About
This is an IDA Pro (Interactive Disassembler) plugin allowing to automatically analyze and annotate Linux kernel alternatives (content of .altinstructions and .altinstr_replacement sections).
Requirements
This is an IDAPython-based plugin supporting IDA Pro 7.x with Python 3.
Currently only x86/x86_64 architecture is supported.
Installation
System-wide installation:
Copy linux_alternatives.py file into your IDADIR/plugins directory:
| OS | Typical global plugins directory path |
|---|---|
| Windows | %ProgramFiles%\IDA Pro 7.x\plugins |
| macOS | /Applications/IDA Pro 7.x/idabin/plugins |
| Linux | /opt/idapro-7.x/plugins |
Where x should be the actual version number installed.
User installation:
Copy linux_alternatives.py file into your local user IDA plugins directory:
| OS | Typical user plugins directory path |
|---|---|
| Windows | %AppData%\Hex-Rays\IDA Pro\plugins |
| Linux/macOS | ~/.idapro/plugins |
Usage
To use the plugin click Linux Alternatives entry from the Edit / Plugins menu bar. Alternatively, invoke the plugin with a shortcut Alt + F9.
The plugin also registers three additional options (available from Edit / Linux Alternatives menu bar):
-
Import cpufeatures.h file- This option opens up a file chooser allowing to specify acpufeatures.hfile corresponding to the kernel being analyzed. -
Remove alternative comments- This option closes theAlternativeswindow and removes all annotations from the database. Note: This option appears only after the annotations are applied. -
Patch selected alternatives- This option allows to specify a comma-separated list of CPU feature flags and patch into binary corresponding alternatives. Note: after providing the list of feature flags, the corresponding alternatives are automatically patched in. No need to re-run the plugin.
What does it do?
The plugin performs the following steps upon invocation:
1. Obtain the memory layout of struct alt_instr:
- If DWARF-based definition of the structure is available, it is used directly.
- Otherwise, the plugin heuristically determines:
- type (and size) of the first two structure members (address or relative offset of instruction and replacement).
- size of the structure
- offset of the length field members
2. Obtain available CPUFEATURE and X86_BUGS flag names
- Analyze string references in:
x86_cap_flagsandx86_bug_flagsarray symbols. - If
cpufeatures.hfile has been loaded, the plugin parses it and uses CPUFEATURE and X86_BUGS flags from it.
3. Analyze and annotate content of .altinstructions and .altinstr_replacement sections
.altinstructions |
.altinstr_replacement |
|---|---|
 |
 |
4. Apply alternatives comments in the disassembly for all alternative entries found
| without opcodes | with opcodes |
|---|---|
 |
 |
5. Open a new window with a tabular listing of the alternatives
- columns are sortable and addresses clickable
Patching alternatives
Main purpose of this feature is to simulate presence of specified CPU feature flags and update binary with their corresponding alternatives for static analysis purposes. This feature might be helpful for inspecting alternative entries for correctness and security, without the need to run the Linux kernel binary.
Upon clicking the Patch selected alternatives option in Edit / Linux Alternatives menu bar, the following prompt is displayed: 
User can specify comma-separated list of feature flags either by their name (case insensitive) or by their integer value as calculated in typical cpufeatures.h file:
Clicking OK will automatically patch and re-analyze the entire database with alternatives selected with the feature flags:
| Before | After |
|---|---|
 |
 |
5 Nov 18, 2022
36 Dec 20, 2022
2 Dec 16, 2021
62 Dec 23, 2022
185 Dec 25, 2022
[email protected]">
388 Dec 27, 2022
127 Dec 27, 2022
1 Jan 11, 2022
172 Nov 17, 2022
15 Jul 24, 2022
12.4k Jan 08, 2023
12 Nov 09, 2022
4 Feb 22, 2022
20 Nov 24, 2022
9 Sep 21, 2022
1 Feb 12, 2022
25 Sep 23, 2022
6 Dec 24, 2022
232 Nov 21, 2022
3 Nov 04, 2022