rivets How to enact and ceases Linux eral image (ini) -Packapecoud Blog
packagec| |
‘Subscribe to our blog via email
Sign upt
Subscribe to our RSS feed
back to posts
How to extract and
disassemble a Linux
kernel image (vmlinuz)
Mar 8, 2016 = packagecloud
linux-howto
TL;DR
This blog post explains how to extract and disassemble a Linux kernel
image. It will cover the extract-vmlinux script, how to use objdump, and
how to use /boot/System.map to locate functions and other symbols.
fle:INICRACKINGIREVERSE.20ENGINEERINGIHow%2010%20extract20and’420dieaseerble%20a%20Linux%20kemnel%20image%20(uml.. 116ariigate How to extract and disassemile a Linux kernel image (vmiinuz) - Packagectoud Blog
Create a package repository in less than 10 Sign up!
seconds, free.
Extracting the Linux kernel image
(vmlinuz)
First, you'll need to get the extract-vmlinux script so that you can
decompress and extract the Linux kernel image.
You can download the latest version from GitHub:
$ wget -O extract-vmlinux https: //raw.githubusercontent .com/torvalds/Linux/mast
er/scripts/extract-vmlinux
It’s unlikely that the script will change, but to be safe you should use the
extract-vmlinux script that is from the same source tree as your kernel.
If you are extracting a kernel installed from your operating system, you can
install the extract-linux script with your package manager.
On Ubuntu, install linux-headers-$(uname -r):
$ sudo apt-get install linux-headers-$(uname -r)
You will be able to find the extract-linux script at /usr/src/linux-
headers-$(uname -r)/scripts/extract-vmlinux.
On CentOS, install kernel-devel :
$ sudo yum install kernel-devel
fle:INICRACKINGIREVERSE20ENGINEERINGIHow%2010%20extract20and’20dieaseemble%20a%20Linux%20kemnel%20image%20(um.. 216aris018 How to extac and disassemble a Linux Kemal image (minus) -Packagectoud Blog
You will be able to find the extract-linux script at
Jusr/src/kernels/$(uname -r)/scripts/extract-vmlinux.
Using extract-vmlinux
You can now use extract-vmlinux to decompress and extract the kernel
image.
A good first step is to create a temporary directory and copy the kernel
image to it:
$ mkdir /tmp/kernel-extract
$ sudo cp /boot/vmlinuz-$(uname -r) /tmp/kernel-extract/
Now, run the extract-vmlinux script to extract the image.
On Ubuntu:
$ cd /tmp/kernel-extract/
$ sudo /usr/src/linux-headers-$(uname -r)/scripts/extract-vmlinux vmlinuz-$(una
me -r) > vmlinux
On CentOS:
$ cd /tmp/kernel-extract/
$ sudo /usr/src/kernels/$(uname -r)/scripts/extract-vmlinux vmlinuz-$(uname -r)
> vmlinux
Disassmble the Linux kernel with
objdump
fledINICRACKINGIREVERSE%.20ENGINEERING/How%2010%20extact%é20and%420disassemblo%20a%é20Linux%20kemel%20imago%20(vm
38ariigate How to extract and disassemile a Linux kernel image (vmiinuz) - Packagectoud Blog
Now that you have decompressed and extracted the kernel image, you can
use objdump to disassemble it. There's quite a bit of code, so piping the
output to less is probably a good idea.
Using the same directory structure as before:
$ cd /tmp/kernel-extract/
$ objdump -D vmlinux | less
Finding symbols in
/boot/System.map
So, you’ve extracted the kernel and are now looking at the disassembled
kernel. You'll notice that there are no symbol names, so you can’t easily find
the starting point for functions you want to examine.
Luckily, all the symbols and their starting address can be found in the file
/boot/System.map-$(uname -r).
For example, let’s lookup the address of tcp_v4_do_rcv:
$ sudo grep " tep_v4_do_rev" /boot/System.map-3.2.0-29-virtual
FFFFFFFF81590df T tcp_v4_do_rcv
You can now search the objdump output for the address ffffffffs1s9edfo
to find the disassmbled net_ipv4_path function:
FFFFFFFFBIS90d#O: 55 push %rbp
FFFFFFFF81590dF1: 48 89 eS mov. rsp, %rbp
FFFFFFFFBISOOUFA: 48 83 ec 20 sub $0x20,%rsp
fledINICRACKINGIREVERSE20ENGINEERINGIHow%2010%20extract20and’20dieaseemble%20a%20Linux%20kemnel%20image%20(um.. 416areata How to extract and disassemile a Linux kernel image (vmiinuz) - Packagectoud Blog
FFFFFFFFB1S90df8: 48 89 Sd e8 mov %rbx, -@x18(%rbp)
FFFFFFFFBIS9OdF. 4c 89 65 fo mov %r12, -@x10(%rbp)
FF FFFFFFE1590€00: 4c 89 6d f8 mov %r13,-@x8(%rbp)
FFFFFFFFE1590004: eB 77 9c Gc 00 callq oxffrfrrffsiesaase
Conclusion
Extracting the Linux kernel is relatively straightforward once you know
what extract-vmlinux is and where to find it. Extracting the kernel can be
useful when you want to verify comments left by kernel code authors or are
just curious to see how a particular function was compiled.
Share this post:
Never miss an update!
Subscribe to our blog via email
Sign up!
‘Subscribe to our RSS feed
asaya?
fle:INICRACKINGIREVERSE.20ENGINEERINGIHow%2010%20extract20and’420dieaseemble%20a%20Linux%20kemnel%20image%20(um.. 516arrears How to extract and disassemile a Linux kernel image (vmiinuz) - Packagectoud Blog
Features
Cl
Jenkins
Buildkite
Public Package Repository
Private Package Repository
GPG Signatures
Pricing
Private DE!
ry
Private RPM repository
Private Ru
Gem server
Private PyPI server
Private Maven rep
HOWTOs
Linux HOV
Guides
Maven Guide
bian Guide
RPM Guide
fle:INICRACKINGIREVERSE20ENGINEERINGIHow%2010%20extract20and%420dieasserble%20a%20Linux%20kemnel%20image%20(um.. 616