The latest articles on DEV Community by ddupard (@ddupard). https://dev.to/ddupard https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3949744%2Fab1a1cf3-7a46-4fa9-92d1-8ac9855809d3.png https://dev.to/ddupard en ddupard Mon, 25 May 2026 01:38:52 +0000 https://dev.to/ddupard/building-a-comfortable-workflow-for-debugging-an-old-version-of-the-linux-kernel-557c https://dev.to/ddupard/building-a-comfortable-workflow-for-debugging-an-old-version-of-the-linux-kernel-557c <p>When you want to work on the Linux kernel, for example to see how an exploit acts (like Dirty COW on kernel 4.7), you need to build a comfortable working environment.</p> <p>I use:</p> <ul> <li> <strong>Docker</strong> for compiling sources in their original version (with the GCC/LD versions corresponding to the source era).</li> <li> <strong>QEMU</strong> for running the executables in a virtual machine.</li> <li> <strong>VS Code</strong> as a debugger.</li> </ul> <p>Through this article, I will show you how I configured my environment to achieve an efficient setup.</p> <h2> 1) Compiling source code </h2> <p>The first step is to retrieve the kernel source code.</p> <p>For relatively recent versions (beyond 5.10), the simplest way is to download the tar file from <a href="https://www.kernel.org/" rel="noopener noreferrer">kernel.org</a>. For older versions, the best solution is to fetch them via git.</p> <p>For example, for 4.7, we start by retrieving the tags:</p> <blockquote> <p>git ls-remote --tags git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git | grep "v4.7"</p> </blockquote> <p>Then we clone it to get the version without downloading the entire history:</p> <blockquote> <p>git clone --depth 1 --branch v4.7 git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4.7</p> </blockquote> <p>After a few minutes, you have a <code>4.7/</code> directory containing a working version of the 4.7 kernel sources.</p> <p>However, these sources are not compilable as-is. Compiling a 4.7 kernel (released in 2016) with a modern compiler (GCC 13+) produces compilation errors due to changes in C language standards or security attribute handling. This is why you need to load versions of GCC and LD compatible with these sources (see the table below), and the easiest way to do this is via Docker.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Kernel Version</th> <th>Ubuntu Version</th> <th>Codename</th> <th>Release Date</th> <th>Default GCC</th> </tr> </thead> <tbody> <tr> <td>v2.6.x</td> <td>6.06</td> <td>Dapper Drake</td> <td>June 2006</td> <td>GCC 4.0</td> </tr> <tr> <td>v3.2</td> <td>12.04</td> <td>Precise Pangolin</td> <td>April 2012</td> <td>GCC 4.6</td> </tr> <tr> <td>v3.13</td> <td>14.04</td> <td>Trusty Tahr</td> <td>April 2014</td> <td>GCC 4.8</td> </tr> <tr> <td>v4.4</td> <td>16.04</td> <td>Xenial Xerus</td> <td>April 2016</td> <td>GCC 5.4</td> </tr> <tr> <td>v4.15</td> <td>18.04</td> <td>Bionic Beaver</td> <td>April 2018</td> <td>GCC 7.3</td> </tr> <tr> <td>v5.4</td> <td>20.04</td> <td>Focal Fossa</td> <td>April 2020</td> <td>GCC 9.3</td> </tr> <tr> <td>v5.15</td> <td>22.04</td> <td>Jammy Jellyfish</td> <td>April 2022</td> <td>GCC 11.2</td> </tr> <tr> <td>v6.8</td> <td>24.04</td> <td>Noble Numbat</td> <td>April 2024</td> <td>GCC 13.2</td> </tr> </tbody> </table></div> <p>We need to retrieve the Docker container corresponding to the kernel version we are interested in. For 4.7, it is Ubuntu 16.04.</p> <p>To search for available containers, there are 2 solutions:<br> a) Run the command:</p> <blockquote> <p>skopeo list-tags docker://docker.io/library/ubuntu</p> </blockquote> <p>you should see something like </p> <p>{<br> "Repository": "docker.io/library/ubuntu",<br> "Tags": [<br> "10.04",<br> "12.04",<br> "12.04.5",<br> "12.10",<br> "13.04",<br> "13.10",<br> "14.04",<br> "14.04.1",<br> ...</p> <p>...then run the command:</p> <blockquote> <p>sudo docker pull ubuntu:16.04</p> </blockquote> <p>b) Go to Docker Hub </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F52j4gppztvssbvxchx44.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F52j4gppztvssbvxchx44.png" alt="Docker Hub" width="800" height="394"></a><br> and download it.