SkillAgentSearch skills...

Lkcd

ugly code to check linux kernel memory and dump some internal structures

GenerateConvertImprove

Install / Use

/learn @redplait/Lkcd
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

lkcd

Small pet project to find and dump some linux kernel guts like

  • notification chains (https://0xax.gitbooks.io/linux-insides/content/Concepts/linux-cpu-4.html)
  • function pointers in .data section
  • check them with -c option (you need load driver lkcd first)
  • function pointers in .bss section - with some disasm magic
  • ftrace addresses (-f option)
  • check ftrace prologs (-f option)
  • kernel tracepoints (-t option)
  • kernel timers and workqueues (-T option)
  • per-cpu user_return_notifiers (-c -d)
  • kprobes - with pre_handler & post_handler (-k)
  • uprobes (including uprobe_consumer) (-k option)
  • filesystem notifications (-F option) (see http://redplait.blogspot.com/2021/09/filesystem-notifications-in-linux-kernel.html)
  • security hooks (-d -S options)
  • keys (-K options)
  • eBPF programs (-c -B options, to disasm use also -d)
  • bpf_verifier_ops (see https://redplait.blogspot.com/2024/08/bpfverifierops.html)
  • ebpf kind_ops (see https://redplait.blogspot.com/2024/07/dumping-ebpf-kindops.html)
  • cgroups (-g options)
  • registered consoles (-C options)
  • input_devs & their handlers (-S option) (see http://redplait.blogspot.com/2024/05/linux-input-handles.html)
  • executable pages in kernel (-M option) (see https://redplait.blogspot.com/2024/09/hidden-executable-pages-in-linux-kernel.html)

etc etc

Sure contains poorly written buggy driver

Sample of checking on x64 5.15.0-52

registered consoles: 1
[0] tty at 0xffffffffbd6fbde0 flags 7 index 0
   write: 0xffffffffbbde6510 - kernel!vt_console_print
   device: 0xffffffffbbde30a0 - kernel!vt_console_device
   unblank: 0xffffffffbbde5a70 - kernel!unblank_screen
...
uprobes: 1
[0] addr 0xffffa008c309bc00 inode 0xffffa008c12d61a0 ino 1043126 clnts 1 offset 4710 flags 0 
 consumer[0] at 0xffffffffc0605100
   handler: 0xffffffffc0603b13 - lkcd
   ret_handler: 0xffffffffc0603af3 - lkcd
...
timers for cpu 1 7:
 0xffff9e5e41049690 flags A000001 0xffffffffa43f5fe0 0xffffffffa43f5fe0 - kernel!blk_stat_timer_fn
 0xffff9e5e5de8c440 wq 0xffff9e5e5de8c420 flags 12600001 0xffffffffa3f345c0 0xffffffffa3f345c0 - kernel!psi_avgs_work
 0xffff9e5e57414440 wq 0xffff9e5e57414420 flags 1A600001 0xffffffffa3f345c0 0xffffffffa3f345c0 - kernel!psi_avgs_work
 0xffff9e5e5025a3c8 wq 0xffff9e5e5025a3a8 flags 1F600001 0xffffffffc0600390 0xffffffffc0600390 - r8169
 0xffff9e5e50c877f0 flags 21C00001 0xffffffffa43e2cd0 0xffffffffa43e2cd0 - kernel!blk_rq_timed_out_timer
 0xffff9e5e50c78a10 wq 0xffff9e5e50c789f0 flags 23E00001 0xffffffffa41c2e80 0xffffffffa41c2e80 - kernel!wb_workfn
 0xffff9e618e45fc20 flags 42D00001 0xffffffffa3e605d0 0xffffffffa3e605d0 - kernel!mce_timer_fn
...
mem at 0xffffffff8b633058 (x86_cpuinit+8) patched to 0xffffffff8a075d50 (kvm_setup_secondary_clock)
mem at 0xffffffff8b6331c0 (i8259A_chip+40) patched to 0xffffffff8a0373a0 (disable_8259A_irq)
mem at 0xffffffff8b6365c8 (machine_check_vector) patched to 0xffffffff8ab74bf0 (do_machine_check)
mem at 0xffffffff8b6365d0 (mce_adjust_timer) patched to 0xffffffff8a04f200 (cmci_intel_adjust_timer)
mem at 0xffffffff8b638848 (__acpi_register_gsi) patched to 0xffffffff8a060d40 (acpi_register_gsi_ioapic)
mem at 0xffffffff8b641a28 (pv_ops+8) patched to 0xffffffff8a075cb0 (kvm_sched_clock_read)
mem at 0xffffffff8b652c08 (alg+8) patched to 0xffffffff8a089550 (crc32c_pcl_intel_update)
mem at 0xffffffff8b652c18 (alg+18) patched to 0xffffffff8a089530 (crc32c_pcl_intel_finup)
mem at 0xffffffff8b652c20 (alg+20) patched to 0xffffffff8a089510 (crc32c_pcl_intel_digest)
mem at 0xffffffff8b7d2d70 (ecap_perms+30) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b7d2dd0 (ecap_perms+90) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b7d3230 (cap_perms+10) patched to 0xffffffff8a82f320 (vfio_basic_config_read)
mem at 0xffffffff8b7d3250 (cap_perms+30) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b7d3290 (cap_perms+70) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b7d3310 (cap_perms+F0) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b7d3430 (cap_perms+210) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b7d3490 (cap_perms+270) patched to 0xffffffff8a82f0f0 (vfio_default_config_read)
mem at 0xffffffff8b81f1e0 (pcibios_disable_irq) patched to 0xffffffff8a643760 (acpi_pci_irq_disable)
mem at 0xffffffff8b81f1e8 (pcibios_enable_irq) patched to 0xffffffff8a6434d0 (acpi_pci_irq_enable)

As you can see for uprobes you have only inode number so you should use "find -inum 1043126" to find on which file uprobe was installed

dependencies

  • elfio (https://github.com/serge1/ELFIO)
  • libudis86 (https://github.com/vmt/udis86) for x64 disasm
  • armpatched (https://github.com/redplait/armpatched/tree/master/source) for arm64 disasm

Related Skills

node-connect

339.5k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

frontend-design

83.9k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

openai-whisper-api

339.5k

Transcribe audio via OpenAI Audio Transcriptions API (Whisper).

commit-push-pr

83.9k

Commit, push, and open a PR

redplait

View profile

View on GitHub
GitHub Stars48
CategoryDevelopment
Updated6mo ago
Forks9
redplait/lkcd

Languages

C

Security Score

67/100

Audited on Sep 28, 2025

No findings