cmd: g++ parse.cpp -o kparse -lstdc++fs

parse_dump.cpp

#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <experimental/filesystem>

namespace fs = std::experimental::filesystem;
FILE *main_dump = nullptr;

bool parseFileToDump(const std::string& f) {
	unsigned char *tmpBuff = nullptr;
	FILE *module_dump = fopen (f.c_str(), "rb");

	std::size_t hex_start = f.find("0x");

	if (module_dump == nullptr) {
		std::cout << "Failed to open the kernel module dump" << std::endl;
		return false;
	}

	if (hex_start == std::string::npos) {
		std::cout << "Not a valid kernel module dump !" << std::endl;
		fclose(module_dump);
		return false;
	}

	std::string  hex_value = f.substr(hex_start+2, 8);
	unsigned int hex_pos  = std::stoi(hex_value, nullptr, 16);
	std::cout << "starts at: " << hex_start << std::endl;
	printf("data: 0x%08X\n", hex_pos );
	std::cout << f << std::endl;

	fseek(module_dump, 0, SEEK_END);
	unsigned int fSize = ftell(module_dump);
	rewind(module_dump);

	tmpBuff = new unsigned char[fSize];

	unsigned int readBytes = fread(tmpBuff, 1, fSize, module_dump);

	if (readBytes != fSize) {
		fclose(module_dump);
		delete [] tmpBuff;
		std::cout << "Failed to load the kernel module dump" << std::endl;
		return false;
	}

	fseek(main_dump, hex_pos, SEEK_SET);
	fwrite(tmpBuff, sizeof(unsigned char), fSize, main_dump);

	if (tmpBuff != nullptr)
		delete [] tmpBuff;


	fclose(module_dump);
	return true;
}

int main(int argc, const char*argv[]) {

	if (argc > 1) {
		std::string path_to_dir = argv[1];
		main_dump = fopen("full_dump.bin", "wb");

		for (auto &p : fs::directory_iterator(path_to_dir)) {
			if(!parseFileToDump(p.path().string())) {
				fclose(main_dump);
				std::cout << "An error occured on parseFileToDump, invalid full_dump" << std::endl;
				return 0;
			}
		}

		std;:cout << "Check the full_dump.bin and have fun with IDA Pro ;) " << std::endl;
		fclose(main_dump);
	} else {
		std::cout << "input: specify the kernel modules path" << std::endl;
	}

	return 0;
}