If you want to work on Linux kernel reverse-engineering challenges, QEMU is indispensable. This post records how to build a minimal Linux kernel, plus a BusyBox root filesystem to boot it with, for exactly that purpose.

Building the root filesystem

Tools

  • busybox
  1. Download BusyBox and extract the tarball

    wget https://busybox.net/downloads/busybox-1.33.0.tar.bz2
    
  2. Build BusyBox

cd busybox-1.33.0
mkdir build

make O=build ARCH=arm64 defconfig
make O=build ARCH=arm64 menuconfig

In the menu, set the following three options (all of them live under Settings). Static linking matters because the initramfs contains no libc and no dynamic loader; "Don't use /usr" keeps every applet link in /bin and /sbin; the prefix assumes an aarch64-linux-gnu- cross toolchain is installed on the host:

-> Settings
[*] Don't use /usr
[*] Build static binary (no shared libs)
(aarch64-linux-gnu-) Cross compiler prefix

Then save and exit, and run:

make O=build # -j8
make O=build install
cd build/_install

The directory tree at this point:

$ tree -L 1 .
.
├── bin
├── linuxrc -> bin/busybox
└── sbin

2 directories, 1 file

Now add a few empty directories to serve as mount points:

mkdir -pv {etc,proc,sys,usr/{bin,sbin}}

Then create an init file with the following contents. The kernel runs /init as PID 1; this script mounts proc and sysfs and then replaces itself with a shell. It does not mount devtmpfs: the kernel never mounts devtmpfs automatically when booting from an initramfs (even with the automount option enabled), so if you need device nodes beyond the /dev/console that the kernel's built-in default initramfs already provides, create a dev directory and mount devtmpfs on it from this script.

#!/bin/sh

mount -t proc none /proc
mount -t sysfs none /sys

echo -e "\nBoot took $(cut -d' ' -f1 /proc/uptime) seconds\n"

exec /bin/sh

Make the init file executable:

chmod +x init

The directory (build/_install) now contains:

$ tree -L 1 .
.
├── bin
├── etc
├── init
├── linuxrc -> bin/busybox
├── proc
├── sbin
├── sys
└── usr

6 directories, 2 files

Finally, pack it into a newc-format cpio archive and gzip it:

find . -print0 | cpio --null -ov --format=newc | gzip > ../initramfs.cpio.gz

The gzip-compressed cpio image lands in build/initramfs.cpio.gz. The BusyBox ramdisk is done; keep it for later.
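The packing step above is the entire initramfs recipe: a directory tree, an executable /init, and a newc cpio archive. As an added example (not part of the original post), the Python script below writes that archive itself instead of calling cpio, so you can see exactly what the kernel's init/initramfs.c parses, and reads it back to check the result. Its demo() builds a constructed stand-in for the _install tree (a placeholder busybox file, the linuxrc symlink, and an init that also mounts devtmpfs on /dev); the file name mkinitramfs.py and the placeholder contents are assumptions. The same script is handy for CTF kernel challenges where you repack a supplied rootfs with your exploit added.

```python
#!/usr/bin/env python3
"""mkinitramfs.py: pack a rootfs directory into initramfs.cpio.gz without cpio(1).
Writes the SVR4 "newc" cpio format (magic 070701) that the kernel's init/initramfs.c
unpacks; ownership is forced to root so files made by an unprivileged user are not uid 1000 in the guest."""
import gzip
import os
import stat
import sys
import tempfile

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc aligns every header and body)."""
    return (-n) % 4


def _header(ino, mode, uid, gid, nlink, mtime, filesize, name):
    # 13 fields of 8 ASCII hex digits: ino mode uid gid nlink mtime filesize
    # devmajor devminor rdevmajor rdevminor namesize(incl. NUL) check
    fields = (ino, mode, uid, gid, nlink, mtime, filesize, 0, 0, 0, 0, len(name) + 1, 0)
    hdr = NEWC_MAGIC + "".join("%08x" % f for f in fields).encode() + name.encode() + b"\0"
    return hdr + b"\0" * _pad4(len(hdr))


def pack_initramfs(root, out_path, uid=0, gid=0):
    """Archive everything under root (parents before children); return entry names in archive order."""
    root = os.path.abspath(root)
    archive, names, ino = bytearray(), [], 1
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort also fixes the order os.walk descends in
        for entry in sorted(dirnames + filenames):
            full = os.path.join(dirpath, entry)
            st = os.lstat(full)  # lstat: a symlink such as linuxrc must stay a symlink
            if stat.S_ISLNK(st.st_mode):
                body = os.readlink(full).encode()  # the body of a symlink entry is its target
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    body = f.read()
            elif stat.S_ISDIR(st.st_mode):
                body = b""
            else:
                raise ValueError("unsupported file type: " + full)
            nlink = 2 if stat.S_ISDIR(st.st_mode) else 1  # nlink>1 on a regular file means "hard link"
            rel = os.path.relpath(full, root)
            archive += _header(ino, st.st_mode, uid, gid, nlink, int(st.st_mtime), len(body), rel)
            archive += body + b"\0" * _pad4(len(body))
            names.append(rel)
            ino += 1
    archive += _header(0, 0, 0, 0, 1, 0, 0, TRAILER)  # end marker the kernel stops at
    with gzip.open(out_path, "wb") as f:
        f.write(bytes(archive))
    return names


def list_initramfs(path):
    """Walk the archive the way the kernel does; return {name: (mode, body)}."""
    with gzip.open(path, "rb") as f:
        data = f.read()
    entries, pos = {}, 0
    while pos < len(data):
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        if name == TRAILER:
            break
        body_at = pos + 110 + namesize + _pad4(110 + namesize)
        entries[name] = (mode, data[body_at:body_at + size])
        pos = body_at + size + _pad4(size)
    return entries


def demo():
    """Round-trip a constructed stand-in for BusyBox's _install tree (fake data, not a real BusyBox)."""
    root = tempfile.mkdtemp()
    out = os.path.join(tempfile.mkdtemp(), "initramfs.cpio.gz")
    for d in ("bin", "sbin", "etc", "proc", "sys", "dev", "usr/bin", "usr/sbin"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "bin", "busybox"), "wb") as f:
        f.write(b"\x7fELF fake busybox")  # placeholder bytes standing in for the static binary
    os.chmod(os.path.join(root, "bin", "busybox"), 0o755)
    os.symlink("bin/busybox", os.path.join(root, "linuxrc"))
    with open(os.path.join(root, "init"), "w") as f:  # also mounts devtmpfs, which the kernel won't do for us
        f.write("#!/bin/sh\nmount -t proc none /proc\nmount -t sysfs none /sys\n"
                "mount -t devtmpfs none /dev\nexec /bin/sh\n")
    os.chmod(os.path.join(root, "init"), 0o755)
    names = pack_initramfs(root, out)
    return names, list_initramfs(out)


if __name__ == "__main__":  # usage: mkinitramfs.py build/_install build/initramfs.cpio.gz
    for name in pack_initramfs(sys.argv[1], sys.argv[2]):
        print(name)
```

Run it as python3 mkinitramfs.py build/_install build/initramfs.cpio.gz in place of the find | cpio | gzip pipeline. Entries are emitted in the order the kernel will create them (a directory before its contents), and uid/gid are 0 regardless of who runs the script; demo() exercises the same code on the constructed tree.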

Building a minimally configured Linux kernel

  1. Download the Linux kernel source from kernel.org (5.13.9 is used here) and extract it

  2. Build

    cd linux-5.13.9
    mkdir build
    
    make O=build ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- allnoconfig
    make O=build ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- menuconfig
    

    Start from the smallest possible configuration (allnoconfig), then open the configuration menu and enable the following entries:

    -> General setup
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    
    -> General setup
      -> Configure standard kernel features
    [*] Enable support for printk
    
    -> Executable file formats / Emulations
    [*] Kernel support for ELF binaries
    [*] Kernel support for scripts starting with #!
    
    -> Device Drivers
      -> Generic Driver Options
    [*] Maintain a devtmpfs filesystem to mount at /dev
    [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs
    
    -> Device Drivers
      -> Character devices
    [*] Enable TTY
    
    -> Device Drivers
      -> Character devices
        -> Serial drivers
    [*] ARM AMBA PL010 serial port support
    [*]   Support for console on AMBA serial port
    [*] ARM AMBA PL011 serial port support
    [*]   Support for console on AMBA serial port
    
    -> File systems
      -> Pseudo filesystems
    [*] /proc file system support
    [*] sysfs file system support
    

    Save and exit when done, then build. Two notes on the entries above: the QEMU virt machine's UART is a PL011 (ttyAMA0), so the PL010 entries are harmless but not strictly needed; and the devtmpfs automount option is ignored when the kernel boots from an initramfs, so /init has to mount devtmpfs itself if you want it.

    make O=build ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- # -j8
    

Two build products matter: build/vmlinux, the ELF kernel that GDB loads for symbols, and build/arch/arm64/boot/Image, the bootable kernel image QEMU takes with -kernel. With allnoconfig the vmlinux carries a symbol table but no DWARF, which is enough for breakpoints on symbols and disassembly; for source-level debugging also enable Kernel hacking -> Compile-time checks and compiler options -> Compile the kernel with debug info (CONFIG_DEBUG_INFO) before building. allnoconfig also leaves CONFIG_RANDOMIZE_BASE (KASLR) off, so addresses in vmlinux match what runs in the guest; if you start from defconfig instead, add nokaslr to the kernel command line.
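The menu entries above map to Kconfig symbols in build/.config, and it is easy to miss one (the symptom is a kernel that boots silently or cannot run /init). As an added example, not part of the original post, this Python script checks a .config for those symbols, flags the debug-info and KASLR settings that matter for GDB, and emits the scripts/config commands that fix them. The embedded SAMPLE_CONFIG is a constructed excerpt, not a real build's output, and the file name check_config.py is an assumption.

```python
#!/usr/bin/env python3
"""check_config.py: verify a kernel .config has what the minimal QEMU virt (arm64) boot needs."""
import re
import sys

# Kconfig symbol -> the menuconfig entry it corresponds to. Everything must be
# built in (=y): a module cannot be loaded before the initramfs it lives in.
# CONFIG_DEVTMPFS_MOUNT is deliberately absent: it has no effect for initramfs boots.
REQUIRED = {
    "CONFIG_BLK_DEV_INITRD": "General setup / Initial RAM filesystem and RAM disk support",
    "CONFIG_PRINTK": "General setup / Configure standard kernel features / Enable support for printk",
    "CONFIG_BINFMT_ELF": "Executable file formats / Kernel support for ELF binaries",
    "CONFIG_BINFMT_SCRIPT": "Executable file formats / Kernel support for scripts starting with #!",
    "CONFIG_DEVTMPFS": "Device Drivers / Generic Driver Options / Maintain a devtmpfs filesystem",
    "CONFIG_TTY": "Device Drivers / Character devices / Enable TTY",
    "CONFIG_SERIAL_AMBA_PL011": "Serial drivers / ARM AMBA PL011 serial port support (the UART in QEMU's virt machine)",
    "CONFIG_SERIAL_AMBA_PL011_CONSOLE": "Serial drivers / Support for console on AMBA serial port",
    "CONFIG_PROC_FS": "Pseudo filesystems / /proc file system support",
    "CONFIG_SYSFS": "Pseudo filesystems / sysfs file system support",
}
# Not needed to boot; needed for source-level debugging of vmlinux in GDB.
DEBUG_WANTED = {
    "CONFIG_DEBUG_INFO": "Kernel hacking / Compile-time checks and compiler options / Compile the kernel with debug info",
}
# If this is on, runtime addresses no longer match vmlinux unless you boot with nokaslr.
MUST_BE_OFF = {
    "CONFIG_RANDOMIZE_BASE": "Randomize the address of the kernel image (KASLR)",
}

_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")


def parse_config(text):
    """Parse .config text into {symbol: value}; '# X is not set' becomes 'n'."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            continue
        if m.group(1):
            cfg[m.group(1)] = m.group(2).strip('"')
        else:
            cfg[m.group(3)] = "n"
    return cfg


def check(cfg):
    """Return (missing_required, missing_debug, wrongly_enabled), each a list of symbols."""
    missing = [s for s in REQUIRED if cfg.get(s) != "y"]
    missing_dbg = [s for s in DEBUG_WANTED if cfg.get(s) != "y"]
    bad = [s for s in MUST_BE_OFF if cfg.get(s) in ("y", "m")]
    return missing, missing_dbg, bad


def fix_commands(missing, bad, config_path="build/.config"):
    """scripts/config invocations that apply the fixes; run `make ... olddefconfig` afterwards."""
    cmds = ["scripts/config --file %s -e %s" % (config_path, s) for s in missing]
    cmds += ["scripts/config --file %s -d %s" % (config_path, s) for s in bad]
    return cmds


# Constructed excerpt of a .config (not a real build's output): BINFMT_SCRIPT was
# forgotten and KASLR was left on, as happens when starting from a defconfig.
SAMPLE_CONFIG = """\
CONFIG_BLK_DEV_INITRD=y
CONFIG_PRINTK=y
CONFIG_BINFMT_ELF=y
# CONFIG_BINFMT_SCRIPT is not set
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_TTY=y
CONFIG_SERIAL_AMBA_PL011=y
CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
CONFIG_PROC_FS=y
CONFIG_SYSFS=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_DEFAULT_HOSTNAME="(none)"
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    missing, missing_dbg, bad = check(parse_config(text))
    for s in missing:
        print("MISSING  %s  (%s)" % (s, REQUIRED[s]))
    for s in missing_dbg:
        print("NO DEBUG %s  (%s)" % (s, DEBUG_WANTED[s]))
    for s in bad:
        print("DISABLE  %s  (%s)" % (s, MUST_BE_OFF[s]))
    for cmd in fix_commands(missing, bad):
        print(cmd)
    return 1 if (missing or bad) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run python3 check_config.py build/.config after menuconfig (with no argument it checks the constructed sample). After applying the printed scripts/config lines, run make O=build ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- olddefconfig so Kconfig resolves dependencies, then rebuild.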

Booting Linux

qemu-system-aarch64 \
    -machine virt -cpu cortex-a53 -smp 1 -m 2G \
    -kernel ./linux-5.13.9/build/arch/arm64/boot/Image \
    -append "console=ttyAMA0" \
    -initrd ./busybox-1.33.0/build/initramfs.cpio.gz \
    -nographic

console=ttyAMA0 sends the kernel console to the PL011 UART that -nographic attaches to your terminal; the initramfs path matches the BusyBox version built above. To leave the guest, press Ctrl-a followed by x (QEMU's -nographic escape sequence).

GDB debugging

Starting QEMU for debugging

Add -S (halt the CPU before the first instruction) and -gdb tcp::8889 (expose a GDB stub on that port; -s is shorthand for tcp::1234) to the boot command:

qemu-system-aarch64 \
    -machine virt -cpu cortex-a53 -smp 1 -m 2G \
    -kernel ./Image \
    -append "console=ttyAMA0" \
    -initrd ./initramfs.cpio.gz \
    -nographic \
    -S -gdb tcp::8889

Running GDB

In a second terminal, load vmlinux for its symbols and attach to the stub:

gdb-multiarch vmlinux

set architecture aarch64
target remote :8889

b start_kernel   # break at the kernel's C entry point, then continue to it
c
disassemble      # disassemble the function around the current PC

file findit4me   # load symbols from another binary; `file` replaces vmlinux's symbols
b main           # break at main

set disassembly-flavor intel only affects x86 disassembly and has no effect on aarch64, so it is not needed here. Disassembling right after target remote is not useful either: at that point the CPU sits in QEMU's boot stub with no symbol covering the PC, which is why the breakpoint on start_kernel comes first. To add a kernel module's symbols without discarding vmlinux's, use add-symbol-file with the module's .text load address, which the guest exposes at /sys/module/<name>/sections/.text once sysfs is mounted.