  • 浅析pc机上如何将vmlinuz-2.6.31-14-generic解压出vmlinux

    浅析pc机上如何将vmlinuz-2.6.31-14-generic解压出vmlinux
    luther@gliethttp:~$ vim /boot/grub/grub.cfg
    可以看到我们进入的系统的内核为
    linux    /boot/vmlinuz-2.6.31-14-generic
    在 vmlinuz 文件中查找字节序列 1F 8B 08 (gzip 的标志头), 其所在偏移就是被压缩内核数据的起点; 切出来的数据是否确实是 gzip 数据, 下面用 file 命令再做一次确认
    我找到的内容为
    0000 366C: 1F 8B 08 00 8C 80 D8 4A  02 03 EC 3A 7F 74 53 55
    0x0000366c等于13932
    luther@gliethttp:~$ dd bs=1 skip=13932 if=/boot/vmlinuz-2.6.31-14-generic of=vmlinux.gz
    luther@gliethttp:~$ file vmlinux.gz
    vmlinux.gz: gzip compressed data, from Unix, last modified: Fri Oct 16 22:17:48 2009, max compression
    luther@gliethttp:~$ gunzip vmlinux.gz
    luther@gliethttp:~$ ll vmlinux
    -rw-r--r-- 1 luther luther 7.9M 2010-05-16 12:06 vmlinux
    luther@gliethttp:~$ vim linux-2.6.33.4/arch/x86/kernel/vmlinux_32.lds.S
    // vim arch/x86/configs/i386_defconfig 我们获取的参数[luther.gliethttp]
    // CONFIG_PAGE_OFFSET=0xC0000000
    // CONFIG_PHYSICAL_START=0x100000
    // #define __PAGE_OFFSET        _AC(CONFIG_PAGE_OFFSET, UL)
    #define LOAD_OFFSET __PAGE_OFFSET 其值为0xC0000000
    /* Physical address where kernel should be loaded. */
    #define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START
                    + (CONFIG_PHYSICAL_ALIGN - 1))
                    & ~(CONFIG_PHYSICAL_ALIGN - 1))
    SECTIONS
    {
      . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR; // 0xC0000000 + 0x100000 = 0xc0100000是最终的地址
      phys_startup_32 = startup_32 - LOAD_OFFSET;
    luther@gliethttp:~$ objdump -DS vmlinux |more
    vmlinux:     file format elf32-i386
    Disassembly of section .text.head:
    c0100000 <.text.head>:
    c0100000:    f6 86 11 02 00 00 40     testb  $0x40,0x211(%esi)
    c0100007:    75 14                    jne    0xc010001d
    c0100009:    0f 01 15 22 8e 74 00     lgdtl  0x748e22
    c0100010:    b8 18 00 00 00           mov    $0x18,%eax
    c0100015:    8e d8                    mov    %eax,%ds
    c0100017:    8e c0                    mov    %eax,%es
    c0100019:    8e e0                    mov    %eax,%fs
    c010001b:    8e e8                    mov    %eax,%gs
    c010001d:    fc                       cld   
    c010001e:    31 c0                    xor    %eax,%eax
    c0100020:    bf 00 a0 81 00           mov    $0x81a000,%edi
    luther@gliethttp:~$ vbindiff vmlinux
    0000 1000: F6 86 11 02 00 00 40 75  14 0F 01 15 22 8E 74 00  ......@u ....".t.  
    0000 1010: B8 18 00 00 00 8E D8 8E  C0 8E E0 8E E8 FC 31 C0  ........ ......1.  
    0000 1020: BF 00 A0 81 00 B9 A0 80  8A 00 29 F9 C1 E9 02 F3  ........ ..).....  
    0000 1030: AB BF C0 56 7C 00 B9 00  04 00 00 FC F3 A5 8B 35  ...V|... .......5  
    0000 1040: E8 58 7C 00 21 F6 74 0C  BF E0 2A 7C 00 B9 00 02  .X|.!.t. ..*|....  
    0000 1050: 00 00 F3 A5 66 81 3D C6  58 7C 00 07 02 72 1C A1  ....f.=. X|...r..
    0000 1060: FC 58 7C 00 3D 03 00 00  00 73 0E 8B 04 85 80 22  .X|.=... .s....."  
