I’m trying to reverse engineer a Linux kernel module (kernel version 4.19). Ghidra does correctly recognize all function names, such as
misc_register etc., but it cannot determine their exact signatures.
Let’s take as an example function copy_from_user with signature:
unsigned long copy_from_user (void *to, const void __user *from, unsigned long n);
and here’s how Ghidra sees it:
undefined _copy_from_user (void)
I believe that it won’t be the last kernel module for me to reverse engineer and so I would like to learn how to load all missing kernel structures to the program.
Moreover, I am aware that I can edit the function signature by hand, but I would then need to add plenty of structures by hand as well (such as struct file), and this would be very ineffective.
What I’ve tried so far
(I’m super new to Ghidra and if you know better way, please just share)
I’ve downloaded headers from debian repository:
$ wget linux-headers-4.19.0-6-common_4.19.67-2+deb10u2_all.deb .
$ ls
linux-headers-4.19.0-6-common_4.19.67-2+deb10u2_all.deb usr
$ ls /usr/src/
linux-headers-4.19.0-6-common
I extracted them and then tried to load them using the File>>Parse C Source option by specifying the path to the extracted folder,
and got an error. What can I do to make Ghidra aware of the correct function signatures?
Update: As MechMK1 has pointed out, I provided a directory instead of header files. I’ve corrected my mistake, and this time I’ve just copied the whole content of all files into all_headers.h:
$ cat `find . | grep .h` > all_headers.h
$ cat all_headers.h | wc -c
29824650
And I’ve provided all_headers.h to get parsed. This time there was no error, but Ghidra has only added around 20 defines and no function signatures.
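Added example (not from the question or from Ghidra): the same amalgamation step the update performs, but matching only real `*.h` files instead of `find . | grep .h`, and stamping each file's path into the output so a parse error in Ghidra's File>>Parse C Source can be traced back to the header it came from. The header tree is a constructed stand-in for the extracted Debian package.

```shell
# Concatenate every *.h below a header tree into one file for Ghidra.
# Usage: amalgamate_headers <header_dir> <out_file>; prints the byte count.
amalgamate_headers() {
    hdr_dir=$1
    out=$2
    : > "$out"
    # -name '*.h' skips files that merely contain ".h" somewhere in their
    # path (e.g. .html); sort gives a stable order across re-runs.
    find "$hdr_dir" -type f -name '*.h' | LC_ALL=C sort | while IFS= read -r f; do
        # Origin marker: parser errors quote a line, this tells you the file.
        printf '/* ---- %s ---- */\n' "$f" >> "$out"
        cat "$f" >> "$out"
        printf '\n' >> "$out"
    done
    wc -c < "$out"
}

# Constructed sample tree (assumption: stands in for
# usr/src/linux-headers-4.19.0-6-common from the question).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/include/linux"
printf '#define DEMO_A 1\nstruct demo_file { int fd; };\n' \
    > "$demo_dir/include/linux/demo.h"
printf 'unsigned long demo_copy(void *to, const void *from, unsigned long n);\n' \
    > "$demo_dir/include/linux/uaccess_demo.h"
printf 'not a header\n' > "$demo_dir/include/linux/readme.html"

amalgamate_headers "$demo_dir" "$demo_dir/all_headers.h"
```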