</p> <p>After a few minutes, you can run the following command to check that your container was downloaded </p> <blockquote> <p>sudo docker images</p> </blockquote> <p>and you should see</p> <p>kernel-builder-515:latest 9f311ec05f16 580MB 147MB U<br><br> ubuntu:16.04 1f1a2d56de1d 195MB 46.5MB U </p> <p>I always favor LTS (Long Term Support) versions like 16.04, because they guarantee library longevity and compilation tool stability, which is critical to avoid linking errors when generating <code>vmlinux</code>.</p> <p>See the difference here: ubuntu:16.04 is the raw image we just downloaded, while kernel-builder-515 represents the kernel 5.15 image that I customized to include all the necessary compilation tools. We will now cover this customization step using the Dockerfile.</p> <p>To customize the downloaded Docker container, we use a <code>Dockerfile</code>, here is an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c">### Example for kernel 4.7 (based on Ubuntu 16.04 - Xenial)</span> <span class="k">FROM</span><span class="s"> ubuntu:16.04</span> <span class="c">### Install compilation dependencies</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> build-essential <span class="se">\ </span> libncurses5-dev <span class="se">\ </span> bison <span class="se">\ </span> flex <span class="se">\ </span> libssl-dev <span class="se">\ </span> libelf-dev <span class="se">\ </span> gcc-5 g++-5 <span class="se">\ </span> <span class="o">&amp;&amp;</span> update-alternatives <span class="nt">--install</span> /usr/bin/gcc gcc /usr/bin/gcc-5 100 <span class="k">WORKDIR</span><span class="s"> /usr/src/linux</span> </code></pre> </div> <p>To create a personal container version, just run the command:</p> <blockquote> <p>sudo docker build -t my-ubuntu:16.04 .</p> </blockquote> <p>if we launch sudo docker images, you should see the following result</p> <p>kernel-builder-515:latest 9f311ec05f16 580MB 147MB U<br><br> my-ubuntu:16.04 3aa5b81c120f 822MB 188MB U<br><br> ubuntu:16.04 1f1a2d56de1d 195MB 46.5MB U </p> <p>You can find other Dockerfile examples at <a href="https://github.com/ddupard/low-level-security-research" rel="noopener noreferrer">https://github.com/ddupard/low-level-security-research</a>.</p> <p>If you have followed all previous steps, you should be able to compile without issues by running these commands in a shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker run <span class="nt">-it</span> <span class="se">\</span> <span class="nt">-v</span> ~/Desktop/KERNEL/4.7:/build <span class="se">\</span> my-ubuntu:16.04 make x86_64_defconfig scripts/config <span class="nt">--enable</span> CONFIG_DEBUG_INFO scripts/config <span class="nt">--disable</span> CONFIG_DEBUG_INFO_REDUCED scripts/config <span class="nt">--enable</span> CONFIG_GDB_SCRIPTS scripts/config <span class="nt">--enable</span> CONFIG_DEBUG_KERNEL scripts/config <span class="nt">--disable</span> CONFIG_RANDOMIZE_BASE make olddefconfig make scripts_gdb make <span class="nt">-j</span><span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span> </code></pre> </div> <p>et voila</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa52f4xs6l1dpoifdhshi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa52f4xs6l1dpoifdhshi.png" alt="kernel compilation" width="799" height="341"></a></p> <h2> 2) Creating the runtime </h2> <p>This step consists of two parts:</p> <ul> <li>Retrieving and compiling BusyBox.</li> <li>Creating the <code>initramfs.cpio.gz</code>.</li> </ul> <p>Unlike a complete Linux distribution that weighs gigabytes, BusyBox bundles essential utilities (ls, cat, sh, etc.) into a single binary executable.</p> <p>We start by creating a shell script (<code>build_busybox.sh</code>) to download the BusyBox sources and compile them within Docker using <code>my-ubuntu:16.04</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">BUSYBOX_VERSION</span><span class="o">=</span><span class="s2">"1.36.1"</span> <span class="nv">BUSYBOX_TAR</span><span class="o">=</span><span class="s2">"busybox-</span><span class="nv">$BUSYBOX_VERSION</span><span class="s2">.tar.bz2"</span> <span class="nv">BUILD_DIR</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">/busybox_build"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$BUSYBOX_TAR</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Downloading BusyBox </span><span class="nv">$BUSYBOX_VERSION</span><span class="s2">..."