Skip to content

get_kernel_syms

Intro

get_kernel_syms - export the symbol table of the kernel for use by other programs.

Description

The get_kernel_syms system call declares, to a calling user program, the current set of symbols exported by the running Linux kernel. This system call is not often used, as most of its work has been supplanted by /proc/kallsyms, /boot/System.map and other interfaces that enable applications to easily reach the symbols they need.

Arguments

  • symtab:struct kernel_symbol *[K] - a pointer to a structure containing an array of symbol information.
  • strtab:char *[K] - a pointer to a string table corresponding to the symbols in the array.
  • _syscalls:struct sysent *[K] - a pointer to a table of system call descriptions.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_get_kernel_syms

Type

kprobe

Purpose

To introduce a hook for the purpose of tracing the get_kernel_syms system call.

Example Use Case

The get_kernel_syms syscall can be used by an application to obtain symbol information from the kernel. The returned symbols can be used to better understand the behavior of the kernel, or for further debugging purposes.

Issues

This system call may be subject to TOCTOU (Time Of Check, Time Of Use) attacks, as the symbol table and string table return by the system call may change during the use of the call.

  • kprobed/sys_get_kernel_syms - this event is used to trace the get_kernel_syms system call.
  • sys_set_kernel_syms - this system call is used to modify the symbol table and string table of the kernel.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.