
Fix getkcore.c when KASLR is enabled

Open v14dz opened this issue 5 years ago • 0 comments

The getkcore.c PoC didn't work with KASLR enabled; this commit fixes the bug. It finds the RAM regions in kcore by using the program headers' physical addresses instead of the hard-coded base address 0xffff880000000000.

Without KASLR (kernel booted with the nokaslr option):

# readelf -aW /proc/kcore
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
[...]
  LOAD           0x88000003000 0xffff888000001000 0x0000000000001000 0x09e000 0x09e000 RWE 0x1000
  LOAD           0x88000102000 0xffff888000100000 0x0000000000100000 0x3fef0000 0x3fef0000 RWE 0x1000

With KASLR, the VirtAddr values are randomized, so the hard-coded value can't be used:

  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x168e00003000 0xffff968e00001000 0x0000000000001000 0x09e000 0x09e000 RWE 0x1000
  LOAD           0x168e00102000 0xffff968e00100000 0x0000000000100000 0x3fef0000 0x3fef0000 RWE 0x1000

v14dz, Dec 14 '20 21:12
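The lookup this fix describes, as an added example that is not the PR's getkcore.c: it parses the ELF64 program headers of a kcore image, keeps the PT_LOAD segments that carry a physical address, and maps a physical address to the file offset to read, so no virtual base address is needed. The sample image is constructed from the two KASLR headers quoted above; treating p_paddr = -1 as "no physical backing" is an assumption about how the kernel labels non-RAM segments.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

struct kcore_region { uint64_t paddr, size, off; }; /* one RAM-backed PT_LOAD */
/* Walk the ELF64 program headers of a kcore image and keep the PT_LOAD segments that
 * carry a physical address (assumption: non-RAM segments such as vmalloc have p_paddr = -1). */
int kcore_ram_regions(const unsigned char *img, size_t len, struct kcore_region *out, int max)
{
    Elf64_Ehdr eh;
    int n = 0;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    for (int i = 0; i < eh.e_phnum && n < max; i++) {
        Elf64_Phdr ph;
        size_t pos = eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (pos + sizeof ph > len) return -1;           /* truncated header table */
        memcpy(&ph, img + pos, sizeof ph);
        if (ph.p_type != PT_LOAD || ph.p_paddr == (Elf64_Addr)-1) continue;
        out[n++] = (struct kcore_region){ ph.p_paddr, ph.p_memsz, ph.p_offset };
    }
    return n;
}
/* Map a physical address to its kcore file offset; -1 if no RAM region covers it.
 * No virtual base address is involved, so KASLR does not affect the result. */
int64_t kcore_offset_for_paddr(const struct kcore_region *r, int n, uint64_t paddr)
{
    for (int i = 0; i < n; i++)
        if (paddr >= r[i].paddr && paddr - r[i].paddr < r[i].size)
            return (int64_t)(r[i].off + (paddr - r[i].paddr));
    return -1;
}
/* Constructed sample: ELF header, the two KASLR LOAD headers quoted in the PR, and one
 * vmalloc-style segment with p_paddr = -1 that must be skipped. Returns the image size. */
size_t build_sample_kcore(unsigned char *buf)
{
    Elf64_Ehdr eh = { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64 }, .e_type = ET_CORE,
                      .e_phoff = sizeof(Elf64_Ehdr), .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 3 };
    Elf64_Phdr ph[3] = {
        { PT_LOAD, PF_R|PF_W|PF_X, 0x168e00003000, 0xffff968e00001000, 0x1000, 0x9e000, 0x9e000, 0x1000 },
        { PT_LOAD, PF_R|PF_W|PF_X, 0x168e00102000, 0xffff968e00100000, 0x100000, 0x3fef0000, 0x3fef0000, 0x1000 },
        { PT_LOAD, PF_R|PF_W|PF_X, 0x7fffc0000000, 0xffffc90000000000, (Elf64_Addr)-1, 0x1000, 0x1000, 0x1000 },
    };
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}
```

To use it on a live system, read the first few kilobytes of /proc/kcore into the buffer instead of calling build_sample_kcore, then lseek to the returned offset for each physical page you want to acquire.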