TheKernelShell
Kernsh is an interactive, modular, and scriptable interpreter of the ERESI language dedicated to static and runtime access to the kernel's on-disk image and to kernel memory. Kernsh can apply most of the userland ERESI features at the kernel level. Additionally, kernsh makes it possible to obtain and modify kernel information directly from userland using ERESI scripting. It can access the syscall table, the IDT, the GDT and the symbol table, insert modules into memory without LKM support, and so on. Because Kernsh is completely integrated into the ERESI framework, it can create new type definitions and annotate kernel memory, so that potentially every kernel object can be accessed from ERESI scripts once its format has been defined by the user. Kernsh ships with a large configuration file predefining the most popular kernel structures for the Linux 2.4 and 2.6 kernel versions.
- Read/Write anywhere in the kernel, both in the static image and in memory (/dev/(k)mem, /proc/kcore, or an LKM via /proc or syscall), directly in the ERESI language
- Consultation and modification of Linux 2.4 and 2.6 kernel structures (syscall table, etc.) and symbols
- Consultation and modification of Intel-specific kernel structures (IDT, GDT, etc.)
- Disassembling kernel memory
- Read and modify the static kernel image
- Alloc/Free kernel memory (contiguous and non-contiguous)
- Inject new compiled LKM code (ET_REL) into a static kernel or kernel memory
- Hash kernel functions and portions of code (fingerprinting)
- Redirect initialisation of loadable kernel module
- Kernel function redirection
- Read/Write into process virtual memory (/proc, syscall)
- Dump Virtual Memory Areas of process id (/proc, syscall)
This list shows major modifications in Kernsh since the first version:
- July 28 2007 - Kernsh available for Linux ia32
Features | Linux IA32 | FreeBSD IA32 | NetBSD IA32 | Solaris IA32 | Linux SPARC | FreeBSD SPARC | NetBSD SPARC | Solaris SPARC |
---|---|---|---|---|---|---|---|---|
Kernel memory allocation | Yes | WIP | WIP | No | No | No | No | No |
Kernel memory read/write | Yes | WIP | WIP | No | No | No | No | No |
Display and modification of kernel objects | Yes | WIP | WIP | No | No | No | No | No |
Disassembling kernel code | Yes | WIP | WIP | No | No | No | No | No |
Static kernel manipulation | Yes | WIP | WIP | No | No | No | No | No |
LKM injection in memory | Yes | WIP | WIP | No | No | No | No | No |
Function redirection | Yes | WIP | WIP | No | No | No | No | No |
Kernel memory fingerprinting | Yes | WIP | WIP | No | No | No | No | No |
Static kernel module patching | Yes | WIP | WIP | No | No | No | No | No |
Process Virtual Memory(read/write, vma) | Yes | WIP | WIP | No | No | No | No | No |
Unavailable features are open to contributions, provided nobody else has already taken over the implementation of that feature on the bts.
The Kernel shell depends on other components of the ERESI framework:
- The Reverse Engineering Vector Machine (for the trace interface).
- The Kernel shell library.
- The ERESI standard library.
- The ERESI aspect library.
- ERESI: une plate-forme d'analyse binaire au niveau noyau (ERESI: a kernel-level binary analysis platform), SSTIC'08, by Anthony Desnos, Sebastien Roy, and Julien Vanegue
This article gives a good tutorial on the kernel shell, as well as some information on the project's design and on how it fits together with the other components of the ERESI framework.