How do I modify the Neighbor Solicitation / Neighbor Advertisement message header, with an option field added, in the existing Linux kernel and recompile it?
I work in a system that does not allow me to enable tracepoints at runtime. To work around this, I manually add printks near a tracepoint during debugging. This seems to be very inefficient and I am looking for methods to enable a tracepoint at compile time and have it pushed to the kernel log ring buffer.
You can use the kernel kprobes to dynamically register probe functions into the kernel. Probe functions are just kernel modules that are dynamically inserted into your kernel, and from there you can print to the ring buffer. Kprobes are automatically enabled on nearly all major Linux distros by default. See the documentation to learn how to register and unregister kprobes.
Can I manually insert ImageBase value of PE file?
Basically:
ImageBase of DLL = 10000000
ImageBase of EXE = 00400000
If I can, I want to change ImageBase to a random address.
I wonder how to do it.
You can easily change the base address AND prevent Windows from relocating your executable module to a random base. I should stress that if you have access to the build environment, you should prefer specifying the base address and preventing the DYNAMICBASE flag from being placed in the module to begin with at build time, allowing the linker to make the proper optimizations. To do this with MSVC, you'd specify linker flags:
/BASE:400000
/DYNAMICBASE:NO
Altering the image base after the fact CAN be done and will work for simple modules, but in some instances could result in crashes depending on how the code was generated. Sometimes there is little choice when one does not have access to the original source code.
The code and data accesses may hardcode values based on the original ImageBase linked with. If you want to modify a module after it has been built, read on.
While Address Space Layout Randomization (ASLR) behavior was introduced in Windows Vista, the modifications suggested here WILL work on ANY version of Windows.
NOTE: The preceding statement assumes Microsoft, in the future, doesn't start randomizing image base addresses without regard to the relevant PE flags in the header or refuse to load these modules altogether. As of the present versions of Windows 10, Windows currently honors images that DO NOT contain IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag, preventing dynamic relocation.
Using a hex editor, a tool like MSVC's editbin, or even your own code, the following modifications should be made to the PE headers of the desired module to set a FIXED base-load address:
-set desired IMAGE_OPTIONAL_HEADER -> ImageBase (e.g. 0x400000)
i.e. editbin.exe /rebase:base=0x400000 <YOUR_MODULE>
-remove the 0x0040 (DYNAMIC_BASE) bit from the IMAGE_OPTIONAL_HEADER -> DllCharacteristics flags or use editbin:
i.e.: editbin /dynamicbase:no <YOUR_MODULE>
-if not using editbin, you will need to recalculate the header checksum or just leave at zero for any non-driver or start-up Windows service; editbin updates the checksum automatically.
NOTES:
-manually changing the module's base address may require that you walk the .reloc section entries and perform manual fixups for your new base address either statically or at runtime (simulating what the Windows loader does); not doing so could result in crashes. To avoid this hassle, just remove the DYNAMIC_BASE flag and leave the base address the same as when the module was built. Then you still prevent ASLR, even if the original base address doesn't change.
-the editbin version must have come from MSVC 2005 SP1 (8.0.50727.161) to support the /dynamicbase argument; any free modern version of the MSVC C++ toolset's editbin will have this feature; my experience is that the /rebase option might report the cryptic "LNK1175: failed to rebase ; error 487" even for modules without a .reloc section - this ultimately forces you to use a PE editor to change ImageBase.
-The changes above may break embedded digital signature checks or anything that verifies the integrity of the original file since we've modified it.
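The header edits listed in this answer can be checked and applied without editbin. The script below is an added example (not the answer author's code) that locates IMAGE_OPTIONAL_HEADER by the standard PE layout, reports ImageBase and whether the DYNAMIC_BASE bit is set (a useful audit when checking which modules on a system are ASLR-compatible), and, if asked, rewrites ImageBase, clears the bit and recomputes the header checksum. The checksum routine is the 16-bit fold over the file (skipping the CheckSum dword) plus the file length, as implemented by pefile; the sample PE is constructed inline, has no sections and no .reloc, so the .reloc caveat above does not apply to it, and the field offsets (ImageBase at +28 for PE32 and +24 for PE32+, CheckSum at +64, DllCharacteristics at +70) are the documented ones.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE header checksum: fold all dwords except the CheckSum field itself
    into 16 bits with end-around carry, then add the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for i in range(len(padded) // 4):
        if i == checksum_offset // 4:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def _optional_header(data):
    """Return (offset of IMAGE_OPTIONAL_HEADER, Magic) or raise on a malformed header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20  # skip Signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, magic


def audit_image(data: bytes) -> dict:
    """Report ImageBase, DllCharacteristics, ASLR compatibility and checksum validity."""
    opt, magic = _optional_header(data)
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "image_base": image_base,
        "dll_characteristics": dllchars,
        "aslr_compatible": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "checksum_valid": stored == pe_checksum(data, opt + 64),
    }


def set_fixed_base(data: bytes, new_base: int) -> bytes:
    """Apply the answer's procedure: set ImageBase, clear DYNAMIC_BASE, fix the checksum.
    Caller is responsible for .reloc fixups if the module has relocations."""
    buf = bytearray(data)
    opt, magic = _optional_header(buf)
    if magic == PE32PLUS_MAGIC:
        struct.pack_into("<Q", buf, opt + 24, new_base)
    else:
        struct.pack_into("<I", buf, opt + 28, new_base)
    dllchars = struct.unpack_from("<H", buf, opt + 70)[0]
    struct.pack_into("<H", buf, opt + 70, dllchars & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE & 0xFFFF)
    struct.pack_into("<I", buf, opt + 64, pe_checksum(buf, opt + 64))
    return bytes(buf)


def build_sample_pe(image_base=0x10000000, pe32plus=False) -> bytes:
    """Constructed headers-only PE (no sections, no .reloc) used as sample input here."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 68, 2)       # Subsystem = WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x0140)  # DYNAMIC_BASE | NX_COMPAT, as a linker would emit
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_base.py <module>  -> prints the audit for a real file
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pe()
    print(audit_image(data))
```

Run without arguments it audits the constructed sample; given a path it audits that file. The audit alone is the useful part for a defender (a module with `aslr_compatible: False` is one that Windows will load at its fixed ImageBase), and `checksum_valid` is what editbin keeps consistent after a rebase.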
As far as I remember, the Windows PE loader decides on the base loading address (ImageBase in your question), and you cannot select it manually unless you write the PE loader yourself.
Starting with Windows Vista, Windows uses an address randomizer for selecting a random base loading address. So it is not like 0x10000000 or 0x00400000 anymore, and it changes on every run unless the process is started in special situations like debug mode.
As a part of an experiment I need to make a read-only page writable in kernel address space from a non-IOKit kext. In user mode I can do vm_protect, but there is surprisingly little info on how this can be done in kernel mode (or I am completely blind). Is there a call to do this?
In the kernel, it's declared in <mach/vm_map.h>, and is part of the "unsupported" KPI. (Add com.apple.kpi.unsupported to OSBundleRequired of your kext's info.plist) I unfortunately haven't used this function from the kernel before, so I can't really comment beyond that. vm_map_t appears to be a Mach Port reference, but I'm not sure where you'd get it from.
I want to be able to monitor kernel panics - know if and when they have happened.
Is there a way to know, after the machine has booted, that it went down due to a kernel panic (and not, for example, an ordered reboot or a power failure)?
The machine may be configured with KDUMP and/or KDB, but I prefer not to assume that either is or is not installed.
Patching the kernel is an option, though I prefer to avoid it. But even if I do it, I'm not sure what the patch can do.
I'm using kernel 2.6.18 (ancient, I know). Solutions for newer kernels may be interesting too.
Thanks.
The kernel module 'netconsole' may help you to log kernel printk messages over UDP.
You can view the log messages on a remote syslog server, even if the machine is rebooted.
Introduction:
=============
This module logs kernel printk messages over UDP allowing debugging of
problem where disk logging fails and serial consoles are impractical.
It can be used either built-in or as a module. As a built-in,
netconsole initializes immediately after NIC cards and will bring up
the specified interface as soon as possible. While this doesn't allow
capture of early kernel panics, it does capture most of the boot
process.
Check kernel document for more information: https://www.kernel.org/doc/Documentation/networking/netconsole.txt
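On the receiving side, a panic sent over netconsole shows up as the last lines from that host, which is what the question wants to detect after the fact. The script below is an added example (not the answer author's code) of a small UDP receiver that parses netconsole records and flags panic messages. It assumes the extended record layout documented in netconsole.txt (`<level>,<sequnum>,<timestamp>,<contflag>;<message text>`, used when the target is configured with a leading `+`) and falls back to treating anything else as a plain printk line; the marker strings and the sample records are constructed here, and the default port 6666 is the one the kernel document lists.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Extended netconsole record, per Documentation/networking/netconsole.txt:
#   <level>,<sequnum>,<timestamp>,<contflag>;<message text>
EXTENDED_RE = re.compile(
    r"^(?P<level>\d+),(?P<seq>\d+),(?P<ts>\d+),(?P<cont>[^;]*);(?P<msg>.*)$", re.S
)

# Message prefixes that mean the sender went down hard rather than rebooting cleanly
# (constructed list; extend with the markers your kernel version emits).
PANIC_MARKERS = ("Kernel panic - not syncing", "BUG: unable to handle", "Oops:")


@dataclass
class Record:
    level: Optional[int]        # syslog level from the extended header, if present
    seq: Optional[int]          # printk sequence number, lets you spot dropped records
    timestamp_us: Optional[int]  # monotonic microseconds since boot
    message: str
    panic: bool


def is_panic(message: str) -> bool:
    return any(marker in message for marker in PANIC_MARKERS)


def parse_record(raw: str) -> Record:
    """Parse one netconsole datagram; non-extended lines keep only the text."""
    line = raw.rstrip("\r\n")
    m = EXTENDED_RE.match(line)
    if m:
        msg = m.group("msg")
        return Record(int(m.group("level")), int(m.group("seq")),
                      int(m.group("ts")), msg, is_panic(msg))
    return Record(None, None, None, line, is_panic(line))


def summarize(lines: List[str]) -> dict:
    """Count records and report the first panic message, if any."""
    records = [parse_record(line) for line in lines]
    panics = [r for r in records if r.panic]
    return {
        "total": len(records),
        "panics": len(panics),
        "first_panic": panics[0].message if panics else None,
    }


def serve(bind_addr: str = "0.0.0.0", port: int = 6666) -> None:
    """Listen for netconsole datagrams and print each one, tagging panics."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(4096)
        rec = parse_record(data.decode("utf-8", errors="replace"))
        tag = "PANIC" if rec.panic else "log"
        print(f"{peer[0]} [{tag}] seq={rec.seq} {rec.message}")


# Constructed sample datagrams: two extended records and one plain printk line.
SAMPLE_LINES = [
    "6,1234,5012345,-;eth0: link up",
    "0,1235,5013000,-;Kernel panic - not syncing: Fatal exception",
    "plain printk without extended header",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    serve()
```

Run it on the syslog host before the monitored machine boots with `netconsole=+@/,6666@<receiver-ip>/` (the `+` selects the extended format); because the datagrams leave the sender before it halts, the panic text survives the reboot even when the sender's own disk logging never got written.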
Is there a way to add an ACE to the DACL of a file/directory from kernel mode in Windows?
I found a reference about the ZwQuerySecurityObject/ZwSetSecurityObject routines, but they are not defined in the WINDDK headers.
I would appreciate any information on this question.