Perfect! Let's dive deep into symbol resolution - this is absolutely crucial for rootkit development.
Part 1: What Are Symbols?
1.1 Understanding Symbols
Symbols are names given to memory addresses in programs. They make code readable for humans.
Example in C:
// You write this:int my_variable =42;voidmy_function(){printk("Hello\n");}// Compiler converts to this (simplified):// Address 0xffffffffa1234000: value = 42// Address 0xffffffffa1234100: <function code>
Symbols map names to addresses:
my_variable → 0xffffffffa1234000
my_function → 0xffffffffa1234100
1.2 Why Symbols Matter in Kernel
In userspace programs, you rarely worry about symbols. In kernel development (especially rootkits), symbols are critical:
For Normal Development:
Debugging with GDB
Linking kernel modules
Understanding crash dumps
For Rootkit Development:
Finding functions to hook (like sys_call_table)
Locating kernel data structures
Hiding your rootkit from detection
Bypassing protections
1.3 Types of Symbols
Global Symbols (Exported):
Local Symbols (Static):
External Symbols:
Part 2: The Kernel Symbol Table
2.1 What is the Symbol Table?
The kernel maintains a symbol table that lists:
Every function name
Every global variable name
Their memory addresses
Their types
Think of it as a phone book for the kernel: "To call function X, dial address Y"
2.2 Why the Kernel Needs a Symbol Table
1. Module Loading: When you load a module with insmod, the kernel needs to resolve symbols:
2. Dynamic Linking: Modules don't contain all code - they reference kernel functions. The symbol table connects these references.
3. Debugging: When kernel crashes, the symbol table translates addresses back to function names in the crash dump.
Part 3: /proc/kallsyms - The Live Symbol Table
3.1 What is /proc/kallsyms?
/proc/kallsyms is a pseudo-file that shows all kernel symbols at runtime.
ADDRESS: Memory location (64-bit hex) TYPE: Symbol type (letter code) NAME: Symbol name
3.3 Symbol Types (The Letters)
Type
Meaning
Example
T
Text (code) in .text section
ffffffffc0000000 T sys_open
t
Local text (static function)
ffffffffc0001000 t helper_function
D
Initialized data in .data
ffffffffc0002000 D sys_call_table
d
Local initialized data
ffffffffc0003000 d local_var
R
Read-only data (.rodata)
ffffffffc0004000 R version_string
r
Local read-only data
ffffffffc0005000 r const_value
B
Uninitialized data (.bss)
ffffffffc0006000 B global_buffer
b
Local uninitialized data
ffffffffc0007000 b static_buffer
U
Undefined (external symbol)
U printk
W
Weak symbol
W some_optional_func
A
Absolute (address won't change)
0000000000000000 A _text
Uppercase = Global (exported)Lowercase = Local (static, not exported)
3.4 Practical Examples
Finding a function:
Why the '$' in grep?
$ means "end of line"
Prevents matching commit_creds_2 or my_commit_creds
Only matches exact name
Finding all syscalls:
Finding module symbols:
3.5 Security Restrictions on /proc/kallsyms
The kptr_restrict Setting:
Values:
0: Everyone can see addresses (insecure, useful for debugging)
1: Root can see addresses, users see zeros (default)
2: Even root sees zeros (maximum security)
Example with kptr_restrict=1:
Changing kptr_restrict:
Part 4: System.map - The Static Symbol Table
4.1 What is System.map?
System.map is a file created when the kernel is compiled. It contains the symbol table for that specific kernel build.
Location:
Multiple files: One for each installed kernel version.
4.2 System.map vs /proc/kallsyms
Feature
System.map
/proc/kallsyms
When created
Kernel compile time
Runtime (dynamic)
Updates
Never changes
Updates when modules load
Shows modules
No
Yes
Location
/boot/ (file)
/proc/ (pseudo-file)
Root needed
No (it's a file)
Depends on kptr_restrict
Use case
Debugging crashes
Finding runtime addresses
4.3 Viewing System.map
4.4 When to Use System.map
Use System.map for:
Analyzing kernel crash dumps (vmcore)
Understanding kernel layout at compile time
When /proc/kallsyms is restricted
Reverse engineering specific kernel builds
Use /proc/kallsyms for:
Runtime symbol lookup (preferred for rootkits!)
