I have a vmlinuz ELF image file. I need to get the kernel version from the image file without disassembling it. Is it possible to get the kernel version from offsets of that compressed image file? The file is ELF 64-bit MSB executable, statically linked, not stripped.
Viewed 682 times
0
- Yes, it is. You need to know the offset at which the kernel version is stored. You can find those out for the various kernel boot image formats by studying the "magic" definition of the standard "file" utility: https://github.com/file/file/blob/master/magic/Magdir/linux – Nikos C. Mar 07 '20 at 13:04
- Can you help me? How can I do this? I just need steps to be followed for searching the correct offset and using it to get the version! – Manish Purohit Mar 07 '20 at 16:37
1 Answer
0
As previously mentioned, the version number is hardcoded into the compressed image file. First, how to decompress it depends on the compression algorithm used to compress the content. Decompressing files in Linux can be challenging due to the combination of compression algorithms and the correlated tool options (not to forget a newer version of tar for newer algorithms). For files with
- file extension tar.gz, tgz use e.g. $ tar -xzv -f vmlinuz.tgz
- file extension tar.xz, use e.g. $ tar -xJv -f vmlinuz.tar.xz
- file extension tar.bz2, use e.g. $ tar -xjv -f vmlinuz.tar.bz2
So if you have access to the file utility (should also run on Windows), run the following to receive the version string and additional information of your file named e.g. vmlinuz-4.x.y-z-a.
file vmlinuz-4.x.y-z-a
Another possibility to reverse-engineer would be to read all strings of the binary file vmlinuz-4.x.y-z-a and grep for a part of the possible solution.
strings vmlinuz-4.x.y-z-a | grep 'linked,'

AndreasK
- Generally the file utility prints the version of the kernel, but in my case it just prints the type of the file but not the version. It prints this "ELF 64-bit MSB executable, statically linked, not stripped." but not the version. I somehow used hexdump and found the offset where the version of the kernel is located. Thank you so much for the answer :) – Manish Purohit Apr 01 '20 at 12:48
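
One way to automate the offset search discussed in this thread, as an added example that is not part of the original posts: it scans the image for the kernel's "Linux version <release> (" banner and reports its offset, and if the raw file does not contain it, retries inside any gzip, xz or bzip2 payload embedded in the file. The function names and result keys are choices made for this example.

```python
import bz2
import lzma
import re
import sys
import zlib

# The kernel's linux_banner string begins "Linux version <release> (user@host) ..."
BANNER = re.compile(rb"Linux version (\d+\.\d+[^\s(]*) \(")

# Magic bytes of compressed payloads commonly embedded in boot images.
# Each decompressor stops at the end of its stream and ignores trailing bytes.
MAGICS = {
    b"\x1f\x8b\x08": lambda d: zlib.decompressobj(31).decompress(d),   # gzip
    b"\xfd7zXZ\x00": lambda d: lzma.LZMADecompressor().decompress(d),  # xz
    b"BZh": lambda d: bz2.BZ2Decompressor().decompress(d),             # bzip2
}

def find_banner(data):
    """Return (offset, release) of the first banner in data, or None."""
    m = BANNER.search(data)
    return (m.start(), m.group(1).decode("ascii", "replace")) if m else None

def kernel_version(image):
    """Search the raw image first, then every embedded compressed payload."""
    hit = find_banner(image)
    if hit:
        return {"where": "raw", "offset": hit[0], "release": hit[1]}
    for magic, unpack in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            try:
                hit = find_banner(unpack(image[pos:]))
            except (zlib.error, lzma.LZMAError, OSError, ValueError):
                hit = None  # magic bytes matched by chance; keep scanning
            if hit:
                # offset is relative to the start of the decompressed payload
                return {"where": "payload@%#x" % pos,
                        "offset": hit[0], "release": hit[1]}
            pos = image.find(magic, pos + 1)
    return None

if __name__ == "__main__":
    # Usage: python kver.py <image-file>
    with open(sys.argv[1], "rb") as fh:
        print(kernel_version(fh.read()))
```

For an uncompressed ELF like the one in the question, the result reports "raw" and the file offset of the banner; for a compressed boot image it reports the file offset of the payload and the banner's offset inside the decompressed data.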