Add switch to override relative symbols

Add a switch to override discovery of relative offsets in the kallsyms table. If the binary under analysis has an absolute base in the upper half of the virtual address range, all the addresses appear to be negative numbers. For 64-bit systems a 50-50 split would put kernel addresses at 0x80000000-00000000 and for 32 bit systems with a 3G/1G split, the kernel addresses start at 0xC0000000
marin-m · Jan 16, 2025 · 9f88c33 · 9f88c33
1 parent 8693be8
commit 9f88c33
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/vmlinux_to_elf/kallsyms_finder.py b/vmlinux_to_elf/kallsyms_finder.py
@@ -168,8 +168,9 @@ class KallsymsFinder:
         We'll find kallsyms_token_table and infer the rest
     """
 
-    def __init__(self, kernel_img : bytes, bit_size : int = None):
+    def __init__(self, kernel_img : bytes, bit_size : int = None, override_relative_base : bool = True):
 
+        self.override_relative_base = override_relative_base
         self.kernel_img = kernel_img
 
         # -
@@ -869,10 +870,11 @@ def find_kallsyms_addresses_or_symbols(self):
 
         # Try different possibilities heuristically:
 
+        heuristic_search_parameters = [(True, True), (False, False)] if likely_has_base_relative else [(False, True), (False, False)]
+        if self.override_relative_base:
+            heuristic_search_parameters = [(False,False)]
         for (has_base_relative, can_skip) in (
-            [(True, True), (False, False)]
-            if likely_has_base_relative else
-            [(False, True), (False, False)]
+            heuristic_search_parameters
         ):
 
 
@@ -980,6 +982,7 @@ def find_kallsyms_addresses_or_symbols(self):
                 self.has_absolute_percpu = False
 
             number_of_null_items = len([address for address in tentative_addresses_or_offsets if address == 0])
+
 
             logging.info('[i] Null addresses overall: %g %%' % (number_of_null_items / len(tentative_addresses_or_offsets) * 100))
 
@@ -1114,6 +1117,7 @@ def print_symbols_debug(self):
         "addresses")
 
     args.add_argument('input_file', help = "Path to the kernel file to extract symbols from")
+    args.add_argument('--override-relative', help = 'Assume kallsyms offsets are absolute addresses' , action="store_true")
     args.add_argument('--bit-size', help = 'Force overriding the input kernel ' +
         'bit size, providing 32 or 64 bit (rather than auto-detect)', type = int)
 
@@ -1123,7 +1127,7 @@ def print_symbols_debug(self):
     with open(args.input_file, 'rb') as kernel_bin:
 
         try:
-            kallsyms = KallsymsFinder(obtain_raw_kernel_from_file(kernel_bin.read()), args.bit_size)
+            kallsyms = KallsymsFinder(obtain_raw_kernel_from_file(kernel_bin.read()), args.bit_size, args.override_relative)
 
         except ArchitectureGuessError:
            exit('[!] The architecture of your kernel could not be guessed ' +