Finding module symbols
Getting current addresses (KASLR might change them)
Part 5: Finding Symbols in Kernel Modules
5.1 Exported vs Non-Exported Symbols
Exported symbols are intentionally made available to modules:
Non-exported symbols are hidden from modules (but still in kallsyms):
5.2 Checking if a Symbol is Exported
Method 1: Check /proc/kallsyms
Method 2: Check Module.symvers
Method 3: Try to use it
5.3 Using Exported Symbols in Your Module
The kernel automatically resolves this symbol when loading your module.
Part 6: Finding Unexported Symbols (Rootkit Technique!)
6.1 Why Find Unexported Symbols?
Many interesting kernel internals are not exported:
sys_call_table (the syscall table - CRITICAL for rootkits!)
Internal kernel functions
Security-sensitive structures
Rootkits need to find these anyway!
6.2 Method 1: Read /proc/kallsyms at Runtime
The most common rootkit technique:
This is THE standard way rootkits find unexported symbols.
6.3 Method 2: Pattern Scanning (Advanced)
If kallsyms_lookup_name is disabled, scan kernel memory:
This is how advanced rootkits work when kallsyms is restricted!
6.4 Method 3: Read System.map from Disk
From kernel module code, read /boot/System.map:
Less common because it requires filesystem access from kernel module.
Part 7: Symbol Resolution in Action
7.1 How Kernel Modules Use Symbols
When you load a module:
This is called "symbol resolution" or "linking"
7.2 Viewing Module Dependencies
7.3 Symbol Conflicts
What if two modules export the same symbol?
Result: Module B fails to load with "symbol conflict" error!
Solution: Use unique prefixes
Part 8: Rootkit Symbol Hiding Techniques
8.1 Why Hide Symbols?
When your rootkit loads, its symbols appear in /proc/kallsyms:
This reveals your rootkit to detection tools!
8.2 Technique 1: Remove Module from List
Problem: Symbols still visible in /proc/kallsyms!
8.3 Technique 2: Hide Symbols from kallsyms
More advanced - need to manipulate kallsyms data structures:
8.4 Technique 3: Use Static Functions
Static functions show as lowercase letters in kallsyms (less obvious).
8.5 Detection: How to Find Hidden Rootkits
For defenders:
Part 9: Practical Examples
Example 1: Finding sys_call_table
This is essential for syscall hooking (next topic!):
Test it:
Example 2: Listing All Symbols Starting with "sys_"
Example 3: Resolving Symbol at Runtime
Part 10: Symbol Resolution Tools
Tool 1: nm (Name list)
Tool 2: objdump
Tool 3: readelf
Tool 4: modinfo
Part 11: Common Issues and Troubleshooting
Issue 1: "Unknown symbol" Error
Cause: Module uses a symbol that kernel doesn't export
Debug:
Solution:
Check if symbol exists: grep some_function /proc/kallsyms
If exists but not exported, use kallsyms_lookup_name()
If doesn't exist, you're calling wrong function
Issue 2: kallsyms_lookup_name Returns NULL
Causes:
Symbol name is wrong (typo)
Symbol doesn't exist in this kernel
kallsyms_lookup_name itself is not exported (newer kernels!)
Solution for #3 (modern kernels disable kallsyms_lookup_name):
// Visible to all modules
EXPORT_SYMBOL(my_function);
// Only visible within this file
static void my_function() { }
// Defined elsewhere
extern void some_other_function();
// Your module calls:
printk("Hello");
// Kernel thinks:
// "Where is printk? Let me check my symbol table..."
