kernel symbol marked with T in /proc/kallsyms is not exported
The "T" mark in /proc/kallsyms means that the symbol is globally visible and can be used in other kernel code (e.g. by drivers compiled built-in).
But to be usable in a kernel module's code, the symbol needs to be exported using EXPORT_SYMBOL or similar. The list of exported symbols is maintained separately from the list of all symbols in the kernel.
Exported symbols can be found in the file /lib/modules/<kernel-version>/build/Module.symvers (this file should exist so that kernel modules can be built against the given kernel).
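The distinction drawn in the answer above can be checked mechanically. The following is an added example, not part of the original answer: the function name sym_status, the demo_* symbol names and the sample data are constructed, and it assumes the common Module.symvers field order (CRC, symbol, module, export type).

```shell
#!/bin/sh
# sym_status KALLSYMS SYMVERS NAME   (hypothetical helper, added example)
# Prints: exported | global-not-exported | local | absent
sym_status() {
    # Module.symvers is tab-separated; assumed order: CRC, symbol, module,
    # export type (EXPORT_SYMBOL, EXPORT_SYMBOL_GPL, ...).
    if awk -F '\t' -v s="$3" \
        '$2 == s && $4 ~ /^EXPORT_SYMBOL/ { f = 1 } END { exit !f }' "$2"
    then
        echo exported
        return 0
    fi
    # kallsyms lines are "address type name [module]". Only type and name
    # are read, so this works even when the addresses are shown as zeros.
    # Upper-case type letters are global, lower-case ones are local (nm style).
    awk -v s="$3" '
        $3 == s {
            r = ($2 == toupper($2)) ? "global-not-exported" : "local"
            print r
            found = 1
            exit
        }
        END { if (!found) print "absent" }' "$1"
}

# Constructed sample data: hypothetical symbol names, zeroed addresses.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
K=$tmp/kallsyms
S=$tmp/Module.symvers
cat > "$K" <<'EOF'
0000000000000000 T demo_exported_fn
0000000000000000 T demo_global_fn
0000000000000000 t demo_static_fn
EOF
printf '0x00000000\tdemo_exported_fn\tvmlinux\tEXPORT_SYMBOL_GPL\t\n' > "$S"

for n in demo_exported_fn demo_global_fn demo_static_fn demo_missing_fn; do
    printf '%s: %s\n' "$n" "$(sym_status "$K" "$S" "$n")"
done
```

On a real system the two file arguments would be /proc/kallsyms and /lib/modules/<kernel-version>/build/Module.symvers.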
Trying to modify a kernel
The address is not being shown because you are not running the command as the root user.
This issue has been explained in this answer.
In your case, you need to obtain super-admin rights using either the sudo -s or su command. Once admin, your shell prompt should end with a #. On my OnePlus, the prompt looks like this when I am admin: A0001:/ #
If it does not work, be sure that the file /proc/sys/kernel/kptr_restrict contains a 0. You can check by executing the command cat /proc/sys/kernel/kptr_restrict.
To set its value to 0, you should execute the command echo 0 > /proc/sys/kernel/kptr_restrict with administrative rights.
Hope it helps!
Unable to access sys_call_table
Ok, so the answer is like Chris said: "You cannot modify the kernel from a user mode program!"
I compiled it as an LKM and loaded it using the insmod command, and it worked.
PS: I have also found that only LKM modules can read /proc/kallsyms. User space programs are no longer able to do so due to a kernel patch in Android 4.1. /proc/sys/kernel/kptr_restrict was introduced to avoid leaking kernel addresses.
So now, in order for userspace programs to see the kallsyms address, we can set kptr_restrict to either 0 or 1.
echo 1 > /proc/sys/kernel/kptr_restrict
Info can be found here:
https://blog.duosecurity.com/2012/07/exploit-mitigations-in-android-jelly-bean-4-1/
And here: http://insitusec.blogspot.sg/2013/01/kallsyms-on-android.html
Linux: Detect 64-bit kernel (long mode) from 32-bit user mode program
Call the uname() function and check the returned machine string, which will be x86_64 for a 64-bit Intel platform.
One way of reversing the effect of the use of setarch is to reset the personality:
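#include <stdio.h>
#include <sys/utsname.h>
#include <sys/personality.h>

int main(void)
{
    struct utsname u;

    /* Reset the personality so a preceding setarch does not change
       what uname() reports for the machine. */
    personality(PER_LINUX);
    uname(&u);
    /* Prints the kernel's machine string, e.g. x86_64. */
    puts(u.machine);
    return 0;
}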
This shows the right results when compiled in 32-bit mode and run on a 64-bit system:
$ gcc -m32 -o u u.c
$ ./u
x86_64
$ setarch i686 ./u
x86_64
EDIT: Fixed code to reverse effect of setarch.
Reference.