@darkarnium
Last active November 14, 2022 15:33
IDA - Uses kallsyms to mark procedures and names.
'''
Attempts to mark all addresses indicated by kallsyms as procedures, and renames
to match.
This script assumes that the contents of /proc/kallsyms from the target device
have been copied into the same directory as this script. It also assumes that
the relocation base / offset is properly set below.
Author: Peter Adkins (@Darkarnium)
'''
import os
import sys
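RELA_OFFSET = 0xFFFFFFFF
KALLSYMS_FILE = 'kallsyms'

# Resolve the path up front so the error message below can always name it,
# even if building the path is what fails (it was previously unbound in
# the except branch for that case).
kallsyms_path = os.path.join(
    os.path.dirname(os.path.realpath(os.path.expanduser(__file__))),
    KALLSYMS_FILE
)

try:
    with open(kallsyms_path, 'r') as fin:
        # splitlines() drops the trailing empty element that split('\n')
        # leaves behind and copes with CRLF copies of /proc/kallsyms.
        kallsyms_raw = fin.read().splitlines()
except IOError as err:
    print('[!] Unable to read from {0}: {1}'.format(kallsyms_path, err))
    sys.exit(-1)

# Process kallsyms, ignoring modules and fixing offset.
for symbol in kallsyms_raw:
    if not symbol.strip():
        continue

    # Each line is "<address> <type> <name>" with an optional "\t[module]"
    # suffix. Splitting on any whitespace turns that suffix into a fourth
    # field, so module symbols fail the length check; the '[' test is kept
    # as a belt-and-braces guard for copies where the tab was lost.
    symbol_parts = symbol.split()
    if len(symbol_parts) != 3 or '[' in symbol_parts[2]:
        continue

    # The symbol list comes from the target device and may be truncated or
    # garbled; a non-hex address field is skipped rather than aborting the
    # whole run with a ValueError.
    try:
        addr = int(symbol_parts[0], 16)
    except ValueError:
        print('[!] Skipping malformed kallsyms line: {0!r}'.format(symbol))
        continue

    # Relocation is currently disabled (RELA_OFFSET is unused until the
    # line below is re-enabled); addresses are used as listed in kallsyms.
    # addr = addr ^ RELA_OFFSET
    name = '{0}_{1:0x}'.format(symbol_parts[2], addr)

    # Attempt to set the name; SN_NOWARN suppresses IDA's warning dialog on
    # failure so the loop can report it on the console and carry on.
    if idc.set_name(addr, name, idc.SN_NOWARN) != 1:
        print('[!] Unable to set name for {0} (0x{1:0x})'.format(name, addr))

    # Attempt to mark as a procedure, and wait for autoanalysis to finish
    # before checking whether the address actually became code.
    ida_auto.auto_make_proc(addr)
    ida_auto.auto_wait()
    if not ida_bytes.is_code(ida_bytes.get_full_flags(addr)):
        print('[!] Unable to mark {0} (0x{1:0x}) as code'.format(name, addr))
        continue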
darkarnium commented Nov 14, 2022

Super shitty Binary Ninja version:

'''
Attempts to mark all addresses indicated by kallsyms as procedures, and renames
to match.

This script assumes that the contents of /proc/kallsyms from the target device
have been copied into the same directory as this script. It also assumes that
the relocation base / offset is properly set below.

Author: Peter Adkins (@Darkarnium)
'''
import os
import sys


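RELA_OFFSET = 0xffffff8008000000
KALLSYMS_FILE = 'kallsyms'


# Resolve the path up front so the error message below can always name it,
# even if building the path is what fails (it was previously unbound in
# the except branch for that case).
kallsyms_path = os.path.join(
    os.path.dirname(os.path.realpath(os.path.expanduser(__file__))),
    KALLSYMS_FILE
)

print('[-] Reading and parsing symbols from kallsyms')
try:
    with open(kallsyms_path, 'r') as fin:
        # splitlines() drops the trailing empty element that split('\n')
        # leaves behind and copes with CRLF copies of /proc/kallsyms.
        kallsyms_raw = fin.read().splitlines()
except IOError as err:
    print('[!] Unable to read from {0}: {1}'.format(kallsyms_path, err))
    sys.exit(-1)

# Process kallsyms, ignoring modules and fixing offset.
print('[-] Processing parsed symbols from kallsyms')

for symbol in kallsyms_raw:
    if not symbol.strip():
        continue

    # Each line is "<address> <type> <name>" with an optional "\t[module]"
    # suffix. Splitting on any whitespace turns that suffix into a fourth
    # field, so module symbols fail the length check; the '[' test is kept
    # as a belt-and-braces guard for copies where the tab was lost.
    symbol_parts = symbol.split()
    if len(symbol_parts) != 3 or '[' in symbol_parts[2]:
        continue

    # The symbol list comes from the target device and may be truncated or
    # garbled; a non-hex address field is skipped rather than aborting the
    # whole run with a ValueError.
    try:
        kallsyms_addr = int(symbol_parts[0], 16)
    except ValueError:
        print('[!] Skipping malformed kallsyms line: {0!r}'.format(symbol))
        continue

    # Calculate the address before relocation. Subtraction is the exact
    # inverse of relocation; the XOR used previously only agreed with it
    # while the symbol's offset from RELA_OFFSET shared no set bits with
    # the base (offsets below 0x8000000 for this base) and silently gave
    # wrong addresses beyond that. Symbols listed below the base (e.g.
    # absolute/per-cpu entries) have no unrelocated counterpart, so skip
    # them instead of producing a negative address.
    if kallsyms_addr < RELA_OFFSET:
        print('[!] Skipping {0} (0x{1:0x}): below RELA_OFFSET'.format(
            symbol_parts[2], kallsyms_addr))
        continue
    addr = kallsyms_addr - RELA_OFFSET
    name = '{0}_{1:0x}'.format(symbol_parts[2], addr)

    # Attempt to set the name.
    bv.define_user_symbol(binaryninja.Symbol("FunctionSymbol", addr, name))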
