Call chain: drakvuf_init() → drakvuf_init_os() → _drakvuf_init_os() → set_os_linux() → find_kernbase()
The KASLR offset is handled in _drakvuf_init_os(), when vmi_init_os() is called.
Check :
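The symbol will also be resolved using the System.map file or a JSON profile; as the last function below shows, the address found there has the KASLR offset added to it before it is returned.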
/*
 * Look up the guest kernel symbol "_text" and record its virtual address in
 * drakvuf->kernbase.
 *
 * Returns true only if the lookup did not fail and the stored address is
 * non-zero. vmi_translate_ksym2v() writes through its output pointer on
 * every path, so drakvuf->kernbase is overwritten even when the lookup fails.
 */
static bool find_kernbase(drakvuf_t drakvuf)
{
    status_t rc = vmi_translate_ksym2v(drakvuf->vmi, "_text", &drakvuf->kernbase);

    if (rc == VMI_FAILURE)
        return false;

    return drakvuf->kernbase != 0;
}

/*
 * Translate a kernel symbol name into a virtual address.
 *
 * The symbol cache is consulted first. On a miss, the OS-specific os_ksym2v
 * hook is used if one is registered; a successful result is passed through
 * canonical_addr() and stored in the cache.
 *
 * vmi    - introspection instance
 * symbol - symbol name to resolve
 * vaddr  - receives the resolved address; it is always written, including on
 *          failure, so callers must check the return status before using it
 *
 * Returns VMI_SUCCESS or VMI_FAILURE.
 *
 * The NULL checks on the arguments exist only when ENABLE_SAFETY_CHECKS is
 * defined; without it, vmi and vaddr are dereferenced unchecked.
 */
status_t vmi_translate_ksym2v(vmi_instance_t vmi, const char *symbol, addr_t *vaddr)
{
    addr_t resolved = 0;
    status_t rc;

#ifdef ENABLE_SAFETY_CHECKS
    if (!vmi || !symbol || !vaddr)
        return VMI_FAILURE;
#endif

    rc = sym_cache_get(vmi, 0, 0, symbol, &resolved);

    /* Cache miss: fall back to the OS hook, when one is installed. */
    if (rc == VMI_FAILURE && vmi->os_interface && vmi->os_interface->os_ksym2v) {
        addr_t base_ignored; /* filled by the hook, not used here */

        rc = vmi->os_interface->os_ksym2v(vmi, symbol, &base_ignored, &resolved);
        if (rc == VMI_SUCCESS) {
            /* Only the normalised address is cached. */
            resolved = canonical_addr(resolved);
            sym_cache_set(vmi, 0, 0, symbol, resolved);
        }
    }

    *vaddr = resolved;
    return rc;
}

/*
 * Resolve a Linux kernel symbol to its run-time virtual address.
 *
 * The address is looked up in the sysmap when one is configured, otherwise in
 * the JSON profile. On success the instance's kaslr_offset is added to the
 * looked-up address, so the value handed back is only as correct as that
 * offset. Where kaslr_offset is set is not visible in this function.
 *
 * vmi     - introspection instance; dereferenced without a NULL check here
 * symbol  - symbol name to resolve
 * address - receives the result; dereferenced without a NULL check on the
 *           success path
 *
 * Returns VMI_SUCCESS, or VMI_FAILURE when the OS instance is missing, when
 * neither a sysmap nor a JSON profile is configured, or when the lookup fails.
 */
status_t
linux_symbol_to_address(
    vmi_instance_t vmi,
    const char *symbol,
    addr_t* UNUSED(__unused),
    addr_t* address)
{
    linux_instance_t lx_inst = vmi->os_data;
    status_t rc;

    if (lx_inst == NULL) {
        errprint("VMI_ERROR: OS instance not initialized\n");
        return VMI_FAILURE;
    }

    if (!lx_inst->sysmap && !json_profile(vmi)) {
        errprint("VMI_WARNING: No linux sysmap and Rekall profile configured\n");
        return VMI_FAILURE;
    }

    /* The sysmap takes precedence over the JSON profile when both exist. */
    if (lx_inst->sysmap) {
        rc = linux_system_map_symbol_to_address(vmi, symbol, address);
    } else {
        rc = json_profile_lookup(vmi, symbol, NULL, address);
    }

    /* Shift the looked-up address by the KASLR offset. */
    if (rc == VMI_SUCCESS)
        *address += lx_inst->kaslr_offset;

    return rc;
}