
@st4rk
Last active May 28, 2017
cmd: g++ parse.cpp -o kparse -lstdc++fs
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <experimental/filesystem>
// Short alias for the Filesystem TS namespace; main() uses it to enumerate the input directory.
namespace fs = std::experimental::filesystem;
// Output image shared by the whole program: main() opens and closes it,
// parseFileToDump() seeks and writes into it. Null until main() opens it.
FILE *main_dump = nullptr;
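/**
 * @brief Copy one kernel module dump into the shared output image at the
 *        offset encoded in its file name.
 *
 * The file name (the part after the last path separator) must contain "0x"
 * followed by up to eight hex digits. That value is used verbatim as the byte
 * offset into main_dump, so the name fully controls where the data lands:
 * only feed this tool dumps whose names you trust, because a large offset
 * makes the output file grow accordingly.
 *
 * The module is streamed through a fixed-size buffer rather than loaded
 * whole, so the file size never has to fit in an unsigned int or in memory.
 * On a read or write failure part of the module may already have been
 * written; the caller treats any failure as "output is invalid".
 *
 * @param f Path of the module dump to merge.
 * @return true when the whole file was copied, false on any error (a message
 *         is printed to stdout).
 */
bool parseFileToDump(const std::string& f) {
    // The output image is opened by the caller; refuse to touch a null stream.
    if (main_dump == nullptr) {
        std::cout << "Output dump is not open" << std::endl;
        return false;
    }

    FILE *module_dump = fopen(f.c_str(), "rb");
    if (module_dump == nullptr) {
        std::cout << "Failed to open the kernel module dump" << std::endl;
        return false;
    }

    // Look for the address only in the file name, so a "0x" that happens to
    // appear in a parent directory name is not mistaken for the load offset.
    const std::size_t last_sep = f.find_last_of("/\\");
    const std::size_t name_start = (last_sep == std::string::npos) ? 0 : last_sep + 1;
    const std::size_t hex_start = f.find("0x", name_start);
    if (hex_start == std::string::npos) {
        std::cout << "Not a valid kernel module dump !" << std::endl;
        fclose(module_dump);
        return false;
    }

    // strtoul never throws: "no digits" is reported through the end pointer,
    // unlike std::stoi, which throws on garbage and on any value above INT_MAX
    // (i.e. every address from 0x80000000 upwards).
    const std::string hex_value = f.substr(hex_start + 2, 8);
    char *hex_end = nullptr;
    const unsigned long parsed = std::strtoul(hex_value.c_str(), &hex_end, 16);
    if (hex_end == hex_value.c_str() || parsed > 0xFFFFFFFFul) {
        std::cout << "Not a valid kernel module dump !" << std::endl;
        fclose(module_dump);
        return false;
    }
    const unsigned int hex_pos = static_cast<unsigned int>(parsed);

    std::cout << "starts at: " << hex_start << std::endl;
    printf("data: 0x%08X\n", hex_pos);
    std::cout << f << std::endl;

    // A failed seek would otherwise leave the write at whatever position the
    // previous module ended, silently corrupting the image.
    if (fseek(main_dump, static_cast<long>(hex_pos), SEEK_SET) != 0) {
        std::cout << "Failed to seek in the full dump" << std::endl;
        fclose(module_dump);
        return false;
    }

    unsigned char chunk[64 * 1024];
    std::size_t got = 0;
    while ((got = fread(chunk, 1, sizeof(chunk), module_dump)) > 0) {
        // A short write (disk full, I/O error) means the image is incomplete.
        if (fwrite(chunk, 1, got, main_dump) != got) {
            std::cout << "Failed to write the kernel module dump" << std::endl;
            fclose(module_dump);
            return false;
        }
    }

    // fread returning 0 is either end-of-file or an error; tell them apart.
    const bool read_failed = ferror(module_dump) != 0;
    fclose(module_dump);
    if (read_failed) {
        std::cout << "Failed to load the kernel module dump" << std::endl;
        return false;
    }
    return true;
}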
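/**
 * @brief Merge every kernel module dump found in a directory into
 *        full_dump.bin in the current working directory.
 *
 * Usage: kparse <modules-dir>. Each regular file in the directory is handed
 * to parseFileToDump(); the first failure aborts the run, because the output
 * image can no longer be trusted.
 *
 * @return 0 on success or when only the usage line was printed,
 *         EXIT_FAILURE when the output could not be produced.
 */
int main(int argc, const char*argv[]) {
    if (argc <= 1) {
        std::cout << "input: specify the kernel modules path" << std::endl;
        return 0;
    }

    const std::string path_to_dir = argv[1];

    main_dump = fopen("full_dump.bin", "wb");
    if (main_dump == nullptr) {
        std::cout << "Failed to create full_dump.bin" << std::endl;
        return EXIT_FAILURE;
    }

    bool ok = true;
    try {
        for (const auto &p : fs::directory_iterator(path_to_dir)) {
            // Sub-directories, sockets, etc. are not module dumps; skip them
            // instead of trying to read them as files.
            if (!fs::is_regular_file(p.path())) {
                continue;
            }
            if (!parseFileToDump(p.path().string())) {
                std::cout << "An error occured on parseFileToDump, invalid full_dump" << std::endl;
                ok = false;
                break;
            }
        }
    } catch (const fs::filesystem_error &e) {
        // Missing or unreadable directory: report it instead of terminating
        // on an uncaught exception with the output file still open.
        std::cout << "Failed to read the kernel modules path: " << e.what() << std::endl;
        ok = false;
    }

    // fclose flushes buffered data, so a failure here also means the image on
    // disk is incomplete.
    if (fclose(main_dump) != 0) {
        std::cout << "Failed to finish writing full_dump.bin" << std::endl;
        ok = false;
    }
    main_dump = nullptr;

    if (!ok) {
        return EXIT_FAILURE;
    }

    std::cout << "Check the full_dump.bin and have fun with IDA Pro ;) " << std::endl;
    return 0;
}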