Issue
I'm currently working on an LKM to intercept some syscalls for printing statistics about them system-wide.
I've come across different ways of getting the sys_call_table address, but have yet to find a way that works on newer kernels (5.11). Before, wouldn't we have used kallsyms_lookup_name? But it looks like that symbol is no longer exported.
I could just look at /proc/kallsyms, but this seems like a bad idea and not generalizable.
Thank you for any guidance or suggested alternatives!
Solution
Before, wouldn't we have used kallsyms_lookup_name? But it looks like that symbol is no longer exported.
Yes, that's what you would have used before 5.7.0, when the symbol stopped being exported because nobody was using it outside of core kernel code, and it was just there to be abused by modules to find and use other non-exported symbols.
You don't have many options (these are just "hacks"):
- If you are compiling the kernel already, just re-add the export directives after the functions in kernel/kallsyms.c.
- If you are just playing around for educational purposes, you can use an unsigned long module parameter or simply hardcode the symbol address in your module before compiling (taking it from /proc/kallsyms) and then cast it to the appropriate type.
- You could also re-implement the functionality by yourself in your module looking at kernel/kallsyms.c to see how it works.
- You technically could also open and read /proc/kallsyms from kernel space using filp_open(), though that'd be kind of insane to be honest.
- If you are writing an actual serious kernel module, avoid using the function (or re-implementing it). You shouldn't use it anyway.
Answered By - Marco Bonelli Answer Checked By - Senaida (WPSolving Volunteer)
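
For the module-parameter option in the answer, the address has to be read from /proc/kallsyms first. The following userspace sketch is an added example, not part of the original answer: it parses that file's line format and reports the case where an unprivileged reader typically sees zeroed addresses (kptr_restrict). The helper name `kallsyms_find`, the return codes and all sample lines and addresses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format: "<hex addr> <type> <name>[\t[module]]". */
static const char SAMPLE_ROOT[] =
    "ffffffff81000000 T _text\n"
    "ffffffff82001320 R ia32_sys_call_table\n"
    "ffffffff820002a0 R sys_call_table\n"
    "ffffffffc0a01000 t demo_init\t[demo_mod]\n";
/* Constructed: the same file as an unprivileged reader sees it under kptr_restrict. */
static const char SAMPLE_RESTRICTED[] =
    "0000000000000000 T _text\n"
    "0000000000000000 R sys_call_table\n";

enum { KS_OK = 0, KS_NOT_FOUND = -1, KS_HIDDEN = -2 };
/* Hypothetical helper: find an exact symbol name in kallsyms-formatted text. */
int kallsyms_find(const char *text, const char *sym, unsigned long long *addr)
{
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256], name[128], type;
        unsigned long long a;
        if (len < sizeof(buf)) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* %127s stops at whitespace, so a trailing "\t[module]" is ignored. */
            if (sscanf(buf, "%llx %c %127s", &a, &type, name) == 3 &&
                strcmp(name, sym) == 0) {
                if (a == 0)
                    return KS_HIDDEN; /* zeroed address: unusable as a parameter */
                *addr = a;
                return KS_OK;
            }
        }
        line += len + (eol ? 1 : 0);
    }
    return KS_NOT_FOUND;
}

int main(void)
{
    unsigned long long a = 0;
    int rc = kallsyms_find(SAMPLE_ROOT, "sys_call_table", &a);
    printf("privileged: rc=%d addr=0x%llx\n", rc, a);
    printf("restricted: rc=%d\n", kallsyms_find(SAMPLE_RESTRICTED, "sys_call_table", &a));
    return 0;
}
```

The name comparison is exact, so `ia32_sys_call_table` is never mistaken for `sys_call_table`.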