volatility3.framework.symbols.linux.kallsyms module

class KASConfig(num_syms_address, names_address, token_table_address, token_index_address, offsets_address, relative_base_address, _stext, markers_address=None, addresses_address=None, _sinittext=None, _einittext=None, _etext=None, _end=None, mod_tree=None, module_addr_min=None, module_addr_max=None, start_ksymtab=None, stop_ksymtab=None, bpf_tree_address=None, seqs_of_names_address=None, num_syms_type_size=None, markers_type_size=None, kernel_symbol_size=None)[source]

Bases: object

Kallsyms configuration class

addresses_address: int = None

bpf_tree_address: int = None

kernel_symbol_size: int = None

markers_address: int = None

markers_type_size: int = None

mod_tree: int = None

module_addr_max: int = None

module_addr_min: int = None

names_address: int

classmethod new_from_isf(context, layer_name, module_name)[source]

num_syms_address: int

num_syms_type_size: int = None

offsets_address: int

relative_base_address: int

seqs_of_names_address: int = None

start_ksymtab: int = None

stop_ksymtab: int = None

token_index_address: int

token_table_address: int

class KASFilter(name, type)[source]

Bases: object

name: str

type: str

class KASSymbol(name, type, address, size, module_name, exported=False, subsystem=None)[source]

Bases: KASSymbolBasic

address: int

exported: bool = False

module_name: str

name: str

set_exported_from_type()[source]

Updates the ‘export’ member based on the symbol’s type.

This method evaluates the symbol’s type and sets the ‘export’ member to indicate whether the object is exported. This code and Linux kernel follows the nm symbol type logic.

Return type:: None

size: int

subsystem: str = None

type: str

property type_description: str | None

Returns the interpreted meaning of the symbol type based on the nm tool.

Returns:: A string with the type description.

class KASSymbolBasic(name, type)[source]

Bases: object

name: str

type: str

class Kallsyms(context, layer_name, module_name, kas_config=None, progress_callback=None)[source]

Bases: VersionableInterface

Kallsyms API class

Initialize the Kallsyms API

Parameters:

context (ContextInterface) – The context used to access memory layers and symbols
layer_name (str) – The name of layer within the context in which the module exists
module_name (str) – The name of the kernel module on which to operate
kas_config (KASConfig) – The KAllSyms configuration
progress_callback (Optional[Callable[[float, str], None]]) – Method that is called periodically during scanning to update progress

bpf_lookup_address(address)[source]

Search for a BPF symbol based on its memory address.

Based on bpf_address_lookup() and __bpf_address_lookup()

Parameters:: address (int) – The memory address to search for
Return type:: Optional[KASSymbol]
Returns:: The matching KASSymbol if found; otherwise, returns None

core_lookup_address(address)[source]

Search for a symbol by its memory address within the kernel core.

Based on kallsyms_lookup_buildid.

Parameters:: address (int) – The memory address to search for.
Return type:: Optional[KASSymbol]
Returns:: The matching symbol if found, or None if no match is found.

ftrace_lookup_address(address)[source]

Search for a ftrace symbol based on its address.

Based on ftrace_mod_address_lookup()

Parameters:: address (int) – The memory address to search for
Return type:: Optional[KASSymbol]
Returns:: The matching KASSymbol if found, or None if no match is found.

get_all_symbols()[source]

Enumerates each kallsym symbol

Yields:: KASSymbol objects
Return type:: Iterator[KASSymbol]

get_bpf_symbols()[source]

Yield each kernel BPF symbol

Based on bpf_get_kallsym()

Yields:: KASSymbol objects
Return type:: Iterator[KASSymbol]

get_core_symbols(progress_callback=None)[source]

Yield each kernel core symbol

Parameters:: progress_callback (Optional[Callable[[float, str], None]]) – Method that is called periodically during scanning to update progress
Return type:: Iterator[KASSymbol]

Based on kallsyms_on_each_symbol()

Yields:: KASSymbol objects

get_ftrace_symbols()[source]

Yield each kernel ftrace symbol

Yields:: KASSymbol objects
Return type:: Iterator[KASSymbol]

get_modules_symbols(name=None)[source]

Yield each symbol from the kernel modules. This function iterates over the symbols of the kernel modules and yields them as KASSymbol objects.

name (optional): If specified, the symbol name used to filter the symbols.

Yields:: KASSymbol objects
Return type:: Iterator[KASSymbol]

lookup_address(address)[source]

Search for a symbol by its memory address.

This function scans kernel core, module symbols, BPF symbols, and Ftrace symbols to locate the first symbol matching the specified address. Note that multiple symbols (aliased symbols) can share the same memory address, so this method returns the first match found.

Based on kallsyms_lookup.

Parameters:: address (int) – The memory address to search for.
Return type:: Optional[KASSymbol]
Returns:: The matching symbol if found, or None if no match is found.

lookup_name(name)[source]

Search symbols by name. WARNING: This function is super slow. The kernel does not index the symbols by name, so the it is a linear search.

Based on kallsyms_lookup_name

Parameters:: name (str) – The symbol name to search for.
Return type:: Optional[KASSymbol]
Returns:: A KASSymbol object

module_lookup_address(address, module=None)[source]

Search for a symbol within kernel modules based on its memory address. If a module object is provided, it will only search in that module. Otherwise, it will try to first find the module to where the provided address belong to.

Based on module_address_lookup.

Parameters:

address (int) – The memory address of the symbol to search for
[optional] (module) – The module to search within. If not provided, the module containing the address will be automatically determined

Return type:

Optional[KASSymbol]

Returns:

The matching KASSymbol if found; otherwise, returns None

version = (1, 0, 0)