You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+6-11Lines changed: 6 additions & 11 deletions
Original file line number
Diff line number
Diff line change
@@ -198,17 +198,12 @@ steps:
198
198
4. Use [GDB](#gdb) to attach to the [QEMU](#qemu) instance
199
199
5. Build the vulnerability trigger and push it to the virtual device
200
200
6. Break in GDB
201
-
202
-
load the custom python script([dynamic-analysis.py](https://github.com/cloudfuzz/android-kernel-exploitation/blob/master/gdb/dynamic-analysis.py) in repo) :
203
-
204
-
205
-
To trace function calls and dump the binder_thread structure chunk before and after it's freed. Also dump the same binder_thread structure before and after the unlink operation has been done.
206
-
207
-
208
-
In this file we first [delete all breakpoints](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L157) and the put 2 breakpoints(BP); The first symbol is “[binder_free_thread](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L164)” (will trace binder_free_thread function)before binder_thread is freed stop function will be called so parameters and symbol will be shown with ([gb.write(....)](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L96) ) and then the call back method(we set it [set_dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L34)) will be called; in this function binder_thread_address will be set in our global variable and gdb.execute send any output produced by command to GDB’s standard output .
209
-
210
-
211
-
The second symbol is “[remove_wait_queue](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L175)”(will trace remove_wait_queue function) the parameters which we want to observe are "wq_head", "wq_entry" and for exit wait.c:52 breakpoint will be set. their callbacks are [dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L42).these breakpoints will show what happens before and after the unlink operation
201
+
load the custom python script([dynamic-analysis.py](https://github.com/cloudfuzz/android-kernel-exploitation/blob/master/gdb/dynamic-analysis.py) in repo) :
202
+
To trace function calls and dump the binder_thread structure chunk before and after it's freed. Also dump the same binder_thread structure before and after the unlink operation has been done.
203
+
204
+
In this file we first [delete all breakpoints](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L157) and the put 2 breakpoints(BP); The first symbol is “[binder_free_thread](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L164)” (will trace binder_free_thread function)before binder_thread is freed stop function will be called so parameters and symbol will be shown with ([gb.write(....)](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L96) ) and then the call back method(we set it [set_dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L34)) will be called; in this function binder_thread_address will be set in our global variable and gdb.execute send any output produced by command to GDB’s standard output .
205
+
206
+
The second symbol is “[remove_wait_queue](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L175)”(will trace remove_wait_queue function) the parameters which we want to observe are "wq_head", "wq_entry" and for exit wait.c:52 breakpoint will be set. their callbacks are [dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L42).these breakpoints will show what happens before and after the unlink operation
0 commit comments