How to extract and disassemble vmlinuz file

  • Post last modified: February 1, 2022

Recently, we wrote an article on how to unpack initrd or initramfs to view content in Linux. After that, I thought I should write an article on the extraction of vmlinuz.

You might wonder: why extract vmlinuz, and what is the use of it? Having the kernel's assembly code is helpful when you want to debug where a problem occurred and see how a specific function is executed.

And in this article, you will see how to extract the vmlinuz file and disassemble (read) the vmlinuz file in Linux.

What is vmlinuz?

A vmlinuz is a compressed Linux kernel image that is capable of booting the system and loading the kernel into memory. Eventually, it helps you to use your daily applications.

Moreover, vmlinux is a statically linked executable file that holds the kernel in one of the object file formats Linux supports, such as ELF, COFF, and a.out.

People confuse vmlinuz and vmlinux because the names are nearly identical, but they are different. vmlinux is an uncompressed and non-bootable version of vmlinuz.

To explain the name, let's break vmlinuz down. The VM acronym stands for Virtual Memory, and Linuz is a compressed version of Linux.

You can find vmlinuz in the /boot directory, where the file name includes the kernel version, for example vmlinuz-5.10.0-11-amd64.

Steps to extract vmlinuz file

The first step is to download a script that extracts vmlinuz into an object file format like ELF.

Afterward, we can use the objdump command to disassemble the extracted file.

objdump is part of GNU Binutils. First, check whether Binutils is installed. If not, install it from the package manager.

$ objdump --version
$ sudo apt install binutils            # Debian/Ubuntu
$ sudo dnf install binutils            # AlmaLinux/Fedora

Download script to extract vmlinuz

A script is already available on GitHub in the Linux kernel source tree, and you only need one command to download it.

$ wget -O extract-vmlinux https://raw.githubusercontent.com/torvalds/linux/master/scripts/extract-vmlinux

Extract vmlinuz in Linux

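Once the script is downloaded, you are ready to extract the file. Before that, create a temporary directory where you will extract vmlinuz, and move the script into it so that the later commands can find it.

$ mkdir /tmp/extract-kernel
$ mv extract-vmlinux /tmp/extract-kernel/
$ cd /tmp/extract-kernel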

After that, copy the current kernel into a newly created folder, and check the file type.

$ sudo cp /boot/vmlinuz-$(uname -r) .
$ file vmlinuz-5.10.0-9-amd64 
Output:

vmlinuz-5.10.0-9-amd64: Linux kernel x86 boot executable bzImage, version 5.10.0-9-amd64 ([email protected]) #1 SMP Debian 5.10.70-1 (2021-09-30), RO-rootFS, swap_dev 0x6, Normal VGA

The next and last step of the extraction is to run the following commands. The first extracts the compressed kernel, and the second checks the file type of the result.

$ sudo bash extract-vmlinux vmlinuz-$(uname -r) > vmlinuz
$ file vmlinuz
Output:

vmlinuz: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=23eb9b22614b52c9c3e7105ac116a67ce749404d, stripped

As the output shows, the file was decompressed successfully into an ELF object.

Disassemble vmlinuz file using objdump

You cannot read this file using cat or a text editor; if you try, it will print binary data that is not human-readable. Instead, we can use objdump, which is capable of reading object files.

You have extracted the compressed kernel from the above step into the object file. Let’s read the object file using the below command.

$ cd /tmp/extract-kernel
$ objdump -D vmlinuz | less

Don’t forget to pipe the output through less so that you can page through it.

Output:

vmlinuz:     file format elf64-x86-64


Disassembly of section .text:

ffffffff81000000 <.text>:
ffffffff81000000:       48 8d 25 51 3f 60 01    lea    0x1603f51(%rip),%rsp        # 0xffffffff82603f58
ffffffff81000007:       48 8d 3d f2 ff ff ff    lea    -0xe(%rip),%rdi        # 0xffffffff81000000
ffffffff8100000e:       56                      push   %rsi
ffffffff8100000f:       e8 4c 04 00 00          callq  0xffffffff81000460
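
The extracted image is stripped, so objdump labels everything as <.text> and the listing carries no function names. The script below is an added example, not part of the original article or of the kernel's scripts: it looks up one function's address range in System.map and disassembles only that range. It assumes you have a System.map that matches the extracted kernel (for example /boot/System.map-$(uname -r), where the distribution ships a real one); the helper names is_elf, func_range and disasm_func are hypothetical.

```shell
#!/bin/sh
# Added example: disassemble a single kernel function from the extracted image.
# Usage: sh disasm-func.sh MAP ELF SYMBOL | less
# MAP lines look like: "ffffffff81000000 T startup_64" (address, type, name).

# is_elf FILE: succeed only if FILE starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# func_range MAP SYMBOL: print "START STOP" (hex, no 0x prefix) for SYMBOL.
# System.map is sorted by address, so STOP is the first later symbol at a
# different address (aliases share an address and are skipped).
# Appending "" forces string comparison; some hex addresses look like
# decimal or exponent notation to awk and would otherwise compare as numbers.
func_range() {
    awk -v sym="$2" '
        found && ($1 "") != start { print start, $1; ok = 1; exit }
        !found && $3 == sym       { start = $1 ""; found = 1 }
        END { if (!ok) exit 1 }
    ' "$1"
}

# disasm_func MAP ELF SYMBOL: run objdump over just that function's range.
disasm_func() {
    is_elf "$2" || { echo "not an ELF file: $2" >&2; return 1; }
    range=$(func_range "$1" "$3") || {
        echo "no address range for symbol: $3" >&2; return 1; }
    objdump -d --start-address="0x${range% *}" \
               --stop-address="0x${range#* }" "$2"
}

# Only act when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    disasm_func "$1" "$2" "$3"
fi
```

A symbol that is the last entry in the map has no upper bound and is reported as an error rather than disassembled to the end of the file.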

Wrap up

That’s all it takes to extract and disassemble the vmlinuz file in Linux.

If you face any difficulty while following our article, please let us know in the comment section.
