如何从内核模块中查找动态链接/加载的库的PHDR？

Question

I need to access the program header tables (or alternatively to the section headers) of a process from the kernel in order to find the addresses of .eh_frame and .eh_frame_hdr sections from a linux kernel module. In userspace I would use dl_iterate_phdr(), but I need a kernel-space solution. If possible, it would not need to go through the elf files.

The auxiliary vector has the AT_PHDR field, but it does not help to find the PHDRs of dynamically linked/loaded libraries.

My other idea was to iterate on the vm_areas to find the PHDR address from every file that has an executable mmap in the task's memory. The problem with this solution is that the elf file can be changed or deleted after load.

Is there a way to do this that relies only on memory and not on the elf file?

Answer 1

It looks like the Elf header (which has the file offset to the phdr table - often the same as the offset in memory) is always at the beginning of executable mmaps. It does not seem really reliable as I could not find any documentation about the appearance of the Ehdr but it seems present in practice. This could be because of the fact that it must be at the beginning of Elf files and that the page size and alignment makes the executable segment start at offset 0x0.

We can verify that executable mappings start at offset 0x0 for all running processes and loaded shared object with this bash line:

sudo cat /proc/*/maps | awk '{ print $2 " " $3 " " $6;}' | egrep '^..x.' | grep -vE '.... 0{8}'

It outputs all the executable mappings that do not start at offset 0x0, so no output means that the Ehdrs are at the beginning of executable vm_areas.