// "Found it! printk is at 0xffffffff81234567"
// "Link the module to that address"
cat /proc/kallsyms | head -20
```
**Example output:**
```
0000000000000000 A fixed_percpu_data
0000000000000000 A __per_cpu_start
ffffffffc0000000 T commit_creds
ffffffffc0001234 T prepare_kernel_cred
ffffffffc0002000 t sys_read
ffffffffc0003000 D sys_call_table
ffffffffc0004000 r __ksymtab_printk
```
### 3.2 Understanding the Format
Each line has three parts:
```
[ADDRESS] [TYPE] [NAME]
cat /proc/kallsyms | grep " sys_"
# Shows all system call functions
# Load your module
sudo insmod mymodule.ko
# Find its symbols
cat /proc/kallsyms | grep "\[mymodule\]"
# Shows all symbols from your module
cat /proc/sys/kernel/kptr_restrict
# As normal user
cat /proc/kallsyms | head -5
# 0000000000000000 A fixed_percpu_data
# 0000000000000000 A __per_cpu_start
# 0000000000000000 T commit_creds
# All addresses are zeros!
# As root
sudo cat /proc/kallsyms | head -5
# ffffffffa1234567 A fixed_percpu_data
# ffffffffa1235000 A __per_cpu_start
# ffffffffa1236000 T commit_creds
# Real addresses shown!
# Make addresses visible (TESTING ONLY!)
echo 0 | sudo tee /proc/sys/kernel/kptr_restrict
# Secure setting
echo 2 | sudo tee /proc/sys/kernel/kptr_restrict
ls -la /boot/System.map*
# /boot/System.map-5.15.0-91-generic
# /boot/System.map-5.15.0-92-generic
# View System.map for current kernel
cat /boot/System.map-$(uname -r) | head -20
# Search for a symbol
grep commit_creds /boot/System.map-$(uname -r)
# ffffffffa1234567 T commit_creds
// In kernel source
int my_function(void) {
return 42;
}
EXPORT_SYMBOL(my_function); // Now modules can use it
// In kernel source
static int hidden_function(void) {
return 42;
}
// No EXPORT_SYMBOL - modules can't easily use this
cat /proc/kallsyms | grep commit_creds
# ffffffffa1234567 T commit_creds
# Capital 'T' means it's likely exported
// In your module
extern int commit_creds(void); // Declare external
// Try to compile
// If it links successfully, it's exported
// If you get "undefined reference", it's not exported
#include <linux/module.h>
#include <linux/kernel.h>
// Declare external kernel function
extern void (*my_kernel_function)(void);
static int __init my_init(void) {
// Use the kernel function
my_kernel_function();
return 0;
}
module_init(my_init);
MODULE_LICENSE("GPL");
#include <linux/module.h>
#include <linux/kallsyms.h>
unsigned long find_symbol(const char *name) {
return kallsyms_lookup_name(name);
}
static int __init my_init(void) {
unsigned long addr;
// Find sys_call_table (not exported!)
addr = kallsyms_lookup_name("sys_call_table");
printk(KERN_INFO "sys_call_table is at: 0x%lx\n", addr);
return 0;
}
module_init(my_init);
MODULE_LICENSE("GPL");
unsigned long find_sys_call_table(void) {
unsigned long offset;
unsigned long **sct;
// Scan kernel memory from _stext to _etext
for (offset = PAGE_OFFSET; offset < ULLONG_MAX; offset += sizeof(void *)) {
sct = (unsigned long **)offset;
// Check if this looks like sys_call_table
// (has pointers to sys_read, sys_write, etc.)