</span> wget <span class="s2">"https://busybox.net/downloads/</span><span class="nv">$BUSYBOX_TAR</span><span class="s2">"</span> <span class="k">fi </span><span class="nb">tar </span>xvf <span class="s2">"</span><span class="nv">$BUSYBOX_TAR</span><span class="s2">"</span> <span class="nb">cd</span> <span class="s2">"busybox-</span><span class="nv">$BUSYBOX_VERSION</span><span class="s2">"</span> make defconfig <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/.*CONFIG_STATIC.*/CONFIG_STATIC=y/'</span> .config <span class="c">### 4. Compilation</span> <span class="nb">echo</span> <span class="s2">"Compilation of BusyBox..."</span> make <span class="nt">-j</span><span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span> make <span class="nb">install </span><span class="nv">CONFIG_PREFIX</span><span class="o">=</span><span class="s2">"</span><span class="nv">$BUILD_DIR</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"BusyBox compiled in : </span><span class="nv">$BUILD_DIR</span><span class="s2">"</span> </code></pre> </div> <p>then we launch the following command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker run <span class="nt">-it</span> <span class="se">\</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">"</span>:/build <span class="se">\</span> <span class="nt">-w</span> /build <span class="se">\</span> my-ubuntu:16.04 <span class="se">\</span> /bin/bash ./build_busybox.sh </code></pre> </div> <p>the compilation fails with the following message indicating that wget and other executables are missing</p> <p>sudo docker run -it \<br> -v "$(pwd)":/build \<br> -w /build \<br> my-ubuntu:16.04 \<br> /bin/bash ./build_busybox.sh<br> Téléchargement de BusyBox 1.36.1...<br> ./build_busybox.sh: line 11: wget: command not found<br> tar: busybox-1.36.1.tar.bz2: Cannot open: No such file or directory<br> tar: Error is not recoverable: exiting now</p> <p>so we need to modify the Dockerfile in order to include these new executables<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> ubuntu:16.04</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> build-essential <span class="se">\ </span> gcc <span class="se">\ </span> make <span class="se">\ </span> libncurses5-dev <span class="se">\ </span> libssl-dev <span class="se">\ </span> bc <span class="se">\ </span> bison <span class="se">\ </span> flex <span class="se">\ </span> nano <span class="se">\ </span> git <span class="se">\ </span> cpio <span class="se">\ </span> openssh-client <span class="se">\ </span> wget <span class="se">\ </span> bzip2 <span class="se">\ </span> ca-certificates <span class="se">\ </span> linux-headers-generic <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">WORKDIR</span><span class="s"> /opt</span> <span class="k">RUN </span>git clone https://github.com/radareorg/radare2 <span class="se">\ </span> <span class="o">&amp;&amp;</span> radare2/sys/install.sh <span class="nt">--install</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> radare2 <span class="k">WORKDIR</span><span class="s"> /build</span> </code></pre> </div> <p>now we can recreate the container using </p> <blockquote> <p>sudo docker build -t my-ubuntu:16.04 .</p> </blockquote> <p>then we rebuild busybox with the following command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker run <span class="nt">-it</span> <span class="se">\</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">"</span>:/build <span class="se">\</span> <span class="nt">-w</span> /build <span class="se">\</span> my-ubuntu:16.04 <span class="se">\</span> /bin/bash ./build_busybox.sh </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F694oirrooyyeo53sgqbe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F694oirrooyyeo53sgqbe.png" alt=" " width="799" height="341"></a></p> <p>however the compilation process wil fail with the following message</p> <p>CC miscutils/mt.o<br> CC miscutils/nandwrite.o<br> CC miscutils/partprobe.o<br> CC miscutils/raidautorun.o<br> CC miscutils/readahead.o<br> CC miscutils/runlevel.o<br> CC miscutils/rx.o<br> CC miscutils/seedrng.o<br> miscutils/seedrng.c:45:24: fatal error: sys/random.h: No such file or directory</p> <p>it's because you are compiling a recent version of BusyBox with an old Ubuntu 16.04 base.