快速读出linux 内核中全局变量
查问题时发现全局变量能读出来会提高效率,于是考虑从怎么读出内核态的全局变量,脚本如下
f = open("/proc/kcore", 'rb')
f.seek(4) # skip magic
assert f.read(1) == b'\x02' # 64 位def read_number(bytes):return int.from_bytes(bytes, 'little', signed=False)elf_header_len = 64
f.seek(elf_header_len - 10)
sec_header_size = read_number(f.read(2))
sec_header_num = read_number(f.read(2))f.seek(elf_header_len + sec_header_size) # ignore note section
sections = []
for i in range(1, sec_header_num):sec_header = f.read(sec_header_size)sections.append({'offset': hex(read_number(sec_header[8:16])),'vaddr': hex(read_number(sec_header[16:24])),'size': hex(read_number(sec_header[32:40])),})print(f"section {i}: " + str(sections[-1]))def addr_to_offset(addr):for sec in sections:vaddr = int(sec['vaddr'], 16)size = int(sec['size'], 16)if addr >= vaddr and addr < vaddr + size:return int(sec['offset'], 16) + (addr - vaddr)raise Exception("ilegel_addr: " + hex(addr))def read_offset_value(offset, type):support_types = ['u8', 'u16', 'u32', 'u64', 's8', 's16', 's32', 's64', 'string','x8','x16','x32','x64']if type not in support_types:raise Exception("type should be in " + str())f.seek(offset)if type == 'string':ret = b''ch = f.read(1)while ch != b'\x00':ret += chch = f.read(1)return retelif type.startswith('s'):return int.from_bytes(f.read(int(type[1:]) // 8), 'little', signed=True)elif type.startswith('u'):return int.from_bytes(f.read(int(type[1:]) // 8), 'little', signed=False)else: # 'x'return hex(int.from_bytes(f.read(int(type[1:]) // 8), 'little', signed=False))def split_to_three_part(path):path = path.strip()prefixes = []suffixes = []prefix_bound = path.find('(')suffix_bound = path.rfind(')')while prefix_bound != -1:prefix = eval(path[:prefix_bound])prefixes.append(prefix)if suffix_bound == -1:raise Exception(f"unmatch backet for {path}")suffix = path[suffix_bound+1:]suffix = eval(suffix) if suffix else 0suffixes.append(suffix)path = path[prefix_bound+1:suffix_bound].strip()prefix_bound = path.find('(')suffix_bound = path.rfind(')')plus_start = path.find('+')if plus_start == -1:plus_start = len(path)minus_start = path.find('-')if minus_start == -1:minus_start = len(path)middle = path[:min(plus_start, minus_start)].strip()middle_part2 = path[len(middle):]middle_part2 = eval(middle_part2) if middle_part2 else 0prefixes.reverse()suffixes.reverse()return prefixes, middle, middle_part2, suffixeswhile True:import sysimport reimport ossys.stdin.flush()msg = input("输入:").strip()try:path, type = msg.split(':')prefixes, middle, middle_part2, suffixes = split_to_three_part(path)if middle.startswith('0x') or re.search(r'[a-z,A-Z]+', middle) is None:start_addr = eval(middle)else: # is variable nameret = os.popen("cat /proc/kallsyms | grep \"" + middle + "\" | awk '{print $1,$3}'").read().strip()if ret == '':raise Exception("no symbol " + middle + " found, please load module first")ret = [i.split(' ') for i in ret.split('\n')]if len(ret) == 1:start_addr = int(ret[0][0], 16)else:find_exact = Falsefor it in ret:if it[1] == start_addr:start_addr = int(it[0], 16)find_exact = Truebreakif not find_exact:print(f"maybe you means:")for it in ret:print(f" {it[1]}")print(f"find {len(ret)} candidates.")continuestart_offset = addr_to_offset(start_addr + middle_part2)for pre, suf in zip(prefixes, suffixes):start_addr = read_offset_value(start_offset, 'u64')start_offset = pre + addr_to_offset(start_addr) + sufprint(read_offset_value(start_offset, type))except Exception as e:print(e)输入的格式与 kprobe 的格式类似:+/-偏移(地址)+/-偏移:输出类型
输出类型有:‘u8’, ‘u16’, ‘u32’, ‘u64’, ‘s8’, ‘s16’, ‘s32’, ‘s64’, ‘string’,‘x8’,‘x16’,‘x32’,‘x64’
使用效果如下:
