TheLibKernsh
The Kernel shell library (libkernsh) is the kernel accessibility library of the Kernel shell (Kernsh). Libkernsh allows static operations on the kernel image as well as runtime operations on kernel memory. Libkernsh currently works only on the Linux operating system. It can be used outside Kernsh, or even outside the ERESI framework.
The main features of the Kernel shell library are:
- Read/Write anywhere in the kernel, either in the static image or in live memory (through /dev/mem, /dev/kmem, /proc/kcore, or a helper LKM driven via /proc or a syscall), directly from the ERESI language
- Inspection and modification of Linux 2.4 and 2.6 kernel structures (syscall table, etc.) and symbols
- Inspection and modification of Intel-specific kernel structures (IDT, GDT, etc.)
- Disassembling kernel memory
- Read and modify the static kernel image
- Alloc/Free kernel memory (contiguous and non contiguous)
- Inject new compiled LKM code (ET_REL) into a static kernel or kernel memory
- Hashing of kernel functions and arbitrary portions of code
- Redirection of the initialisation routine of a loadable kernel module
- Kernel function redirection
- Read/Write into process virtual memory (/proc, syscall)
- Dump Virtual Memory Areas of process id (/proc, syscall)
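As an added illustration (not libkernsh or ERESI code) of the /proc/kcore access path listed above: /proc/kcore is an ELF core file, so reading kernel memory through it amounts to parsing its PT_LOAD program headers and translating a kernel virtual address to a file offset. The C program below does that translation for ELF32 and ELF64 little-endian images, refuses reads that would run past the segment that covers the address, and exercises the lookup on a constructed in-memory image. The segment addresses 0xc0100000 and 0xf8000000, the planted value 0xc01a2b3c and all function names are assumptions made for the demonstration, not values from this page.

```c
/* Added example (not libkernsh or ERESI code): reading kernel memory through
 * /proc/kcore, an ET_CORE ELF file whose PT_LOAD program headers map kernel
 * virtual address ranges (p_vaddr, p_filesz) onto file offsets (p_offset).
 * Fields are read by offset so ELF32 (IA32) and ELF64 images are both handled. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field accessors (x86 kcore images are little-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Map kernel virtual address vaddr to a file offset of the core image whose ELF
 * header and program header table are in img[0..len). On success *off is the
 * offset and *avail the bytes left in that segment; a read must stop there,
 * because kcore segments are not contiguous in the file. Returns -1 if img is
 * not a little-endian ELF core, is truncated, or no PT_LOAD covers vaddr. */
int kcore_vaddr_to_offset(const uint8_t *img, size_t len, uint64_t vaddr,
                          uint64_t *off, uint64_t *avail)
{
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0 || img[5] != 1) /* EI_DATA = ELFDATA2LSB */
        return -1;
    int is64 = (img[4] == 2);                                /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (rd16(img + 16) != 4) return -1;                      /* e_type must be ET_CORE */
    uint64_t phoff = is64 ? rd64(img + 32) : rd32(img + 28); /* e_phoff */
    uint16_t phsz  = rd16(img + (is64 ? 54 : 42));           /* e_phentsize */
    uint16_t phnum = rd16(img + (is64 ? 56 : 44));           /* e_phnum */
    if (phsz < (is64 ? 56 : 32)) return -1;                  /* entries too small to be phdrs */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t ph = phoff + (uint64_t)i * phsz;
        if (ph > len || phsz > len - ph)                     /* truncated phdr table */
            return -1;
        const uint8_t *p = img + ph;
        if (rd32(p) != 1)                                    /* p_type must be PT_LOAD */
            continue;
        uint64_t p_offset, p_vaddr, p_filesz;
        if (is64) { p_offset = rd64(p + 8); p_vaddr = rd64(p + 16); p_filesz = rd64(p + 32); }
        else      { p_offset = rd32(p + 4); p_vaddr = rd32(p + 8);  p_filesz = rd32(p + 16); }
        if (vaddr >= p_vaddr && vaddr - p_vaddr < p_filesz) {
            *off   = p_offset + (vaddr - p_vaddr);
            *avail = p_filesz - (vaddr - p_vaddr);
            return 0;
        }
    }
    return -1;
}

/* Copy n bytes at kernel address vaddr out of an in-memory core image; with the
 * real /proc/kcore the offset would be handed to pread() instead. */
int kcore_read(const uint8_t *img, size_t len, uint64_t vaddr, void *dst, size_t n)
{
    uint64_t off, avail;
    if (kcore_vaddr_to_offset(img, len, vaddr, &off, &avail) != 0 || n > avail)
        return -1;
    if (off > len || n > len - off)                          /* header promises bytes the image lacks */
        return -1;
    memcpy(dst, img + off, n);
    return 0;
}

/* Build a constructed (not captured) ELF32 core image shaped like an IA32
 * /proc/kcore: two 4 KiB PT_LOAD segments (kernel text at 0xc0100000, vmalloc
 * area at 0xf8000000), payload at file offset 4096, and an assumed pointer
 * value planted at 0xc0100010. Returns the image length, 0 if cap is too small. */
size_t build_sample_kcore(uint8_t *img, size_t cap)
{
    const size_t ehsz = 52, phsz = 32, data_off = 4096, len = data_off + 0x2000;
    if (cap < len) return 0;
    memset(img, 0, len);
    memcpy(img, "\177ELF", 4);
    img[4] = 1; img[5] = 1; img[6] = 1;                      /* ELF32, little-endian, EV_CURRENT */
    wr16(img + 16, 4); wr16(img + 18, 3);                    /* e_type = ET_CORE, e_machine = EM_386 */
    wr32(img + 28, (uint32_t)ehsz);                          /* e_phoff: phdrs follow the header */
    wr16(img + 40, (uint16_t)ehsz); wr16(img + 42, (uint16_t)phsz); wr16(img + 44, 2);
    uint8_t *p = img + ehsz;                                 /* PT_LOAD #0: kernel text */
    wr32(p, 1); wr32(p + 4, (uint32_t)data_off); wr32(p + 8, 0xc0100000u);
    wr32(p + 16, 0x1000); wr32(p + 20, 0x1000);              /* p_filesz, p_memsz */
    p += phsz;                                               /* PT_LOAD #1: vmalloc area */
    wr32(p, 1); wr32(p + 4, (uint32_t)(data_off + 0x1000)); wr32(p + 8, 0xf8000000u);
    wr32(p + 16, 0x1000); wr32(p + 20, 0x1000);
    wr32(img + data_off + 0x10, 0xc01a2b3cu);                /* assumed value at 0xc0100010 */
    return len;
}

int main(void)
{
    static uint8_t img[0x4000];
    uint8_t buf[4];
    size_t len = build_sample_kcore(img, sizeof img);
    if (kcore_read(img, len, 0xc0100010u, buf, sizeof buf) == 0)
        printf("*(uint32_t *)0xc0100010 = 0x%08x\n", (unsigned)rd32(buf));
    if (kcore_read(img, len, 0xc0100ffeu, buf, sizeof buf) != 0)
        puts("0xc0100ffe: a 4-byte read would run past the end of its segment");
    return 0;
}
```

Against a live system the same lookup applies to the real file: pread() the first few KiB of /proc/kcore (the ELF header and program header table) into a buffer, call kcore_vaddr_to_offset() on it, then pread() at the returned offset; opening /proc/kcore needs root. The avail value matters because kcore segments are not adjacent in the file: a read that straddles two segments has to be split into two lookups, which is why the function reports how many bytes remain in the segment it found.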
This list shows the major changes to Kernsh since the first version:
- March 29 2008 - Kernsh update (process virtual memory, VMA, hash).
- September 2 2007 - MD5 hashing of kernel functions.
- August 26 2007 - Static kernel modules modifications.
- August 6 2007 - ET_REL injection in kernel memory.
- July 28 2007 - Initial version of libkernsh.
For the moment, libkernsh cannot handle compressed kernel images and only works on Linux/IA32. We are currently working on improvements and portability.
Features | Linux IA32 | FreeBSD IA32 | NetBSD IA32 | Solaris IA32 | Linux SPARC | FreeBSD SPARC | NetBSD SPARC | Solaris SPARC |
---|---|---|---|---|---|---|---|---|
Memory access | Yes | WIP | WIP | No | No | No | No | No |
Handling of kernel structures | Yes | WIP | WIP | No | No | No | No | No |
Static kernel patching | Yes | WIP | WIP | No | No | No | No | No |
Static LKM patching | Yes | WIP | WIP | No | No | No | No | No |
Kernel memory allocation | Yes | WIP | WIP | No | No | No | No | No |
Compiled code injection in kernel | Yes | WIP | WIP | No | No | No | No | No |
Function redirection in kernel | Yes | WIP | WIP | No | No | No | No | No |
Hash of kernel memory | Yes | WIP | WIP | No | No | No | No | No |
Read/Write into process virtual memory | Yes | WIP | WIP | No | No | No | No | No |
Virtual Memory Area | Yes | WIP | WIP | No | No | No | No | No |
Unavailable features are open to contributions, provided nobody has already taken over the implementation of that feature on the bug tracking system (BTS).
The Kernel shell library depends on other components of the ERESI framework:
- libelfsh: the binary manipulation library, used for binary injection, function redirection and argument counting.
- libasm: the disassembly engine, used by the argument counting algorithm.
- libaspect: the ERESI aspect library.
There is currently no article featuring the Kernel shell library.