<br> in order to solve our problem, we will launch the following commands</p> <blockquote> <p>sudo docker ps -a<br> in order to get the list of the last docker commands launched</p> </blockquote> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>CONTAINER ID</th> <th>IMAGE</th> <th>COMMAND</th> <th>CREATED</th> <th>STATUS</th> <th>PORTS NAMES</th> </tr> </thead> <tbody> <tr> <td>49c7144e4dbb</td> <td>my-ubuntu:16.04</td> <td>"/bin/bash ./build_b…"</td> <td>13 minutes ago</td> <td>Exited (0) 10 minutes ago</td> <td>mystifying_mayer</td> </tr> <tr> <td>eb9d3d19f3a0</td> <td>58aacbfbda6f</td> <td>"/bin/bash ./build_b…"</td> <td>23 minutes ago</td> <td>Exited (0) 23 minutes ago</td> <td>wonderful_jemison</td> </tr> </tbody> </table></div> <p>then<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker start 49c7144e4dbb <span class="nb">sudo </span>docker <span class="nb">exec</span> <span class="nt">-it</span> 49c7144e4dbb /bin/bash </code></pre> </div> <p>to restart the docker environment (root@49c7144e4dbb:/build#)<br> then the following commands<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /build/busybox-1.36.1 <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/CONFIG_SEEDRNG=y/CONFIG_SEEDRNG=n/'</span> .config make clean make <span class="nt">-j</span><span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span> </code></pre> </div> <p>compilation should restart and go to the end.</p> <p>then we launch the following command to make the install</p> <blockquote> <p>make install CONFIG_PREFIX="$(pwd)/../busybox_build"</p> </blockquote> <p>at the end a new directory should appear </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fyxsmkse0un5knc5tjd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fyxsmkse0un5knc5tjd.png" alt=" " width="736" height="457"></a></p> <p>Now that BusyBox has copiled, it's time to create initramfs.cpio.gz that sets up the file structure (<code>/proc</code>, <code>/sys</code>, etc.) </p> <p>we are going to create and lauch a new shell script (create_initramfs.sh)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">BUILD_DIR</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">/busybox_build"</span> <span class="nv">ROOTFS_DIR</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">/initramfs_staging"</span> <span class="nb">rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="nv">$ROOTFS_DIR</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$ROOTFS_DIR</span><span class="s2">"</span> <span class="nb">cp</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$BUILD_DIR</span><span class="s2">/"</span><span class="k">*</span> <span class="s2">"</span><span class="nv">$ROOTFS_DIR</span><span class="s2">/"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$ROOTFS_DIR</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> proc sys dev etc/init.d <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt; init #!/bin/sh mount -t proc none /proc mount -t sysfs none /sys echo "--- Système démarré avec succès ---" exec /bin/sh </span><span class="no">EOF </span><span class="nb">chmod</span> +x init find <span class="nb">.</span> <span class="nt">-print0</span> | cpio <span class="nt">--null</span> <span class="nt">-ov</span> <span class="nt">--format</span><span class="o">=</span>newc | <span class="nb">gzip</span> <span class="o">&gt;</span> ../initramfs.cpio.gz </code></pre> </div> <p>at the end of its execution, we should see something like <br> ./bin/mknod<br> ./bin/more<br> ./bin/zcat<br> ./bin/pidof<br> ./bin/egrep<br> ./bin/watch<br> ./bin/link<br> ./bin/pwd<br> ./bin/dd<br> ./bin/netstat<br> ./bin/fgrep<br> ./bin/stty<br> ./bin/mt<br> ./bin/gunzip<br> ./proc<br> ./etc<br> ./etc/init.d<br> ./init<br> 5556 blocks</p> <p>and a new file in the root directory (initramfs.cpio.gz)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffyg3s2h7jf12x4uze6p9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffyg3s2h7jf12x4uze6p9.png" alt=" " width="736" height="457"></a></p> <p>to check that everything is fine , we are going to launch the VM using the following command</p> <blockquote> <p>qemu-system-x86_64 \<br> -kernel ./4.7/arch/x86/boot/bzImage \<br> -initrd ./initramfs.cpio.gz \<br> -append "console=ttyS0 nokaslr" \<br> -nographic </p> </blockquote> <p>and something like below should appear</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2hxpzfg0zra09ijqy444.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2hxpzfg0zra09ijqy444.png" alt=" " width="800" height="489"></a></p> <p>if it happens , congrats your environment is working now</p> <h2> 3) Debugging setup </h2> <p>To debug the kernel, the base tool is GDB, but it isn't very user-friendly. The idea here is to use VS Code's overlay for GDB.