if (sct[__NR_close] == (unsigned long *)sys_close) {
return (unsigned long)sct;
}
}
return 0;
}
#include <linux/fs.h>
#include <linux/uaccess.h>
unsigned long parse_system_map(const char *symbol_name) {
struct file *f;
char buf[256];
// Open /boot/System.map-$(uname -r)
// Parse line by line
// Find symbol_name
// Extract address
return address;
}
// Your module code
extern int printk(const char *fmt, ...);
static int __init my_init(void) {
printk("Hello\n"); // Calls kernel's printk
return 0;
}
```
**What happens during insmod:**
```
1. Kernel reads your module.ko file
2. Finds "printk" in module's symbol table
3. Looks up "printk" in kernel symbol table
→ Found at 0xffffffffa1234567
4. Patches your module's code:
call printk → call 0xffffffffa1234567
5. Module now calls the real kernel printk
# See what symbols your module needs
nm mymodule.ko | grep "U "
# U printk
# U kmalloc
# U kfree
# 'U' = Undefined (needs to be resolved)
# Check if module has dependencies
modinfo mymodule.ko | grep depends
// Module A
int my_function(void) { return 1; }
EXPORT_SYMBOL(my_function);
// Module B
int my_function(void) { return 2; }
EXPORT_SYMBOL(my_function);
// Module A
int module_a_my_function(void) { return 1; }
EXPORT_SYMBOL(module_a_my_function);
cat /proc/kallsyms | grep myroot
# ffffffffa3000000 t myroot_init [myroot]
# ffffffffa3001000 t myroot_hide [myroot]
// In your rootkit
static int __init rootkit_init(void) {
// Remove from module list
list_del(&__this_module.list);
// Now invisible to lsmod
// But symbols still in kallsyms!
return 0;
}
// Find and modify kallsyms internal structures
// This is complex and kernel-version-specific
// Covered in advanced rootkit development
make
sudo insmod find_sct.ko
dmesg | tail
# Found sys_call_table at: 0xffffffffa1234000
#include <linux/module.h>
#include <linux/kallsyms.h>
static int print_callback(void *data, const char *name,
struct module *mod, unsigned long addr) {
// Check if symbol starts with "sys_"
if (strncmp(name, "sys_", 4) == 0) {
printk(KERN_INFO "%s: 0x%lx\n", name, addr);
}
return 0; // Continue iteration
}
static int __init list_syscalls_init(void) {
printk(KERN_INFO "Listing all syscalls:\n");
// Iterate through all kernel symbols
kallsyms_on_each_symbol(print_callback, NULL);
return 0;
}
module_init(list_syscalls_init);
MODULE_LICENSE("GPL");
#include <linux/module.h>
#include <linux/kallsyms.h>
typedef int (*commit_creds_fn)(void *);
static int __init resolve_init(void) {
commit_creds_fn my_commit_creds;
// Get the function pointer
my_commit_creds = (commit_creds_fn)kallsyms_lookup_name("commit_creds");
if (my_commit_creds) {
printk(KERN_INFO "commit_creds function found at: %p\n",
my_commit_creds);
// Now we can call it!
// my_commit_creds(some_creds);
}
return 0;
}
module_init(resolve_init);
MODULE_LICENSE("GPL");
# List all symbols in a binary
nm mymodule.ko
# Show only undefined symbols (need resolution)
nm -u mymodule.ko
# Show only defined symbols (exported by module)
nm -g mymodule.ko
# Human-readable format
nm -C mymodule.ko # Demangle C++ names
# Disassemble and show symbols
objdump -t mymodule.ko
# Show dynamic symbols
objdump -T mymodule.ko
# Show symbol table
readelf -s mymodule.ko
# Show all sections
readelf -S mymodule.ko
# Show module information including dependencies
modinfo mymodule.ko
# Show what symbols module provides
modinfo -F exports mymodule.ko
sudo insmod mymodule.ko
# insmod: ERROR: could not insert module mymodule.ko: Unknown symbol in module
dmesg | tail
# mymodule: Unknown symbol some_function (err -2)
# In module
addr = kallsyms_lookup_name("sys_call_table");
// addr is NULL!
// Use kprobes as workaround
#include <linux/kprobes.h>
static unsigned long lookup_name(const char *name) {
struct kprobe kp = {
.symbol_name = name
};
register_kprobe(&kp);
unsigned long addr = (unsigned long)kp.addr;
unregister_kprobe(&kp);
return addr;
}
cat /proc/kallsyms
# 0000000000000000 T sys_read
# 0000000000000000 T sys_write
# Temporarily disable (testing only!)
echo 0 | sudo tee /proc/sys/kernel/kptr_restrict
# Then check again
cat /proc/kallsyms
