{"id":254,"date":"2018-02-19T16:49:28","date_gmt":"2018-02-20T00:49:28","guid":{"rendered":"https:\/\/sysprogs.com\/tutorials\/?p=254"},"modified":"2018-02-19T16:49:28","modified_gmt":"2018-02-20T00:49:28","slug":"debugging-linux-kernels-with-kaslr","status":"publish","type":"post","link":"https:\/\/sysprogs.com\/VisualKernel\/tutorials\/kaslr\/","title":{"rendered":"Debugging Linux Kernels with KASLR"},"content":{"rendered":"

This tutorial shows how to use VisualKernel to debug Linux kernels with KASLR enabled.<\/p>\n

KASLR (Kernel Address Space Layout Randomization) is a technique that\u00a0provides an extra layer of protection\u00a0against certain types of attacks by changing the\u00a0kernel load address each time the system is started. Although it increases the system security, it complicates debugging a KASLR-enabled kernel, as the debugger would require extra steps in order to map\u00a0the functions and data in memory to the corresponding debug symbols, that won’t have matching addresses anymore, as the addresses of kernel symbols change after each restart:\"\"<\/p>\n

In this tutorial we will\u00a0create a basic kernel module under a KASLR-enabled kernel and will show how to debug it in both regular and post-mortem modes. Before you begin, install VisualKernel 3.0 or later.<\/p>\n

    \n
  1. Start Visual Studio and open the\u00a0VisualKernel Module Project Wizard:
    \n\"\"<\/li>\n
  2. Select “Create a new kernel module” -> “Hello, World”:\"\"<\/li>\n
  3. Select the\u00a0target machine running a KASLR-enabled kernel:\"\"<\/li>\n
  4. Proceed with the default file access settings (store sources on Windows, upload modified sources on build):\"\"<\/li>\n
  5. Finally select the debugging settings that match your system.\u00a0In this tutorial we will demonstrate debugging a crashed kernel, so we will use the direct VMWare debug connection that\u00a0runs on top of the kernel itself and won’t be affected by the kernel crash:
    \n\"\"<\/li>\n
  6. Press “Finish” to create the project. Build it by pressing Ctrl-Shift-B and,\u00a0set a\u00a0breakpoint in the init() function and start your module.\u00a0VisualKernel will load the module and the breakpoint will trigger:\"\"<\/li>\n
  7. Despite the use of KASLR, VisualKernel was able to\u00a0map the\u00a0code addresses in the memory to the meaningful symbol names and source file locations. This is achieved by querying the \/proc\/kallsyms<\/strong> file before starting the debug session, comparing\u00a0its\u00a0contents with the actual kernel symbols and adjusting the\u00a0section offsets\u00a0automatically:\"\"<\/li>\n
  8. Now we will show how to debug a crashed kernel with KASLR enabled. Replace the main\u00a0source file contents with the following code:\n
    #include <linux\/init.h>\r\n#include <linux\/module.h>\r\n#include <linux\/timer.h>\r\n\r\nMODULE_LICENSE(\"Proprietary\");\r\n\r\nstruct timer_list s_Timer;\r\n\r\nvoid timer_callback(unsigned long unused) \r\n{\r\n panic(\"Attach debugger now!\");\r\n}\r\n\r\nstatic int __init KASLRDemo_init(void)\r\n{\r\n printk(\"KASLRDemo: Hello, world!\\n\");\r\n init_timer(&s_Timer);\r\n setup_timer(&s_Timer, timer_callback, 0);\r\n mod_timer(&s_Timer, jiffies + msecs_to_jiffies(200));\r\n return 0;\r\n}\r\n\r\nstatic void __exit KASLRDemo_exit(void)\r\n{\r\n printk(\"KASLRDemo: Goodbye, world!\\n\");\r\n}\r\n\r\nmodule_init(KASLRDemo_init);\r\nmodule_exit(KASLRDemo_exit);<\/pre>\n<\/li>\n
  9. Then open VisualKernel Project properties and enable debugging of crashed kernels and\u00a0the use of offline kallsyms dumps. Click “create\/update” to automatically create a dump\u00a0of the kallsyms<\/strong> file:\"\"<\/li>\n
  10. The dump\u00a0simply contains the raw contents of the \/proc\/kallsyms<\/strong> file.\u00a0If you restart your target system often, you can configure it to\u00a0simply\u00a0read \/proc\/kallsyms<\/strong> to a text file on each start and upload its contents\u00a0to a location where VisualKernel can access it:
    \n\"\"<\/li>\n
  11. Build the modified kernel module and load it without starting a debug session:\"\"<\/li>\n
  12. The\u00a0Linux system will crash.\u00a0Go back to the\u00a0Visual Studio window and start debugging by pressing F5. VisualKernel will use the dump file you created to\u00a0adjust the symbol offsets for the kernel and will recover the call stack. Right-click on the “KASLRDemo + <address>” line and select “Load Symbols”:\"\"<\/li>\n
  13. VisualKernel will\u00a0load the symbols for your module and will show the location in the source file that caused the crash:\"\"<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
    This tutorial shows how to use VisualKernel to debug Linux kernels with KASLR enabled. KASLR (Kernel Address Space Layout Randomization)<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[44],"_links":{"self":[{"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/posts\/254"}],"collection":[{"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/comments?post=254"}],"version-history":[{"count":1,"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/posts\/254\/revisions"}],"predecessor-version":[{"id":270,"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/posts\/254\/revisions\/270"}],"wp:attachment":[{"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/media?parent=254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/categories?post=254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sysprogs.com\/tutorials\/wp-json\/wp\/v2\/tags?post=254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}