</p> <p>First, ensure you compile with debug options in your <code>compile_4.7.sh</code> script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./scripts/config <span class="nt">--enable</span> CONFIG_DEBUG_INFO ./scripts/config <span class="nt">--disable</span> CONFIG_DEBUG_INFO_REDUCED ./scripts/config <span class="nt">--enable</span> CONFIG_GDB_SCRIPTS ./scripts/config <span class="nt">--enable</span> CONFIG_DEBUG_KERNEL ./scripts/config <span class="nt">--disable</span> CONFIG_RANDOMIZE_BASE </code></pre> </div> <p>Verify with:</p> <blockquote> <p>file ./4.7/vmlinux</p> </blockquote> <p>(You should see a line containing "with debug_info")</p> <p>Then, launch QEMU with the <code>-s</code> and <code>-S</code> options:</p> <ul> <li> <code>-s</code>: Opens a GDB server on <code>tcp::1234</code>.</li> <li> <code>-S</code>: Freezes QEMU at the first instruction.</li> </ul> <blockquote> <p>qemu-system-x86_64 \<br> -kernel ./4.7/arch/x86/boot/bzImage \<br> -initrd ./initramfs.cpio.gz \<br> -append "console=ttyS0 nokaslr" \<br> -nographic \<br> -s -S</p> </blockquote> <p>In VS Code, install the <strong>C/C++</strong> extension from Microsoft and create a <code>.vscode/launch.json</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"configurations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(gdb) Attacher au Kernel"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cppdbg"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="s2">"launch"</span><span class="p">,</span><span class="w"> </span><span class="nl">"program"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${workspaceFolder}/4.7/vmlinux"</span><span class="p">,</span><span class="w"> </span><span class="nl">"miDebuggerServerAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"localhost:1234"</span><span class="p">,</span><span class="w"> </span><span class="nl">"miDebuggerPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/usr/bin/gdb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"setupCommands"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-enable-pretty-printing"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"cwd"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${workspaceFolder}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Debugging Workflow </h3> <ol> <li>Launch QEMU (using your script with <code>-s -S</code>).</li> <li>In VS Code, go to the 4.7 directory and launch the "Debug Kernel LKM" configuration.</li> <li>This triggers the kernel to start. You can now set breakpoints, view registers, and use the debug console to launch commands like the following</li> </ol> <p><code>-exec info functions</code><br> <code>-exec p/x $rax</code><br> <code>-exec monitor xp/512gx 0x4786000</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffsnsf7tq0aehypb1i6l3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffsnsf7tq0aehypb1i6l3.png" alt=" " width="800" height="468"></a></p> <p><em>Note: If you load an LKM, you must load the symbol file and tell GDB where the source files are located using:</em><br> <code>-exec add-symbol-file /path/to/my_attack.ko ...</code><br> <code>-exec set substitute-path ...</code></p> <p>Happy kernel debugging!</p> <h2> Appendix: Automation Script </h2> <p>To make the environment setup more efficient, I use a script (<code>run_qemu.sh</code>) to quickly switch between different kernel versions and automate the LKM injection process for the 5.15 LTS kernel.</p> <p>You can save the following code into a file named <code>run_qemu.sh</code> in your <code>~/Desktop/KERNEL</code> directory. Make sure to give it execution permissions with <code>chmod +x run_qemu.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># This script runs on the host (Ubuntu) in ~/Desktop/KERNEL</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Desktop/KERNEL"</span> <span class="nb">echo</span> <span class="s2">"-------------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">" COGNITIVE FIREWALL LAB - TEST ENVIRONMENT"</span> <span class="nb">echo</span> <span class="s2">"-------------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"Select the kernel version to test:"</span> <span class="nb">echo</span> <span class="s2">"1) Kernel 4.7 (Dirty COW vulnerable)"</span> <span class="nb">echo</span> <span class="s2">"2) Kernel 4.8 (Intro XDP)"</span> <span class="nb">echo</span> <span