I have a program that can read and write to kernel memory and I want to get the address of swapper_pg_dir. The device in question is running Android with ARM64 architecture and has kASLR enabled.
swapper_pg_dir is not printed to /proc/kallsyms, so what I tried to do was to get the swapper_pg_dir address from System.map (obtained by compiling the kernel source), calculate the offset using /proc/kallsyms, and use it to calculate the current swapper_pg_dir address. But the resulting address seems to be wrong, because the program cannot read memory from it (reading memory from this address returns some strings, mostly of the format "u:object_r:####_prop:s0", which usually happens when the memory is not mapped).
Also, flashing a modified kernel or loading a kernel module is not an option because the bootloader is locked (and unlocking is not allowed) in this device.
So what could be a possible way to get the swapper_pg_dir address? It could be possible to read from a structure (whose address is exported in kallsyms or can be calculated) that has this as a variable, but I have yet to find such a structure.
The structure init_mm contains the swapper_pg_dir address.
    struct mm_struct init_mm = {
        [...]
        .pgd = swapper_pg_dir,
        [...]
    };
In my case it was located 64 bytes after the address of init_mm.