Methods for obtaining unexported symbols from Linux kernel

The kernel introduces the mechanism for exporting symbols from a Linux kernel version 2.6. Only the EXPORT_SYMBOL or EXPORT_SYMBOL_GPL exported symbols in the kernel can be directly used in the kernel module. However, the kernel does not export all of the methods for obtaining the Linux kernel's unexported symbols. starting from a version of Linux kernel 2.6, the kernel introduces the mechanism for exporting symbols. Only the EXPORT_SYMBOL or EXPORT_SYMBOL_GPL exported symbols in the kernel can be directly used in the kernel module. However, the kernel does not export all symbols. For example, in the 3.8.0 kernel, do_page_fault is not exported. What methods do I need to use do_page_fault in my kernel module? What are the advantages and disadvantages of these methods? The following uses do_page_fault as an example to perform one-to-one analysis: modify the kernel and add EXPORT_SYMBOL (do_page_fault) or EXPORT_SYMBOL_GPL (do_page_fault ). This method is applicable when the kernel can be modified. This is the easiest way to modify the kernel. Using kallsyms_lookup_name to read kallsyms_lookup_name is also a kernel symbol. if this symbol is exported, you can call kallsyms_lookup_name ("do_page_fault") in the kernel module to obtain the do_page_fault symbol address. The limitation of this method is that kallsyms_lookup_name itself is not necessarily exported. Read/boot/System. map- And then pass in the kernel module System. map- It is generated when the kernel is compiled. it records the address of the kernel symbol during the compilation. If you can ensure that the currently used kernel and System. map- From System. map- The symbolic address read in is correct. The kernel-version can be obtained through 'uname-R. However, this method also has limitations. When the module is running, System. map- Files may not exist. even if they exist, they cannot be correctly matched with the current kernel. Read/proc/kallsyms and use kernel module parameters to pass in kernel module/proc/kallsyms is a special file, which is not a file stored on the disk. This file is generated by the kernel only when it is read. Because these contents are dynamically generated by the kernel, we can ensure that the address read here is correct without System. map- . It should be noted that, starting from kernel 2.6.37, normal users cannot read the correct value from/proc/kallsyms. In some versions, the file is empty. in newer versions, the address of all symbols in the file is 0. However, the root user can read the correct value from/proc/kallsyms. Fortunately, the module also requires the root permission. you can use the script to obtain the symbolic address when loading the module. Command: # cat/proc/kallsyms | grep "\ "| Awk '{print $1}' however, based on my actual experience, the number of symbols in/proc/kallsyms is greater than that in Systemp. map- Less.