Lets see what happens:
zimage_start = (unsigned long)(&__image_begin);
zimage_size = (unsigned long)(&__image_end) -
(unsigned long)(&__image_begin);
...
/* Decompress the kernel with according algorithm */
__decompress((char *)zimage_start, zimage_size, 0, 0,
(void *)VMLINUX_LOAD_ADDRESS_ULL, 0, 0, error);
The problem is that System.map does not contain symbols __image_begin & __image_end. Investigation showed that compressed body of kernel located in .data section so the only unknown parameters for unpacking are start address and size of unpacked data. Fortunately used algo lzma puts size of unpacked data as last DWORD in data. And address you can extract from System.map for symbol _text
So logic of plugin is
- get filename of input file
- make right name for System.map from it
- read this System.map
- try to find xrefs in .data section - the only two will be __image_begin & __image_end
- unpack
- add new segment (and this was most terrible part of development - ida pro failed several times with memory dumps)
- put unpacked data to newly added segment
- profit
Link to github
Комментариев нет:
Отправить комментарий