LKM structure

Let me save you the long road of digging for information, reversing the structure of other kernel modules, and examining kernel sources to see exactly how a module is loaded. Instead, let us proceed directly to the structure of an LKM.

A loadable kernel module is, in fact, an ELF object file with a few additional sections and some information that we meet neither in ordinary object files nor in executables created for user space. We should point out at least five sections that we do not usually have in regular files:

  • .init.text: This section contains all the code required for module initialization. In terms of Windows, for example, the content of this section may be compared to the DllMain() function and all the functions that it references. In terms of Linux, it may be considered a section containing constructors (Windows executables may have that too).
  • .exit.text: This section contains all the code needed to be executed before the module is unloaded.
  • .modinfo: This section contains information about the module itself, the version of the kernel it is written for, and so on.
  • .gnu.linkonce.this_module: This section contains the this_module structure, which, in turn, contains the name of the module and pointers to the module initialization and de-initialization procedures. While the structure itself is a bit obscure for us in this case, we are interested in certain offsets only, which, when sources are not available, may be found with a reverse engineering tool such as IDA Pro. We may, however, check for the offsets of the .init.text and .exit.text pointers within the structure by running the readelf command in the terminal, as follows:
    readelf -sr name_of_the_module.ko
    Then, we see the offsets in the output:
    As we see, the pointer to .init.text is at the offset 0x150 and the pointer to .exit.text is at the offset 0x248 into the this_module structure.
  • __versions: This section contains the names of external symbols prepended with their version numbers. This table is used by the kernel in order to verify compatibility of the module in question.