# Linux kernel exploit development

Inspired by [Midas's series](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/) on Linux kernel exploit development, this series follows the same progression through exploit mitigations using [pwn.college's kernel](https://github.com/pwncollege/pwnkernel). All of my code and examples are available [here](https://github.com/ChrisTheCoolHut/Linux_kernel_exploitation).

Topics include:

* [Setup](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/setup)
* [Interacting with kernel modules (ioctl, character devices)](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/interacting-with-kernel-modules)
* [Stack cookies](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/stack-cookies)
* [KASLR](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/kernel-address-space-layout-randomization-kalsr)
* [SMEP](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/supervisor-mode-execution-protection-smep)
* [SMAP](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/supervisor-mode-access-prevention-smap)
* [KPTI](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/kernel-page-table-isolation-kpti)
* modprobe\_path
* cred\_struct overwriting

Protections TLDR:

**KASLR** - Randomizes the kernel's load address, so an exploit needs an address leak before it can use kernel addresses.

**SMEP** - The CPU refuses to execute userspace pages while in kernel mode, so shellcode placed in userspace cannot be jumped to directly (similar in spirit to DEP/NX).

**SMAP** - The CPU refuses to read or write userspace pages while in kernel mode, which makes stack pivots into user-controlled memory much harder.

**KPTI** - Keeps separate page tables for kernel space and user space, so the kernel must swap page tables when transitioning between the two.
