callrbx/objhunter.py

## objhunter.py
# written by icon
# adapted from work by pagabuc
# change your kernel to be your kernel binary with debug symbols
# change low-high bounds to be the relevant slab you are trying to fit
# gdb --nx -q -x extract_offsets.py | tee offsets

import gdb


KERNEL = "./vmlinux-5.4.0-81-generic"
LOW_SIZE = 1024
HIGH_SIZE = 2048


def collect_all_struct_types():
    types = gdb.execute('info types', to_string=True).split("\n")
    struct_types = set()
    for t in types:
        if "\tstruct" in t:
            t = t.split("\t")[-1]
            t = t.replace(";", '')
            struct_types.add(t.strip())

    # print("Found %d struct types" % (len(struct_types)))
    return struct_types


def is_function_pointer(t):
    t = t.strip_typedefs()
    return (t.code == gdb.TYPE_CODE_PTR) and (t.target().code == gdb.TYPE_CODE_FUNC)


def is_struct(t):
    t = t.strip_typedefs()
    return (t.code == gdb.TYPE_CODE_STRUCT)


def count_function_ptr(t, parent="", offset=0):
    # print("Counting: %s %s" % (str(t), parent))
    pointers = []
    for k, f in gdb.types.deep_items(t):
        if is_struct(f.type):
            newparent = "%s%s." % (parent, str(t))
            pointers += count_function_ptr(f.type, newparent, offset+f.bitpos)
        if is_function_pointer(gdb.types.get_basic_type(f.type)):
            pointers.append("%s%s.%s offset: 0x%x" %
                            (parent, t, str(f.name), int((offset+f.bitpos)/8)))

    return pointers


def main():
    gdb.execute(f"file {KERNEL}", to_string=True)
    structs = dict()
    for s in collect_all_struct_types():
        try:
            t = gdb.lookup_type(s)
        except gdb.error:
            continue
        if t.sizeof > LOW_SIZE and t.sizeof <= HIGH_SIZE:
            pointers = count_function_ptr(t)
            if len(pointers) > 0:
                print("[+] Found %s - Size: %d - %d ptrs" %
                      (str(t), t.sizeof, len(pointers)))
                for i in pointers:
                    print("   %s" % i)
                print()
    exit()


if __name__ == "__main__":
    main()
	# written by icon
	# adapted from work by pagabuc
	# change your kernel to be your kernel binary with debug symbols
	# change low-high bounds to be the relevant slab you are trying to fit
	# gdb --nx -q -x extract_offsets.py \| tee offsets

	import gdb


	KERNEL = "./vmlinux-5.4.0-81-generic"
	LOW_SIZE = 1024
	HIGH_SIZE = 2048


	def collect_all_struct_types():
	types = gdb.execute('info types', to_string=True).split("\n")
	struct_types = set()
	for t in types:
	if "\tstruct" in t:
	t = t.split("\t")[-1]
	t = t.replace(";", '')
	struct_types.add(t.strip())

	# print("Found %d struct types" % (len(struct_types)))
	return struct_types


	def is_function_pointer(t):
	t = t.strip_typedefs()
	return (t.code == gdb.TYPE_CODE_PTR) and (t.target().code == gdb.TYPE_CODE_FUNC)


	def is_struct(t):
	t = t.strip_typedefs()
	return (t.code == gdb.TYPE_CODE_STRUCT)


	def count_function_ptr(t, parent="", offset=0):
	# print("Counting: %s %s" % (str(t), parent))
	pointers = []
	for k, f in gdb.types.deep_items(t):
	if is_struct(f.type):
	newparent = "%s%s." % (parent, str(t))
	pointers += count_function_ptr(f.type, newparent, offset+f.bitpos)
	if is_function_pointer(gdb.types.get_basic_type(f.type)):
	pointers.append("%s%s.%s offset: 0x%x" %
	(parent, t, str(f.name), int((offset+f.bitpos)/8)))

	return pointers


	def main():
	gdb.execute(f"file {KERNEL}", to_string=True)
	structs = dict()
	for s in collect_all_struct_types():
	try:
	t = gdb.lookup_type(s)
	except gdb.error:
	continue
	if t.sizeof > LOW_SIZE and t.sizeof <= HIGH_SIZE:
	pointers = count_function_ptr(t)
	if len(pointers) > 0:
	print("[+] Found %s - Size: %d - %d ptrs" %
	(str(t), t.sizeof, len(pointers)))
	for i in pointers:
	print(" %s" % i)
	print()
	exit()


	if __name__ == "__main__":
	main()