Extracting Linux kernel executable (elf file) from a compressed vmlinuz image

If you are a Linux user, you have surely noticed a file called vmlinux or vmlinuz in the root filesystem. vmlinux/vmlinuz is the Linux kernel executable, found in the /boot directory of your OS. vmlinux is the uncompressed executable and vmlinuz is the compressed version.

vmlinuz stands for "virtual memory Linux gzip image".

vmlinuz is more common than the uncompressed vmlinux. On my PC the "/boot" directory contains the vmlinuz of my Linux 5.0 kernel, and it is around 8.6 MB in size.

For all the following experiments we need this file copied to some other location (editing these files inside the /boot directory will leave you with a corrupted OS). I prefer to keep it under your /home directory; in my case it is "/home/aswin/test". I created a separate directory called "test" for all of this.

# make sure that you are root while doing this

cp /boot/vmlinuz-5.0.0-050000-generic ~/test

cd ~/test

Now let's look at the vmlinuz file in more detail. As I said, vmlinuz is the compressed version of the kernel executable, but it is not simply the compressed Linux kernel executable. It consists of:

  1. setup
  2. head
  3. misc
  4. vmlinux (piggy.o)(Kernel executable)

In a nutshell: compiling the Linux kernel source code generates the vmlinux ELF file. This file is compressed and linked into an object file called piggy.o. piggy.o, together with head.o and misc.o, is linked to create a vmlinux file. The final step is to add the boot sector code and the setup code to it. Systems with modern bootloaders like GRUB (GRand Unified Bootloader) take care of the boot sector part. So the vmlinuz image contains setup code, head, misc and the compressed Linux executable. The head and misc parts of the code are used to decompress the Linux kernel while booting.

If I want to extract the actual Linux executable from vmlinuz, I need to skip the setup, head and misc code. How do I know where the kernel starts?

I know the kernel executable is compressed using gzip, so the best way to find it is to find the gzip file inside. Every file format has a file signature; the signature of a gzip file is "0x1F 0x8B 0x08".

I am using the od (octal dump) command line tool to get the hex values of the raw vmlinuz file, and grep to find the pattern "1f 8b 08".

sudo od -Ad -tx1 vmlinuz-5.0.0-050000-generic | grep '1f 8b 08'


As you can see, I got the starting offset of the gzip file, which is 0018353 (a decimal offset, since -Ad makes od print decimal addresses, so it can be passed to dd as-is). Note that od prints the address of the first byte of each 16-byte line, so if the pattern starts in the middle of a line you must add its column position, and a pattern split across two lines will not be matched by grep at all. Now I need to carve out the data and extract it. For generating the gzip file I am using the dd command; dd writes the contents into a file called vmlinuz.

The vmlinuz file is the gzip file. I am using the zcat command line tool to extract its contents. The output is vmlinux, the raw Linux executable in ELF format. Try the file command to see the difference between these two files: vmlinux shows up as a 64-bit ELF Linux executable and vmlinuz as a gzip compressed file.

sudo dd if=vmlinuz-5.0.0-050000-generic bs=1 skip=0018353 of=vmlinuz

# uncompress the vmlinuz file to vmlinux
zcat vmlinuz > vmlinux

# try the file command on both vmlinux and vmlinuz to see the difference
file vmlinuz

file vmlinux

# print the header of the elf file
objdump -f vmlinux
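
As an added example (not part of the original article), here is a Python version of the same carving procedure that scans every offset where 1f 8b 08 occurs, inflates from each with zlib and keeps the first candidate whose output starts with the ELF magic, so a mid-line or line-straddling match that od | grep misses, and a chance signature match in the head/misc code, are both handled. zlib.decompressobj is used because the kernel build appends the uncompressed size and further sections after the gzip member, which zcat tolerates but gzip.decompress rejects. The make_fake_vmlinuz helper and its payload are constructed test data, not a real kernel image.

```python
import gzip
import sys
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2 and CM=deflate: the bytes the article greps for
ELF_MAGIC = b"\x7fELF"


def gzip_candidates(image):
    """Every offset where the gzip signature occurs, wherever it falls in an od line."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        yield pos
        pos = image.find(GZIP_MAGIC, pos + 1)


def extract_vmlinux(image):
    """Return (offset, vmlinux_bytes) for the first candidate that inflates to an ELF file,
    or None. Trailing bytes after the gzip member (size word, next sections) are ignored."""
    for off in gzip_candidates(image):
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 selects gzip framing
        try:
            out = inflater.decompress(image[off:])
        except zlib.error:
            continue  # false-positive signature match in head/misc code, keep scanning
        if inflater.eof and out.startswith(ELF_MAGIC):
            return off, out
    return None


def make_fake_vmlinuz():
    """Constructed sample (not a real kernel): a decoy signature, then a gzip member holding
    a fake ELF payload, then the 4-byte size tail the build appends and a few extra bytes."""
    payload = ELF_MAGIC + b"\x02\x01\x01" + bytes(9) + b"fake kernel text " * 64
    decoy = GZIP_MAGIC + b"\xff" * 29          # reserved FLG bits set, inflate rejects it
    member = gzip.compress(payload, mtime=0)
    size_tail = len(payload).to_bytes(4, "little")
    return decoy + bytes(5) + member + size_tail + b"\x90" * 16, payload


if __name__ == "__main__":
    # usage: python3 extract_vmlinux.py vmlinuz-5.0.0-050000-generic vmlinux
    with open(sys.argv[1], "rb") as f:
        found = extract_vmlinux(f.read())
    if found is None:
        sys.exit("no gzip member containing an ELF image found")
    offset, vmlinux = found
    with open(sys.argv[2], "wb") as f:
        f.write(vmlinux)
    print(f"gzip member at decimal offset {offset}, wrote {len(vmlinux)} bytes")
```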

Try extracting the header of the ELF file with the readelf command.

If you have any doubt feel free to leave a comment below.