1 of 1

Compiling, Customising and booting the Kernel

Instructions for compiling the kernel with your own settings, as well as compiling kernel modules for a specific kernel version.

This isn't necessary for learning how to write kernel exploits - all the important parts will be provided! This is just to help those hoping to write challenges of their own, or perhaps set up their own VMs for learning purposes.

Prerequisites

There may be other requirements, I just already had them. Check for the full list.

The Kernel

Cloning

Use --depth 1 to only get the last commit.

Customise

Remove the current compilation configurations, as they are quite complex for our needs

Now we can create a minimal configuration, with almost all options disabled. A .config file is generated with the least features and drivers possible.

We create a kconfig file with the options we want to enable. An example is the following:

Explanation of Options

CONFIG_64BIT - compiles the kernel for 64-bit
CONFIG_SMP - simultaneous multiprocessing; allows the kernel to run on multiple cores

In order to update the minimal .config with these options, we use the provided merge_config.sh script:

Building

That takes a while, but eventually builds a kernel in arch/x86/boot/bzImage. This is the same bzImage that you get in CTF challenges.

Kernel Modules

, we use the following Makefile structure:

To compile it for a different kernel, all we do is change the -C flag to point to the newly-compiled kernel rather than the system's:

The module is now compiled for the specific kernel version!

Booting the Kernel in a Virtual Machine

References

Creating the File System and Executables

We now have a minimal kernel bzImage and a kernel module that is compiled for it. Now we need to create a minimal VM to run it in.

To do this, we use , an executable that contains tiny versions of most Linux executables. This allows us to have all of the required programs, in as little space as possible.

We will download and extract busybox; you can find the latest version .

We also create an output folder for compiled versions.

Now compile it statically. We're going to use the menuconfig option, so we can make some choices.

Once the menu loads, hit Enter on Settings. Hit the down arrow key until you reach the option Build static binary (no shared libs). Hit Space to select it, and then Escape twice to leave. Make sure you choose to save the configuration.

Now, make it with the new options

Now we make the file system.

The last thing missing is the classic init script, which gets run on system load. A provisional one works fine for now:

Make it executable

Finally, we're going to bundle it into a cpio archive, which is understood by QEMU.

The -not -name *.cpio is there to prevent the archive from including itself
You can even compress the filesystem to a .cpio.gz file, which QEMU also recognises

If we want to extract the cpio archive (say, during a CTF) we can use this command:

Loading it with QEMU

Put bzImage and initramfs.cpio into the same folder. Write a short run.sh script that loads QEMU:

Explanation of Flags

-kernel bzImage - sets the kernel to be our compiled bzImage
-initrd initramfs.cpio

Once we make this executable and run it, we get loaded into a VM!

User Accounts

Right now, we have a minimal linux kernel we can boot, but if we try and work out who we are, it doesn't act quite as we expect it to:

This is because /etc/passwd and /etc/group don't exist, so we can just create those!

Loading the Kernel Module

The final step is, of course, the loading of the kernel module. I will be using the module from my section for this step.

First, we copy the .ko file to the filesystem root. Then we modify the init script to load it, and also set the UID of the loaded shell to 1000 (so we are not root!).

Here I am assuming that the major number of the double_fetch module is 253.

Why am I doing that?

If we load into a shell and run cat /proc/devices, we can see that double_fetch

Compiling a Different Kernel Version

If we want to compile a kernel version that is not the latest, we'll dump all the :

It takes ages to run, naturally. Once we do that, we can check out a specific version of choice:

We then continue from there.

Some tags seem to not have the correct header files for compilation. Others, weirdly, compile kernels that build, but then never load in QEMU. I'm not quite sure why, to be frank.

Compiling, Customising and booting the Kernel

Instructions for compiling the kernel with your own settings, as well as compiling kernel modules for a specific kernel version.

Prerequisites

$ apt-get install flex bison libelf-dev

There may be other requirements, I just already had them. Check for the full list.

The Kernel

Cloning

Use --depth 1 to only get the last commit.

Customise

Remove the current compilation configurations, as they are quite complex for our needs

Now we can create a minimal configuration, with almost all options disabled. A .config file is generated with the least features and drivers possible.

