
Recently, I dumped my memory strings (just because I could) using sudo cat /dev/mem | strings. Upon reviewing this dump, I noticed some very interesting things:

.symtab
.strtab
.shstrtab
.note.gnu.build-id
.rela.text
.rela.init.text
.rela.text.unlikely
.rela.exit.text
.rela__ksymtab
.rela__ksymtab_gpl
.rela__kcrctab
.rela__kcrctab_gpl
.rela.rodata
.rodata.str1.8
.rela__mcount_loc
.rodata.str1.1
.rela__bug_table
.rela.smp_locks
.modinfo
__ksymtab_strings
.rela__tracepoints_ptrs
__tracepoints_strings
__versions
.rela.data
.data.unlikely
.rela__verbose
.rela__jump_table
.rela_ftrace_events
.rela.ref.data
.rela__tracepoints
.rela.gnu.linkonce.t6

These lines all seem to be related in some way: they are all (very) near each other in the memory, they all have similar .<name> prefixes, and they all seem to refer to each other.

What would cause these strings to appear, and why?

Kaz Wolfe

2 Answers

+1 to what @jos said above ("google it"). In this particular case you should remove the ".rela_" and "_gpl" parts. You'll find that these are kernel symbols. "rela" is an acronym for "relocation" and has to do with the ELF file format. These are all interesting topics and I encourage you to look into them further.

Mark Wagner

These look very much like section names from the Linux kernel. The ones prefixed by .rela contain relocation information for the named section, e.g. .rela.text is the relocation information for the text section (where kernel object code is stored).

Other sections of interest are:

  1. .modinfo - kernel module information
  2. .rela.__ksymtab - kernel symbol table relocation table
  3. .rela.data - kernel data section relocation table
  4. .rodata.str1.1 - read only data section for strings

etcetera.

Running strings on /dev/mem will just find interesting strings in the system's physical memory; hence you managed to find some strings that are in the uncompressed vmlinuz Linux kernel.

ColinKing