How can I hook a kernel function


Yushan

Jun 24, 2025, 4:19:33 PM
to S2E Developer Forum
Hi,

I am new to s2e. I’m currently working on a project involving symbolic execution in the Linux kernel using S2E. My goal is to hook kernel functions, sysctl, or variables in order to inject symbolic execution and observe how the system behaves or makes decisions under symbolic inputs.

Could you please advise on how to achieve this using S2E? Any guidance, documentation, or example references would be greatly appreciated.

Best, 

Yushan

Andrea

Sep 24, 2025, 9:50:01 AM
to S2E Developer Forum
Hi Yushan, 

to hook kernel functions, you should consider writing a plugin which registers for the `onTranslateBlockStart` event. There you can inspect the PC and compare it against those of the functions you want to hook. When you find a match, you can then register a signal for when that PC is executed and proceed with making your input symbolic through `makeSymbolic` calls from the `BaseInstructions` plugin.

To obtain the PCs of the functions you care about in the kernel you have two options. You can either hardcode the PCs of the functions that you want to follow by looking them up with gdb against the vmlinux that will be used in your s2e image, or you can modify the installed kernel and introduce a series of `s2e_invoke_plugin` calls to share that information. `s2e_invoke_plugin` will require your plugin to define commands and their parameters. I'd advise inspecting the other plugins available in s2e for how that's done (e.g., `S2E_BASEINSTRUCTION_COMMANDS` or `S2E_LINUXMON_COMMANDS`). This second method will allow you to share this information at runtime, which is particularly useful if you need to recompile the kernel often and things change under you.

Best,
Andrea
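As an added example (an editor's sketch, not S2E project code and not part of Andrea's reply), here is the shape of the plugin described above: a hook table keyed by PC, an `onTranslateBlockStart` slot that only connects an execution callback for hooked PCs, an execution callback that makes the function's first argument symbolic, and a `handleOpcodeInvocation` handler for the `s2e_invoke_plugin` path. The plugin name `KernelHook`, the `S2E_KERNELHOOK_COMMAND` layout, the addresses and the x86_64 SysV assumption that the first argument is in RDI are this example's own choices. The `State` and `ExecutionSignal` stand-ins replace the two S2E types the logic touches so it compiles and can be exercised outside the S2E tree; the real S2E calls named in the comments (`CorePlugin::onTranslateBlockStart`, `BaseInstructions::makeSymbolic`, `IPluginInvoker::handleOpcodeInvocation`, `state->mem()->read`) are from memory and should be checked against your own S2E checkout.

```cpp
// KernelHook: sketch of the plugin Andrea describes (added example, not S2E
// project code). A real build includes <s2e/S2E.h>, <s2e/Plugin.h>,
// <s2e/S2EExecutionState.h>, <s2e/Plugins/Core/BaseInstructions.h> and derives
// from s2e::Plugin and BaseInstructions::IPluginInvoker. The stand-ins below
// replace only the two S2E types the hook logic touches (assumed shapes).
#include <cstdint>
#include <cstring>
#include <functional>
#include <map>
#include <string>
#include <vector>

struct SymbolicRegion { std::string name; uint64_t addr, size; };

struct State {                                  // stand-in for s2e::S2EExecutionState
    uint64_t rdi = 0;                           // first argument, x86_64 SysV ABI
    std::map<uint64_t, uint8_t> guestMem;       // sparse guest memory
    std::vector<SymbolicRegion> symbolicVars;   // regions made symbolic so far
    void writeMem(uint64_t addr, const void *buf, size_t n) {
        const uint8_t *p = static_cast<const uint8_t *>(buf);
        for (size_t i = 0; i < n; i++) guestMem[addr + i] = p[i];
    }
    bool readMem(uint64_t addr, void *buf, size_t n) {   // real: state->mem()->read()
        uint8_t *p = static_cast<uint8_t *>(buf);
        for (size_t i = 0; i < n; i++) {
            auto it = guestMem.find(addr + i);
            if (it == guestMem.end()) return false;      // unmapped: fail, as S2E does
            p[i] = it->second;
        }
        return true;
    }
};

struct ExecutionSignal {                        // stand-in for s2e::ExecutionSignal
    using Slot = std::function<void(State *, uint64_t)>;
    std::vector<Slot> slots;
    void connect(Slot f) { slots.push_back(f); }
    void emit(State *s, uint64_t pc) { for (auto &f : slots) f(s, pc); }
};

// Command a patched kernel sends with s2e_invoke_plugin("KernelHook", &cmd,
// sizeof(cmd)). Name and layout are this example's own (hypothetical).
enum KernelHookCommand : uint64_t { REGISTER_HOOK = 0 };
struct S2E_KERNELHOOK_COMMAND {
    uint64_t Command;
    uint64_t Pc;        // address of the kernel function to hook
    uint64_t ArgSize;   // bytes behind its first argument to make symbolic
    char Name[32];      // label for the symbolic variable
} __attribute__((packed));

class KernelHook {
public:
    struct Hook { uint64_t argSize; std::string name; };

    // Static hooks: PCs looked up against vmlinux with gdb/nm and listed in
    // s2e-config.lua. initialize() would load them and then do
    //   s2e()->getCorePlugin()->onTranslateBlockStart.connect(
    //       sigc::mem_fun(*this, &KernelHook::onTranslateBlockStart));
    void addHook(uint64_t pc, uint64_t argSize, const std::string &name) {
        m_hooks[pc] = Hook{argSize, name};
    }
    const Hook *lookup(uint64_t pc) const {
        auto it = m_hooks.find(pc);
        return it == m_hooks.end() ? nullptr : &it->second;
    }

    // Fires once per translated block, so the PC test is cheap; only blocks
    // starting at a hooked function get an execution slot.
    void onTranslateBlockStart(ExecutionSignal *signal, State *, void * /*tb*/, uint64_t pc) {
        if (m_hooks.count(pc))
            signal->connect([this](State *s, uint64_t p) { onExecute(s, p); });
    }

    // Runs each time the hooked block executes: first argument from RDI, then
    // make the buffer it points to symbolic.
    void onExecute(State *state, uint64_t pc) {
        const Hook &h = m_hooks.at(pc);
        uint64_t ptr = state->rdi;  // real: state->regs()->read(CPU_OFFSET(regs[R_EDI]), &ptr, sizeof ptr)
        // real: s2e()->getPlugin<BaseInstructions>()->makeSymbolic(state, ptr, h.argSize, h.name)
        state->symbolicVars.push_back(SymbolicRegion{h.name, ptr, h.argSize});
    }

    // IPluginInvoker::handleOpcodeInvocation: runtime registration from the
    // guest. Guest data is untrusted: check size and readability, terminate the name.
    bool handleOpcodeInvocation(State *state, uint64_t guestDataPtr, uint64_t guestDataSize) {
        S2E_KERNELHOOK_COMMAND cmd;
        if (guestDataSize != sizeof(cmd)) return false;
        if (!state->readMem(guestDataPtr, &cmd, sizeof(cmd))) return false;
        if (cmd.Command != REGISTER_HOOK) return false;
        cmd.Name[sizeof(cmd.Name) - 1] = '\0';
        addHook(cmd.Pc, cmd.ArgSize, cmd.Name);
        return true;
    }

private:
    std::map<uint64_t, Hook> m_hooks;
};
```

Two caveats worth keeping in mind with this pattern: `onTranslateBlockStart` only sees the first PC of each translated block, so a function entry (a call target) is caught but an instruction in the middle of a block is not, which is what `onTranslateInstructionStart` is for; and a hook added at runtime through the command path only affects blocks translated after the registration, so register before the function first runs, or make sure the relevant blocks get retranslated.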