We create a kconfig file with the options we want to enable. An example is the following:

Explanation of Options

CONFIG_64BIT - compiles the kernel for 64-bit
CONFIG_SMP - simultaneous multiprocessing; allows the kernel to run on multiple cores

In order to update the minimal .config with these options, we use the provided merge_config.sh script:

Building

That takes a while, but eventually builds a kernel in arch/x86/boot/bzImage. This is the same bzImage that you get in CTF challenges.

Kernel Modules

, we use the following Makefile structure:

To compile it for a different kernel, all we do is change the -C flag to point to the newly-compiled kernel rather than the system's:

The module is now compiled for the specific kernel version!

Booting the Kernel in a Virtual Machine

References

Creating the File System and Executables

We now have a minimal kernel bzImage and a kernel module that is compiled for it. Now we need to create a minimal VM to run it in.

To do this, we use , an executable that contains tiny versions of most Linux executables. This allows us to have all of the required programs, in as little space as possible.

We will download and extract busybox; you can find the latest version .

We also create an output folder for compiled versions.

Now compile it statically. We're going to use the menuconfig option, so we can make some choices.

Now, make it with the new options

Now we make the file system.

The last thing missing is the classic init script, which gets run on system load. A provisional one works fine for now:

Make it executable

Finally, we're going to bundle it into a cpio archive, which is understood by QEMU.

The -not -name *.cpio is there to prevent the archive from including itself
You can even compress the filesystem to a .cpio.gz file, which QEMU also recognises

If we want to extract the cpio archive (say, during a CTF) we can use this command:

Loading it with QEMU

Put bzImage and initramfs.cpio into the same folder. Write a short run.sh script that loads QEMU:

Explanation of Flags

-kernel bzImage - sets the kernel to be our compiled bzImage
-initrd initramfs.cpio

Once we make this executable and run it, we get loaded into a VM!

User Accounts

Right now, we have a minimal linux kernel we can boot, but if we try and work out who we are, it doesn't act quite as we expect it to:

This is because /etc/passwd and /etc/group don't exist, so we can just create those!

Loading the Kernel Module

The final step is, of course, the loading of the kernel module. I will be using the module from my section for this step.

First, we copy the .ko file to the filesystem root. Then we modify the init script to load it, and also set the UID of the loaded shell to 1000 (so we are not root!).

Here I am assuming that the major number of the double_fetch module is 253.

Why am I doing that?

If we load into a shell and run cat /proc/devices, we can see that double_fetch

Compiling a Different Kernel Version

If we want to compile a kernel version that is not the latest, we'll dump all the :

It takes ages to run, naturally. Once we do that, we can check out a specific version of choice:

We then continue from there.

Some tags seem to not have the correct header files for compilation. Others, weirdly, compile kernels that build, but then never load in QEMU. I'm not quite sure why, to be frank.

Compiling, Customising and booting the Kernel

hashtagPrerequisites

hashtagThe Kernel

hashtagCloning

hashtagCustomise

hashtagBuilding

hashtagKernel Modules

hashtagBooting the Kernel in a Virtual Machine

hashtagReferences

hashtagCreating the File System and Executables

hashtagLoading it with QEMU

hashtagUser Accounts

hashtagLoading the Kernel Module

hashtagCompiling a Different Kernel Version

Compiling, Customising and booting the Kernel

hashtagPrerequisites

hashtagThe Kernel

hashtagCloning

hashtagCustomise

hashtagBuilding

hashtagKernel Modules

hashtagBooting the Kernel in a Virtual Machine

hashtagReferences

hashtagCreating the File System and Executables

hashtagLoading it with QEMU

hashtagUser Accounts

hashtagLoading the Kernel Module

hashtagCompiling a Different Kernel Version

Prerequisites

The Kernel

Cloning

Customise

Building

Kernel Modules

Booting the Kernel in a Virtual Machine

References

Creating the File System and Executables

Loading it with QEMU

User Accounts

Loading the Kernel Module

Compiling a Different Kernel Version

Prerequisites

The Kernel

Cloning

Customise

Building

Kernel Modules

Booting the Kernel in a Virtual Machine

References

Creating the File System and Executables

Loading it with QEMU

User Accounts

Loading the Kernel Module

Compiling a Different Kernel Version