class="s2">"3) Kernel 4.9 (Dirty COW patched)"</span> <span class="nb">echo</span> <span class="s2">"4) Kernel 5.15 (LTS)"</span> <span class="nb">echo</span> <span class="s2">"q) Quit"</span> <span class="nb">echo</span> <span class="s2">"-------------------------------------------------------"</span> <span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"Your choice [1-4] : "</span> choice <span class="k">case</span> <span class="nv">$choice</span> <span class="k">in </span>1<span class="p">)</span> <span class="nv">VERSION</span><span class="o">=</span><span class="s2">"4.7"</span><span class="p">;</span> <span class="nv">KERNEL_PATH</span><span class="o">=</span><span class="s2">"./4.7/arch/x86/boot/bzImage"</span> <span class="p">;;</span> 2<span class="p">)</span> <span class="nv">VERSION</span><span class="o">=</span><span class="s2">"4.8"</span><span class="p">;</span> <span class="nv">KERNEL_PATH</span><span class="o">=</span><span class="s2">"./4.8/arch/x86/boot/bzImage"</span> <span class="p">;;</span> 3<span class="p">)</span> <span class="nv">VERSION</span><span class="o">=</span><span class="s2">"4.9"</span><span class="p">;</span> <span class="nv">KERNEL_PATH</span><span class="o">=</span><span class="s2">"./4.9/arch/x86/boot/bzImage"</span> <span class="p">;;</span> 4<span class="p">)</span> <span class="nv">VERSION</span><span class="o">=</span><span class="s2">"5.15"</span> <span class="nv">KERNEL_PATH</span><span class="o">=</span><span class="s2">"./5.15/arch/x86/boot/bzImage"</span> <span class="nv">LKM2_PATH</span><span class="o">=</span><span class="s2">"./lkm/poc/my_attack.ko"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$LKM2_PATH</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Building initramfs for Kernel 5.15..."</span> <span class="nb">mkdir</span> <span class="nt">-p</span> .initramfs_root <span class="nb">cd</span> .initramfs_root zcat ../initramfs.cpio.gz | cpio <span class="nt">-idmv</span> &amp;&gt;/dev/null <span class="nb">cp</span> <span class="s2">"../</span><span class="nv">$LKM2_PATH</span><span class="s2">"</span> <span class="nb">.</span> <span class="c"># Automatic LKM injection script</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' &gt; init #!/bin/sh mount -t proc proc /proc mount -t sysfs sysfs /sys mount -t devtmpfs devtmpfs /dev 2&gt;/dev/null if [ -f /my_attack.ko ]; then insmod /my_attack.ko; fi exec /bin/sh </span><span class="no">EOF </span> <span class="nb">chmod</span> +x init find <span class="nb">.</span> <span class="nt">-print0</span> | cpio <span class="nt">--null</span> <span class="nt">-ov</span> <span class="nt">--format</span><span class="o">=</span>newc 2&gt;/dev/null | <span class="nb">gzip</span> <span class="nt">-9</span> <span class="o">&gt;</span> ../initramfs.cpio.gz <span class="nb">cd</span> .. <span class="nb">rm</span> <span class="nt">-rf</span> .initramfs_root <span class="k">fi </span>qemu-system-x86_64 <span class="nt">-kernel</span> <span class="s2">"</span><span class="nv">$KERNEL_PATH</span><span class="s2">"</span> <span class="nt">-initrd</span> <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Desktop/KERNEL/initramfs.cpio.gz"</span> <span class="nt">-nographic</span> <span class="nt">-append</span> <span class="s2">"console=ttyS0 loglevel=7 nosmep nosmap nokaslr"</span> <span class="nt">-s</span> <span class="nt">-S</span> <span class="nb">exit </span>0 <span class="p">;;</span> q<span class="p">)</span> <span class="nb">exit </span>0 <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nb">echo</span> <span class="s2">"Invalid choice"</span><span class="p">;</span> <span class="nb">exit </span>1 <span class="p">;;</span> <span class="k">esac</span> <span class="c"># Launch QEMU for versions 1, 2, 3</span> qemu-system-x86_64 <span class="se">\</span> <span class="nt">-kernel</span> <span class="s2">"</span><span class="nv">$KERNEL_PATH</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-initrd</span> <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Desktop/KERNEL/initramfs.cpio.gz"</span> <span class="se">\</span> <span class="nt">-nographic</span> <span class="se">\</span> <span class="nt">-append</span> <span class="s2">"console=ttyS0 nokaslr loglevel=7"</span> <span class="se">\</span> <span class="nt">-s</span> <span class="nt">-S</span> </code></pre> </div> linux kernel security