Tags: linux, linux-kernel, kernel, kernel-module, efl

Is it possible to get the kernel version from an ELF image file without disassembling it or using grep or strings?


I have a vmlinuz ELF image file. I need to get the kernel version from the image file without disassembling it. Is it possible to get the kernel version from offsets of that compressed image file? The file is ELF 64-bit MSB executable, statically linked, not stripped.


Solution

  • As previously mentioned, the version number is hardcoded into the compressed image file. First, how to decompress it depends on the compression algorithm used to compress the content. Decompressing files in Linux could be challenging due to the combination of compression algorithms and the correlated tool options (not to forget a newer version of tar for newer algorithms). For files with

    file extension tar.gz, tgz use e.g. $ tar -xzv -f vmlinuz.tgz
    file extension tar.xz, use e.g. $ tar -xJv -f vmlinuz.tar.xz
    file extension tar.bz2, use e.g. $ tar -xjv -f vmlinuz.tar.bz2
    

    So if you have access to the file utility (should also run on Windows), run the following to receive the version string and additional information of your file named e.g. vmlinuz-4.x.y-z-a.

    file vmlinuz-4.x.y-z-a
    

    Another possibility to reverse-engineer would be to read all strings of the binary file vmlinuz-4.x.y-z-a and grep for a part of the possible solution.

    strings vmlinuz-4.x.y-z-a | grep 'linked,'
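The answer's point that the version string sits inside the (possibly compressed) image can be checked programmatically. The following is an added example, not part of the original answer: it searches the raw bytes for the kernel banner, which begins with `Linux version `, and otherwise tries to decompress from each gzip, xz or bzip2 magic offset. The function names and the sample image are constructed for illustration.

```python
import bz2
import gzip
import lzma
import re
import zlib

# Magic bytes that start an embedded compressed stream, mapped to a factory for
# a streaming decompressor (these tolerate trailing bytes after the stream).
MAGICS = {
    b"\x1f\x8b\x08": lambda: zlib.decompressobj(31),              # gzip
    b"\xfd7zXZ\x00": lambda: lzma.LZMADecompressor(lzma.FORMAT_XZ),
    b"BZh": lambda: bz2.BZ2Decompressor(),
}
# The banner is printable ASCII and ends at the first non-printable byte.
BANNER = re.compile(rb"Linux version [ -~]+")


def find_banner(data):
    """Return the first banner string found in data, or None."""
    m = BANNER.search(data)
    return m.group(0).decode("ascii") if m else None


def kernel_banner(image):
    """Look for the banner in the raw image, then in embedded streams."""
    banner = find_banner(image)
    if banner:
        return banner
    for magic, make in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            try:
                banner = find_banner(make().decompress(image[pos:]))
            except (zlib.error, lzma.LZMAError, OSError, ValueError):
                banner = None  # false-positive magic, keep scanning
            if banner:
                return banner
            pos = image.find(magic, pos + 1)
    return None


# Constructed sample: a fake "image" with a gzip payload behind some padding.
_payload = b"\x00" * 64 + b"Linux version 4.x.y-z-a (constructed sample)\n\x00"
SAMPLE_IMAGE = b"\x7fELF" + b"\x00" * 100 + gzip.compress(_payload) + b"\xff" * 32

if __name__ == "__main__":
    print(kernel_banner(SAMPLE_IMAGE))
```

For a real image, read the file with `open(path, "rb").read()` and pass the bytes to `kernel_banner`; a `None` result means the banner is stored in a compression format this sketch does not try.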