vmlinux-to-elf: recover a fully analyzable .ELF from a raw kernel

by do son · Published April 5, 2022 · Updated November 4, 2024

vmlinux-to-elf

This tool allows to obtain a fully analyzable .ELF file from a vmlinux/vmlinuz/bzImage/zImage kernel image (either a raw binary blob or a preexisting but stripped .ELF file), with recovered function and variable symbols.

For this, it scans your kernel for a kernel symbol table (kallsyms), a compressed symbol table that is present in almost every kernel, mostly unaltered.

Because the concerned symbol table is originally compressed, it should recover strings that aren’t visible in the original binary.

It produces an .ELF file that you can analyze using IDA Pro and Ghidra. This tool is hence useful for embedded systems reverse engineering.

Features

Take a raw binary blob or ELF kernel file as an input [OK]
Automatically detect and unpack the main compression formats used for the Linux kernel [OK]
Find and extract the embedded kernel symbols table (kallsyms) from the input file [OK]
Infer the instruction set architecture, endianness, bit size, relying upon other things on common function prologue signatures [OK]
Infer the entry point of the kernel from the symbols contained in the kallsyms table [OK]
Provide basic inference for the kernel base address [OK] (for now, consider that it is the first “TEXT” symbol address of the binary with the lower 0xfff bits clear – seems to work well enough)
Unpack certain types of Android boot.img files, starting with an ANDROID! or UNCOMPRESSED_IMG magic [OK]
Produce an .ELF file fully analyzable with IDA Pro or Ghidra as an output [OK]

Kernels support

It supports kernels from version 2.6.10 (December 2004) until now. Only kernels explicitly configured without CONFIG_KALLSYMS should not be supported. If this kernel configuration variable was not set at build, then you will get: KallsymsNotFoundException: No embedded symbol table found in this kernel.

For raw kernels, the following architectures can be detected (using magics from binwalk): MIPSEL, MIPSEB, ARMEL, ARMEB, PowerPC, SPARC, x86, x86-64, ARM64, MIPS64, SuperH, ARC.

The following kernel compression formats can be automatically detected: XZ, LZMA, GZip, BZ2, LZ4. Support for LZO, Zstd may be added upon request.