', '__x64_sys_recvmsg', '__x64_sys_shutdown', '__x64_sys_bind', '__x64_sys_listen', '__x64_sys_getsockname',
- '__x64_sys_getpeername', '__x64_sys_socketpair', '__x64_sys_setsockopt', '__x64_sys_getsockopt', '__x64_sys_clone', '__x64_sys_fork',
- '__x64_sys_vfork', '__x64_sys_execve', '__x64_sys_exit', '__x64_sys_wait4', '__x64_sys_kill', '__x64_sys_newuname', '__x64_sys_semget',
- '__x64_sys_semop', '__x64_sys_semctl', '__x64_sys_shmdt', '__x64_sys_msgget', '__x64_sys_msgsnd', '__x64_sys_msgrcv', '__x64_sys_msgctl',
- '__x64_sys_fcntl', '__x64_sys_flock', '__x64_sys_fsync', '__x64_sys_fdatasync', '__x64_sys_truncate', '__x64_sys_ftruncate',
- '__x64_sys_getdents', '__x64_sys_getcwd', '__x64_sys_chdir', '__x64_sys_fchdir', '__x64_sys_rename', '__x64_sys_mkdir', '__x64_sys_rmdir',
- '__x64_sys_creat', '__x64_sys_link', '__x64_sys_unlink', '__x64_sys_symlink', '__x64_sys_readlink', '__x64_sys_chmod', '__x64_sys_fchmod',
- '__x64_sys_chown', '__x64_sys_fchown', '__x64_sys_lchown', '__x64_sys_umask', '__x64_sys_gettimeofday', '__x64_sys_getrlimit',
- '__x64_sys_getrusage', '__x64_sys_sysinfo', '__x64_sys_times', '__x64_sys_ptrace', '__x64_sys_getuid', '__x64_sys_syslog', '__x64_sys_getgid',
- '__x64_sys_setuid', '__x64_sys_setgid', '__x64_sys_geteuid', '__x64_sys_getegid', '__x64_sys_setpgid', '__x64_sys_getppid', '__x64_sys_getpgrp',
- '__x64_sys_setsid', '__x64_sys_setreuid', '__x64_sys_setregid', '__x64_sys_getgroups', '__x64_sys_setgroups', '__x64_sys_setresuid',
- '__x64_sys_getresuid', '__x64_sys_setresgid', '__x64_sys_getresgid', '__x64_sys_getpgid', '__x64_sys_setfsuid', '__x64_sys_setfsgid',
- '__x64_sys_getsid', '__x64_sys_capget', '__x64_sys_capset', '__x64_sys_rt_sigpending', '__x64_sys_rt_sigtimedwait', '__x64_sys_rt_sigqueueinfo',
- '__x64_sys_rt_sigsuspend', '__x64_sys_sigaltstack', '__x64_sys_utime', '__x64_sys_mknod', 'sys_ni_syscall', '__x64_sys_personality',
- '__x64_sys_ustat', '__x64_sys_statfs', '__x64_sys_fstatfs', '__x64_sys_sysfs', '__x64_sys_getpriority', '__x64_sys_setpriority',
- '__x64_sys_sched_setparam', '__x64_sys_sched_getparam', '__x64_sys_sched_setscheduler', '__x64_sys_sched_getscheduler',
- '__x64_sys_sched_get_priority_max', '__x64_sys_sched_get_priority_min', '__x64_sys_sched_rr_get_interval', '__x64_sys_mlock', '__x64_sys_munlock',
- '__x64_sys_mlockall', '__x64_sys_munlockall', '__x64_sys_vhangup', '__x64_sys_modify_ldt', '__x64_sys_pivot_root', '__x64_sys_sysctl',
- '__x64_sys_prctl', '__x64_sys_arch_prctl', '__x64_sys_adjtimex', '__x64_sys_setrlimit', '__x64_sys_chroot', '__x64_sys_sync',
- '__x64_sys_acct', '__x64_sys_settimeofday', '__x64_sys_mount', '__x64_sys_umount', '__x64_sys_swapon', '__x64_sys_swapoff',
- '__x64_sys_reboot', '__x64_sys_sethostname', '__x64_sys_setdomainname', '__x64_sys_iopl', '__x64_sys_ioperm', 'sys_ni_syscall',
- '__x64_sys_init_module', '__x64_sys_delete_module', 'sys_ni_syscall', 'sys_ni_syscall', '__x64_sys_quotactl', 'sys_ni_syscall',
- 'sys_ni_syscall', 'sys_ni_syscall', 'sys_ni_syscall', 'sys_ni_syscall', 'sys_ni_syscall', '__x64_sys_gettid', '__x64_sys_readahead',
- '__x64_sys_setxattr', '__x64_sys_lsetxattr', '__x64_sys_fsetxattr', '__x64_sys_getxattr', '__x64_sys_lgetxattr', '__x64_sys_fgetxattr',
- '__x64_sys_listxattr', '__x64_sys_llistxattr', '__x64_sys_flistxattr', '__x64_sys_removexattr', '__x64_sys_lremovexattr',
- '__x64_sys_fremovexattr', '__x64_sys_tkill', '__x64_sys_time', '__x64_sys_futex', '__x64_sys_sched_setaffinity', '__x64_sys_sched_getaffinity',
- 'sys_ni_syscall', '__x64_sys_io_setup', '__x64_sys_io_destroy', '__x64_sys_io_getevents', '__x64_sys_io_submit', '__x64_sys_io_cancel',
- 'sys_ni_syscall', '__x64_sys_lookup_dcookie', '__x64_sys_epoll_create', 'sys_ni_syscall', 'sys_ni_syscall', '__x64_sys_remap_file_pages',
- '__x64_sys_getdents64', '__x64_sys_set_tid_address', '__x64_sys_restart_syscall', '__x64_sys_semtimedop', '__x64_sys_fadvise64',
- '__x64_sys_timer_create', '__x64_sys_timer_settime', '__x64_sys_timer_gettime', '__x64_sys_timer_getoverrun', '__x64_sys_timer_delete',
- '__x64_sys_clock_settime', '__x64_sys_clock_gettime', '__x64_sys_clock_getres', '__x64_sys_clock_nanosleep', '__x64_sys_exit_group',
- '__x64_sys_epoll_wait', '__x64_sys_epoll_ctl', '__x64_sys_tgkill', '__x64_sys_utimes', 'sys_ni_syscall', '__x64_sys_mbind',
- '__x64_sys_set_mempolicy', '__x64_sys_get_mempolicy', '__x64_sys_mq_open', '__x64_sys_mq_unlink', '__x64_sys_mq_timedsend',
- '__x64_sys_mq_timedreceive', '__x64_sys_mq_notify', '__x64_sys_mq_getsetattr', '__x64_sys_kexec_load', '__x64_sys_waitid',
- '__x64_sys_add_key', '__x64_sys_request_key', '__x64_sys_keyctl', '__x64_sys_ioprio_set', '__x64_sys_ioprio_get', '__x64_sys_inotify_init',
- '__x64_sys_inotify_add_watch', '__x64_sys_inotify_rm_watch', '__x64_sys_migrate_pages', '__x64_sys_openat', '__x64_sys_mkdirat',
- '__x64_sys_mknodat', '__x64_sys_fchownat', '__x64_sys_futimesat', '__x64_sys_newfstatat', '__x64_sys_unlinkat', '__x64_sys_renameat',
- '__x64_sys_linkat', '__x64_sys_symlinkat', '__x64_sys_readlinkat', '__x64_sys_fchmodat', '__x64_sys_faccessat', '__x64_sys_pselect6',
- '__x64_sys_ppoll', '__x64_sys_unshare', '__x64_sys_set_robust_list', '__x64_sys_get_robust_list', '__x64_sys_splice', '__x64_sys_tee',
- '__x64_sys_sync_file_range', '__x64_sys_vmsplice', '__x64_sys_move_pages', '__x64_sys_utimensat', '__x64_sys_epoll_pwait',
- '__x64_sys_signalfd', '__x64_sys_timerfd_create', '__x64_sys_eventfd', '__x64_sys_fallocate', '__x64_sys_timerfd_settime',
- '__x64_sys_timerfd_gettime', '__x64_sys_accept4', '__x64_sys_signalfd4', '__x64_sys_eventfd2', '__x64_sys_epoll_create1', '__x64_sys_dup3',
- '__x64_sys_pipe2', '__x64_sys_inotify_init1', '__x64_sys_preadv', '__x64_sys_pwritev', '__x64_sys_rt_tgsigqueueinfo',
- '__x64_sys_perf_event_open', '__x64_sys_recvmmsg', '__x64_sys_fanotify_init', '__x64_sys_fanotify_mark', '__x64_sys_prlimit64',
- '__x64_sys_name_to_handle_at', '__x64_sys_open_by_handle_at', '__x64_sys_clock_adjtime', '__x64_sys_syncfs', '__x64_sys_sendmmsg',
- '__x64_sys_setns', '__x64_sys_getcpu', '__x64_sys_process_vm_readv', '__x64_sys_process_vm_writev', '__x64_sys_kcmp', '__x64_sys_finit_module',
- '__x64_sys_sched_setattr', '__x64_sys_sched_getattr', '__x64_sys_renameat2', '__x64_sys_seccomp', '__x64_sys_getrandom',
- '__x64_sys_memfd_create', '__x64_sys_kexec_file_load', '__x64_sys_bpf', '__x64_sys_execveat', '__x64_sys_userfaultfd', '__x64_sys_membarrier',
- '__x64_sys_mlock2', '__x64_sys_copy_file_range', '__x64_sys_preadv2', '__x64_sys_pwritev2', '__x64_sys_pkey_mprotect', '__x64_sys_pkey_alloc',
- '__x64_sys_pkey_free', '__x64_sys_statx', '__x64_sys_io_pgetevents', '__x64_sys_rseq']
+syscalls = [
+ '__x64_sys_read',
+ '__x64_sys_write',
+ '__x64_sys_open',
+ '__x64_sys_close',
+ '__x64_sys_newstat',
+ '__x64_sys_newfstat',
+ '__x64_sys_newlstat',
+ '__x64_sys_poll',
+ '__x64_sys_lseek',
+ '__x64_sys_mmap',
+ '__x64_sys_mprotect',
+ '__x64_sys_munmap',
+ '__x64_sys_brk',
+ '__x64_sys_rt_sigaction',
+ '__x64_sys_rt_sigprocmask',
+ '__x64_sys_rt_sigreturn',
+ '__x64_sys_ioctl',
+ '__x64_sys_pread64',
+ '__x64_sys_pwrite64',
+ '__x64_sys_readv',
+ '__x64_sys_writev',
+ '__x64_sys_access',
+ '__x64_sys_pipe',
+ '__x64_sys_select',
+ '__x64_sys_sched_yield',
+ '__x64_sys_mremap',
+ '__x64_sys_msync',
+ '__x64_sys_mincore',
+ '__x64_sys_madvise',
+ '__x64_sys_shmget',
+ '__x64_sys_shmat',
+ '__x64_sys_shmctl',
+ '__x64_sys_dup',
+ '__x64_sys_dup2',
+ '__x64_sys_pause',
+ '__x64_sys_nanosleep',
+ '__x64_sys_getitimer',
+ '__x64_sys_alarm',
+ '__x64_sys_setitimer',
+ '__x64_sys_getpid',
+ '__x64_sys_sendfile64',
+ '__x64_sys_socket',
+ '__x64_sys_connect',
+ '__x64_sys_accept',
+ '__x64_sys_sendto',
+ '__x64_sys_recvfrom',
+ '__x64_sys_sendmsg',
+ '__x64_sys_recvmsg',
+ '__x64_sys_shutdown',
+ '__x64_sys_bind',
+ '__x64_sys_listen',
+ '__x64_sys_getsockname',
+ '__x64_sys_getpeername',
+ '__x64_sys_socketpair',
+ '__x64_sys_setsockopt',
+ '__x64_sys_getsockopt',
+ '__x64_sys_clone',
+ '__x64_sys_fork',
+ '__x64_sys_vfork',
+ '__x64_sys_execve',
+ '__x64_sys_exit',
+ '__x64_sys_wait4',
+ '__x64_sys_kill',
+ '__x64_sys_newuname',
+ '__x64_sys_semget',
+ '__x64_sys_semop',
+ '__x64_sys_semctl',
+ '__x64_sys_shmdt',
+ '__x64_sys_msgget',
+ '__x64_sys_msgsnd',
+ '__x64_sys_msgrcv',
+ '__x64_sys_msgctl',
+ '__x64_sys_fcntl',
+ '__x64_sys_flock',
+ '__x64_sys_fsync',
+ '__x64_sys_fdatasync',
+ '__x64_sys_truncate',
+ '__x64_sys_ftruncate',
+ '__x64_sys_getdents',
+ '__x64_sys_getcwd',
+ '__x64_sys_chdir',
+ '__x64_sys_fchdir',
+ '__x64_sys_rename',
+ '__x64_sys_mkdir',
+ '__x64_sys_rmdir',
+ '__x64_sys_creat',
+ '__x64_sys_link',
+ '__x64_sys_unlink',
+ '__x64_sys_symlink',
+ '__x64_sys_readlink',
+ '__x64_sys_chmod',
+ '__x64_sys_fchmod',
+ '__x64_sys_chown',
+ '__x64_sys_fchown',
+ '__x64_sys_lchown',
+ '__x64_sys_umask',
+ '__x64_sys_gettimeofday',
+ '__x64_sys_getrlimit',
+ '__x64_sys_getrusage',
+ '__x64_sys_sysinfo',
+ '__x64_sys_times',
+ '__x64_sys_ptrace',
+ '__x64_sys_getuid',
+ '__x64_sys_syslog',
+ '__x64_sys_getgid',
+ '__x64_sys_setuid',
+ '__x64_sys_setgid',
+ '__x64_sys_geteuid',
+ '__x64_sys_getegid',
+ '__x64_sys_setpgid',
+ '__x64_sys_getppid',
+ '__x64_sys_getpgrp',
+ '__x64_sys_setsid',
+ '__x64_sys_setreuid',
+ '__x64_sys_setregid',
+ '__x64_sys_getgroups',
+ '__x64_sys_setgroups',
+ '__x64_sys_setresuid',
+ '__x64_sys_getresuid',
+ '__x64_sys_setresgid',
+ '__x64_sys_getresgid',
+ '__x64_sys_getpgid',
+ '__x64_sys_setfsuid',
+ '__x64_sys_setfsgid',
+ '__x64_sys_getsid',
+ '__x64_sys_capget',
+ '__x64_sys_capset',
+ '__x64_sys_rt_sigpending',
+ '__x64_sys_rt_sigtimedwait',
+ '__x64_sys_rt_sigqueueinfo',
+ '__x64_sys_rt_sigsuspend',
+ '__x64_sys_sigaltstack',
+ '__x64_sys_utime',
+ '__x64_sys_mknod',
+ 'sys_ni_syscall',
+ '__x64_sys_personality',
+ '__x64_sys_ustat',
+ '__x64_sys_statfs',
+ '__x64_sys_fstatfs',
+ '__x64_sys_sysfs',
+ '__x64_sys_getpriority',
+ '__x64_sys_setpriority',
+ '__x64_sys_sched_setparam',
+ '__x64_sys_sched_getparam',
+ '__x64_sys_sched_setscheduler',
+ '__x64_sys_sched_getscheduler',
+ '__x64_sys_sched_get_priority_max',
+ '__x64_sys_sched_get_priority_min',
+ '__x64_sys_sched_rr_get_interval',
+ '__x64_sys_mlock',
+ '__x64_sys_munlock',
+ '__x64_sys_mlockall',
+ '__x64_sys_munlockall',
+ '__x64_sys_vhangup',
+ '__x64_sys_modify_ldt',
+ '__x64_sys_pivot_root',
+ '__x64_sys_sysctl',
+ '__x64_sys_prctl',
+ '__x64_sys_arch_prctl',
+ '__x64_sys_adjtimex',
+ '__x64_sys_setrlimit',
+ '__x64_sys_chroot',
+ '__x64_sys_sync',
+ '__x64_sys_acct',
+ '__x64_sys_settimeofday',
+ '__x64_sys_mount',
+ '__x64_sys_umount',
+ '__x64_sys_swapon',
+ '__x64_sys_swapoff',
+ '__x64_sys_reboot',
+ '__x64_sys_sethostname',
+ '__x64_sys_setdomainname',
+ '__x64_sys_iopl',
+ '__x64_sys_ioperm',
+ 'sys_ni_syscall',
+ '__x64_sys_init_module',
+ '__x64_sys_delete_module',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ '__x64_sys_quotactl',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ '__x64_sys_gettid',
+ '__x64_sys_readahead',
+ '__x64_sys_setxattr',
+ '__x64_sys_lsetxattr',
+ '__x64_sys_fsetxattr',
+ '__x64_sys_getxattr',
+ '__x64_sys_lgetxattr',
+ '__x64_sys_fgetxattr',
+ '__x64_sys_listxattr',
+ '__x64_sys_llistxattr',
+ '__x64_sys_flistxattr',
+ '__x64_sys_removexattr',
+ '__x64_sys_lremovexattr',
+ '__x64_sys_fremovexattr',
+ '__x64_sys_tkill',
+ '__x64_sys_time',
+ '__x64_sys_futex',
+ '__x64_sys_sched_setaffinity',
+ '__x64_sys_sched_getaffinity',
+ 'sys_ni_syscall',
+ '__x64_sys_io_setup',
+ '__x64_sys_io_destroy',
+ '__x64_sys_io_getevents',
+ '__x64_sys_io_submit',
+ '__x64_sys_io_cancel',
+ 'sys_ni_syscall',
+ '__x64_sys_lookup_dcookie',
+ '__x64_sys_epoll_create',
+ 'sys_ni_syscall',
+ 'sys_ni_syscall',
+ '__x64_sys_remap_file_pages',
+ '__x64_sys_getdents64',
+ '__x64_sys_set_tid_address',
+ '__x64_sys_restart_syscall',
+ '__x64_sys_semtimedop',
+ '__x64_sys_fadvise64',
+ '__x64_sys_timer_create',
+ '__x64_sys_timer_settime',
+ '__x64_sys_timer_gettime',
+ '__x64_sys_timer_getoverrun',
+ '__x64_sys_timer_delete',
+ '__x64_sys_clock_settime',
+ '__x64_sys_clock_gettime',
+ '__x64_sys_clock_getres',
+ '__x64_sys_clock_nanosleep',
+ '__x64_sys_exit_group',
+ '__x64_sys_epoll_wait',
+ '__x64_sys_epoll_ctl',
+ '__x64_sys_tgkill',
+ '__x64_sys_utimes',
+ 'sys_ni_syscall',
+ '__x64_sys_mbind',
+ '__x64_sys_set_mempolicy',
+ '__x64_sys_get_mempolicy',
+ '__x64_sys_mq_open',
+ '__x64_sys_mq_unlink',
+ '__x64_sys_mq_timedsend',
+ '__x64_sys_mq_timedreceive',
+ '__x64_sys_mq_notify',
+ '__x64_sys_mq_getsetattr',
+ '__x64_sys_kexec_load',
+ '__x64_sys_waitid',
+ '__x64_sys_add_key',
+ '__x64_sys_request_key',
+ '__x64_sys_keyctl',
+ '__x64_sys_ioprio_set',
+ '__x64_sys_ioprio_get',
+ '__x64_sys_inotify_init',
+ '__x64_sys_inotify_add_watch',
+ '__x64_sys_inotify_rm_watch',
+ '__x64_sys_migrate_pages',
+ '__x64_sys_openat',
+ '__x64_sys_mkdirat',
+ '__x64_sys_mknodat',
+ '__x64_sys_fchownat',
+ '__x64_sys_futimesat',
+ '__x64_sys_newfstatat',
+ '__x64_sys_unlinkat',
+ '__x64_sys_renameat',
+ '__x64_sys_linkat',
+ '__x64_sys_symlinkat',
+ '__x64_sys_readlinkat',
+ '__x64_sys_fchmodat',
+ '__x64_sys_faccessat',
+ '__x64_sys_pselect6',
+ '__x64_sys_ppoll',
+ '__x64_sys_unshare',
+ '__x64_sys_set_robust_list',
+ '__x64_sys_get_robust_list',
+ '__x64_sys_splice',
+ '__x64_sys_tee',
+ '__x64_sys_sync_file_range',
+ '__x64_sys_vmsplice',
+ '__x64_sys_move_pages',
+ '__x64_sys_utimensat',
+ '__x64_sys_epoll_pwait',
+ '__x64_sys_signalfd',
+ '__x64_sys_timerfd_create',
+ '__x64_sys_eventfd',
+ '__x64_sys_fallocate',
+ '__x64_sys_timerfd_settime',
+ '__x64_sys_timerfd_gettime',
+ '__x64_sys_accept4',
+ '__x64_sys_signalfd4',
+ '__x64_sys_eventfd2',
+ '__x64_sys_epoll_create1',
+ '__x64_sys_dup3',
+ '__x64_sys_pipe2',
+ '__x64_sys_inotify_init1',
+ '__x64_sys_preadv',
+ '__x64_sys_pwritev',
+ '__x64_sys_rt_tgsigqueueinfo',
+ '__x64_sys_perf_event_open',
+ '__x64_sys_recvmmsg',
+ '__x64_sys_fanotify_init',
+ '__x64_sys_fanotify_mark',
+ '__x64_sys_prlimit64',
+ '__x64_sys_name_to_handle_at',
+ '__x64_sys_open_by_handle_at',
+ '__x64_sys_clock_adjtime',
+ '__x64_sys_syncfs',
+ '__x64_sys_sendmmsg',
+ '__x64_sys_setns',
+ '__x64_sys_getcpu',
+ '__x64_sys_process_vm_readv',
+ '__x64_sys_process_vm_writev',
+ '__x64_sys_kcmp',
+ '__x64_sys_finit_module',
+ '__x64_sys_sched_setattr',
+ '__x64_sys_sched_getattr',
+ '__x64_sys_renameat2',
+ '__x64_sys_seccomp',
+ '__x64_sys_getrandom',
+ '__x64_sys_memfd_create',
+ '__x64_sys_kexec_file_load',
+ '__x64_sys_bpf',
+ '__x64_sys_execveat',
+ '__x64_sys_userfaultfd',
+ '__x64_sys_membarrier',
+ '__x64_sys_mlock2',
+ '__x64_sys_copy_file_range',
+ '__x64_sys_preadv2',
+ '__x64_sys_pwritev2',
+ '__x64_sys_pkey_mprotect',
+ '__x64_sys_pkey_alloc',
+ '__x64_sys_pkey_free',
+ '__x64_sys_statx',
+ '__x64_sys_io_pgetevents',
+ '__x64_sys_rseq'
+]
+
+
+
+
+class RkCheckFunctions(gdb.Command):
+ """Check the integrity of the functions in the kernel."""
+
+ f = None
+ s = None
+ d = None
+
+ def __init__(self):
+ super(RkCheckFunctions, self).__init__("rk-check-functions", gdb.COMMAND_USER, gdb.COMMAND_DATA)
+
+ # assuming rk-load-symbols has already been run
+ def invoke(self, arg, from_tty):
+ global file_g
+
+ if file_g is None:
+ print("no object file has been read in to calculate offsets, please run `rk-load-symbols` first.")
+ return None
+
+ self.f = elffile.ELFFile(open(file_g, "rb"))
+ self.s = self.f.get_section_by_name(".symtab")
+ self.d = self.f.get_section_by_name(".data")
+
+ for i in self.s.iter_symbols():
+ if i.entry["st_info"]["type"] == "STT_FUNC":
+ print(i.name, i.entry["st_info"]["type"], i.entry["st_size"], hex(i.entry["st_value"]))
+ self.compare_function(i.name, i.entry["st_size"], i.entry["st_value"])
+
+ def compare_function(self, name, size, value):
+ # TODO: compare `size` number of bytes starting from `value` in ELF
+ # with `size` number of bytes starting from address of symbol
+ # on running machine
+ # NOTE: what if first `size` bytes are the same, but after that,
+ # malicious code is defined on running machine?
+ pass
+
+
+RkCheckFunctions()
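Review bot: `RkCheckFunctions.invoke` opens the object file with `open(file_g, "rb")` and never closes it, and it calls `self.s.iter_symbols()` without checking that `.symtab` was found. On a stripped image the command would fail with an AttributeError on None rather than a readable message; the fence below scopes the handle with `with` and returns early when the section is missing. Because `compare_function` is still `pass`, the command lists every STT_FUNC symbol but gives no verdict, so it should print something like `print("function comparison not implemented; no integrity result")` to keep the listing from being read as a clean result. When the comparison is written, note that `st_value` is a link-time address: the file bytes have to be located through the symbol's own section (the `.data` section fetched here is unused and is unlikely to hold function code), and the live address presumably needs `v_off_g` added. Kernel text that is patched at run time may also differ from the ELF without tampering, so the check will need to tolerate that.

```python
    def invoke(self, arg, from_tty):
        # … unchanged: file_g check …
        with open(file_g, "rb") as fh:
            # ELFFile reads lazily from fh, so the symbol walk stays inside the with-block.
            self.f = elffile.ELFFile(fh)
            self.s = self.f.get_section_by_name(".symtab")
            if self.s is None:
                print("no .symtab section in object file (stripped?), cannot enumerate functions")
                return None

            for i in self.s.iter_symbols():
                if i.entry["st_info"]["type"] != "STT_FUNC":
                    continue
                # … unchanged: print and compare_function call …
```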