    0000 1070: 7C 00 2D 00 00 00 C0 FF  E0 0F 0B BF 00 90 8A 00  |.-..... ........  
    0000 1080: BA 00 A0 81 00 B8 03 00  00 00 8D 4F 67 89 0A 89  ........ ...Og...  
    0000 1090: 8A 00 0C 00 00 83 C2 04  B9 00 04 00 00 AB 05 00  ........ ........  
    0000 10A0: 10 00 00 E2 F8 BD 03 90  A4 00 39 E8 72 DC 81 C7  ........ ..9.r...  
    0000 10B0: 00 00 00 C0 89 3D 80 A5  74 00 C1 E8 0C A3 84 F0  .....=.. t.......  
    0000 10C0: 81 00 B8 67 B0 81 00 A3  FC AF 81 00 E9 6D 6B 46  ...g.... .....mkF  
    vmlinux 文件的前 0x1000 字节是 ELF 文件头等元数据, 真正的内核代码 (.text.head, 对应链接地址 0xc0100000) 从文件偏移 0x1000 开始, 这里的字节与上面 objdump 反汇编出的机器码逐一对应
    luther@gliethttp:~$ vim linux-2.6.33.4/arch/x86/boot/compressed/vmlinux_32.lds
    OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
    OUTPUT_ARCH(i386)
    ENTRY(startup_32)
    SECTIONS
    {
        /* Be careful parts of head_32.S assume startup_32 is at
         * address 0.
         */
        . = 0;
        .text.head : {
            _head = . ;
            *(.text.head) // 文件头信息
            _ehead = . ;
        }
        .rodata.compressed : {
            *(.rodata.compressed)
        }
        .text :    {
            _text = .;     /* Text */ // 从0x1000开始的kernel有效执行code机器码
            *(.text)
            *(.text.*)
            _etext = . ;
        }
        ......
    }
    下面实际验证一下: 直接读取已经解压并加载到物理内存中的内核代码, 与上面从 vmlinux 文件偏移 0x1000 处看到的字节逐一比对 (通过 /dev/mem 读取内核内存需要 root 权限, 在启用 CONFIG_STRICT_DEVMEM 的内核上该读取会被拒绝)
    luther@gliethttp:~$ cat /proc/iomem |grep code
      00100000-00575553 : Kernel code
    0x00100000等于1048576
    0x00575553等于5723475
    luther@gliethttp:~$ sudo dd bs=1 skip=1048576 count=208 if=/dev/mem 2>/dev/null | xxd -g 1
    0000000: f6 86 11 02 00 00 40 75 14 0f 01 15 22 8e 74 00  ......@u....".t.
    0000010: b8 18 00 00 00 8e d8 8e c0 8e e0 8e e8 fc 31 c0  ..............1.
    0000020: bf 00 a0 81 00 b9 a0 80 8a 00 29 f9 c1 e9 02 f3  ..........).....
    0000030: ab bf c0 56 7c 00 b9 00 04 00 00 fc f3 a5 8b 35  ...V|..........5
    0000040: e8 58 7c 00 21 f6 74 0c bf e0 2a 7c 00 b9 00 02  .X|.!.t...*|....
    0000050: 00 00 f3 a5 66 81 3d c6 58 7c 00 07 02 72 1c a1  ....f.=.X|...r..
    0000060: fc 58 7c 00 3d 03 00 00 00 73 0e 8b 04 85 80 22  .X|.=....s....."
    0000070: 7c 00 2d 00 00 00 c0 ff e0 0f 0b bf 00 90 8a 00  |.-.............
    0000080: ba 00 a0 81 00 b8 03 00 00 00 8d 4f 67 89 0a 89  ...........Og...
    0000090: 8a 00 0c 00 00 83 c2 04 b9 00 04 00 00 ab 05 00  ................
    00000a0: 10 00 00 e2 f8 bd 03 90 a4 00 39 e8 72 dc 81 c7  ..........9.r...
    00000b0: 00 00 00 c0 89 3d 80 a5 74 00 c1 e8 0c a3 84 f0  .....=..t.......
    00000c0: 81 00 b8 67 b0 81 00 a3 fc af 81 00 e9 6d 6b 46  ...g.........mkF
