How to extract and disassemble a Linux kernel
Last Updated: 15 Jun, 2021
Extracting and examining the disassembled assembly code of your Linux kernel is useful when you want to look for a malfunctioning piece of code or inspect the entry points of particular functions. The process is fairly intuitive once you know the tools involved.
The steps below are described for Ubuntu 20.04 but should work on other GNU/Linux based operating systems as well. We will use the objdump command-line utility, which comes pre-installed with all Ubuntu distributions. To check that it is installed and working, run the following in your terminal; you should see the program's version and license information.
objdump --version
The Linux kernel executable is called vmlinuz. It is the file first loaded into memory when the computer boots, and it is what we will disassemble. It is located in the /boot/ directory but is stored compressed, so we first have to extract it using the extract-vmlinux script that ships with the Linux headers.
STEP 1: Copying the compressed kernel executable to a different location:
First, we create a copy of the kernel in a directory of our choice and cd into that directory. Superuser privileges are necessary for this step because the kernel image in /boot/ is readable only by root.
mkdir ~/kernel-tmp
sudo cp /boot/vmlinuz-$(uname -r) ~/kernel-tmp
cd ~/kernel-tmp
STEP 2: Extracting the kernel:
Now we extract the compressed kernel that we copied into our directory. We use the extract-vmlinux script that comes with the Linux headers.
sudo /usr/src/linux-headers-$(uname -r)/scripts/extract-vmlinux vmlinuz-$(uname -r) > decomp-vmlinuz
The above command runs the extract-vmlinux script on our copy of the kernel and writes the decompressed image to a file named decomp-vmlinuz in the current working directory.
STEP 3: Disassembly:
We are now ready to disassemble the decompressed executable. Simply run the following command:
objdump -D decomp-vmlinuz > disassembled-vmlinuz.asm
The disassembled kernel code can now be found in the disassembled-vmlinuz.asm file.
STEP 4: Finding symbols:
The disassembled kernel file has no symbols, so we cannot easily find where functions start. Linux stores every symbol name and its start address in a separate file, System.map. We copy that file as well for ease of access.
sudo cp /boot/System.map-$(uname -r) ./
Now we can grep for a symbol name in the System.map-x.x.x-xx-generic file to get its start address, and then look up that address in the disassembled-vmlinuz.asm file.
For example, we could grep for register_keyboard_notifier:
sudo grep register_keyboard_notifier System.map-$(uname -r)
which gives output somewhat like:
ffffffff816ec720 T register_keyboard_notifier
We can copy the start address and search for it in the disassembled kernel code to find something like this:
ffffffff816ec720: e8 4b 13 98 ff callq 0xffffffff8106da70
ffffffff816ec725: 55 push %rbp
ffffffff816ec726: 48 89 fe mov %rdi,%rsi
ffffffff816ec729: 48 c7 c7 a0 f7 d8 82 mov $0xffffffff82d8f7a0,%rdi
ffffffff816ec730: 48 89 e5 mov %rsp,%rbp
ffffffff816ec733: e8 18 bb 9d ff callq 0xffffffff810c8250
...
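Searching a multi-gigabyte .asm file by hand is slow, so here is an added example (not part of the original article) that uses System.map to compute a function's address range from the next symbol and then either slices that range out of the listing or asks objdump for just that range. The file names are the ones steps 1-4 create; the sample map and addresses other than the one shown above are constructed.

```shell
#!/bin/bash
# Added example, not part of the original article: use System.map to find a
# function's address range and disassemble only that range, instead of
# grepping a multi-gigabyte disassembled-vmlinuz.asm by hand. The file names
# are the ones steps 1-4 above create; the sample map below is constructed.

# symbol_range SYMBOL MAPFILE -> prints "0xSTART 0xEND". START is the symbol's
# address; END is the next distinct address in System.map (sorted by address,
# so aliases at the same address are skipped). Returns 1 if SYMBOL is absent.
symbol_range() {
    local range
    range=$(awk -v sym="$1" '
        $3 == sym && ($2 == "T" || $2 == "t") { start = $1; found = 1; next }
        found && $1 != start { print "0x" start " 0x" $1; exit }' "$2")
    [ -n "$range" ] || return 1
    printf '%s\n' "$range"
}

# asm_slice START END ASMFILE -> lines of an objdump -D listing whose address
# lies in [START, END). Relies on objdump's fixed-width lowercase hex addresses
# so string comparison orders them (works in mawk, no gawk strtonum needed).
asm_slice() {
    local s="${1#0x}" e="${2#0x}"
    awk -v s="$s" -v e="$e" '/^[0-9a-f]+:/ {
        a = substr($1, 1, length($1) - 1)
        if ((a "") >= (s "") && (a "") < (e "")) print }' "$3"
}

# disasm_symbol SYMBOL [MAPFILE] [VMLINUX] -> objdump only that function.
disasm_symbol() {
    local range map="${2:-System.map-$(uname -r)}" img="${3:-decomp-vmlinuz}"
    range=$(symbol_range "$1" "$map") || { echo "no symbol: $1" >&2; return 1; }
    objdump -D --start-address="${range% *}" --stop-address="${range#* }" "$img"
}

# Constructed System.map excerpt (only register_keyboard_notifier's address is
# taken from the article; the rest is made up) so the functions can be tried
# without a real kernel.
write_sample_map() {
    cat > "$1" <<'EOF'
ffffffff816ec700 t kbd_bh
ffffffff816ec720 T register_keyboard_notifier
ffffffff816ec720 T register_keyboard_notifier_alias
ffffffff816ec760 T unregister_keyboard_notifier
EOF
}
# write_sample_map /tmp/map && symbol_range register_keyboard_notifier /tmp/map
# prints "0xffffffff816ec720 0xffffffff816ec760".
```

On a real system, run disasm_symbol register_keyboard_notifier from ~/kernel-tmp (with sudo if the copied System.map is still root-only) to get just that function's listing.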