Linkat, short for 'Linux Kernel Allocation Tracer', is a small tool that traces the allocations your PoC makes in kernel memory on a Linux system and visualizes them in a user-friendly interface. It utilizes ftrace, so you need to have it installed to use this tool. Linkat sets ftrace parameters and parses the resulting logs to provide you with detailed information about kernel memory allocation.
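The log-parsing idea described above, as an added example that is not Linkat's own code: it replays ftrace kmem:kmalloc and kmem:kfree text events for one PID to work out which objects are still allocated and which frees have no matching allocation in the capture. The sample trace, the PID and the function names replay and slack_by_size are constructed for illustration; Linkat's actual ftrace settings and parser may differ.

```python
import re

# Constructed sample in ftrace's text layout for the kmem:kmalloc and kmem:kfree
# events; it is not output captured from Linkat.
SAMPLE_TRACE = """\
     poc-4242  [001] ....  100.000100: kmalloc: call_site=ffffffff81234567 ptr=ffff888003a1c000 bytes_req=96 bytes_alloc=96 gfp_flags=GFP_KERNEL
     poc-4242  [001] ....  100.000200: kmalloc: call_site=ffffffff81234567 ptr=ffff888003a1c060 bytes_req=96 bytes_alloc=96 gfp_flags=GFP_KERNEL
    sshd-911   [000] ....  100.000250: kmalloc: call_site=ffffffff81999999 ptr=ffff888004000000 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_KERNEL
     poc-4242  [001] ....  100.000300: kfree: call_site=ffffffff8123aaaa ptr=ffff888003a1c000
     poc-4242  [001] ....  100.000400: kmalloc: call_site=ffffffff81235000 ptr=ffff888003a1c000 bytes_req=80 bytes_alloc=96 gfp_flags=GFP_KERNEL
     poc-4242  [001] ....  100.000500: kfree: call_site=ffffffff8123aaaa ptr=0000000000000000
     poc-4242  [001] ....  100.000600: kfree: call_site=ffffffff8123aaaa ptr=ffff888003b00000
"""

LINE = re.compile(
    r"^\s*(?P<comm>.+)-(?P<pid>\d+)\s+\[\d+\]\s+\S+\s+(?P<ts>\d+\.\d+):\s+"
    r"(?P<event>kmalloc|kfree):\s+(?P<fields>.*)$")

def replay(trace_text, pid):
    """Replay the kmalloc/kfree events of one PID; return (live, unmatched_frees)."""
    live = {}        # ptr -> record of an allocation that has not been freed yet
    unmatched = []   # frees of pointers never seen allocated in this capture
    for line in trace_text.splitlines():
        m = LINE.match(line)
        if not m or int(m["pid"]) != pid:
            continue  # header lines, other events, other processes
        f = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        ptr = int(f["ptr"], 16)
        if m["event"] == "kmalloc":
            live[ptr] = {"ts": float(m["ts"]), "req": int(f["bytes_req"]),
                         "alloc": int(f["bytes_alloc"]), "site": f["call_site"]}
        elif ptr == 0:
            continue  # kfree(NULL) frees nothing; skip it if it shows up
        elif live.pop(ptr, None) is None:
            unmatched.append((float(m["ts"]), ptr))
    return live, unmatched

def slack_by_size(live):
    """Group live objects by allocated size: {bytes_alloc: (count, unused_bytes)}."""
    out = {}
    for rec in live.values():
        count, wasted = out.get(rec["alloc"], (0, 0))
        out[rec["alloc"]] = (count + 1, wasted + rec["alloc"] - rec["req"])
    return out

if __name__ == "__main__":
    live, unmatched = replay(SAMPLE_TRACE, pid=4242)
    print(slack_by_size(live))
    print("unmatched frees:", [(ts, hex(p)) for ts, p in unmatched])
```

An unmatched free usually means the object was allocated before tracing started, which is one reason to start the PoC promptly after the capture begins.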
To install Linkat, follow the steps given below:
Clone the Linkat repository on your host machine using the following command:
git clone https://github.com/AntoineBlaud/linkat.git
After cloning the repository, go to the Linkat directory and run the docker-build.sh script to build the Docker image:
cd linkat
./docker-build.sh
Next, install Linkat on the target machine by cloning the repository and running the setup.py script:
git clone https://github.com/linkat/linkat.git
cd linkat
python3 setup.py install
Follow the steps below to use Linkat:
On your target machine, launch linkat-run using the following command:
linkat-run
Inside your PoC, call the function 'marker', which is located in the 'helper.h' file, at least once.
Run your PoC quickly after launching linkat-run. The longer you wait, the more time Linkat will take to parse the log.
Once your PoC has finished running, press Enter to let Linkat parse the log and fetch the data. If Linkat asks for it, enter the process from the ones proposed.
Copy the trace.json file to your host machine.
After copying the trace.json file to your host machine, run the Docker container using the following command:
./docker-run.sh <your-trace.json path>
Finally, open your browser and go to localhost:3000 to enjoy using Linkat. Move the range bar to display the progress/evolution.
Rendering a large memory trace can take a few seconds (approximately 1 second per 3000 entries) when the PoC makes a large number of allocations, so please be patient. Also, this program could easily be extended to trace any pre-compiled program, but I don't see the need for it.
Linkat is a useful tool for tracing kernel memory allocation on Linux systems. By following the installation and usage steps given above, you can easily use Linkat to trace the allocations made by your PoC in kernel memory.