LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-22-2007, 12:47 PM   #1
jaggy00
LQ Newbie
 
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25

Rep: Reputation: 15
howto uncompress kermel image?


I wonder how can one uncompress the kernel image (in /boot directory), for let's say investigation purposes? It looks neither gzipped nor bzipped and still it is compressed.
 
Old 05-22-2007, 02:21 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 122Reputation: 122
The file contains several executable sections that do the uncompression when you are actually booting. You should take a look at http://www2.linuxjournal.com/article/2239 to see just how the kernel boots and where the data is stored.
 
Old 05-22-2007, 02:34 PM   #3
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
Quote:
Originally Posted by jaggy00
I wonder how can one uncompress the kernel image (in /boot directory), for let's say investigation purposes? It looks neither gzipped nor bzipped and still it is compressed.
For "investigation purposes", why would you not look at the source code??

Trying to determine what is going on by reading machine code would not be MY idea of fun......YMMV..
 
Old 05-23-2007, 04:26 AM   #4
jaggy00
LQ Newbie
 
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25

Original Poster
Rep: Reputation: 15
I had an intrusion nearly a week ago and a rootkit, which I've cleaned out as I think. But, in fact I'm trying to detect whether there was a change in system calls or not. I've found this article, very good and helpfull in my opinion

http://www.securityfocus.com/infocus/1811

And it says:
Quote:
Sometimes only a compressed version of the kernel may be available (named vmlinuz-2.4.x). In this case, before starting our investigation we have to uncompress that kernel image.
But it doesn't mention how one can accomplish this.

That's it.
 
Old 05-23-2007, 05:03 AM   #5
samstar
Member
 
Registered: Apr 2007
Distribution: suse 10.2
Posts: 324

Rep: Reputation: 31
Usually they're Bzipped, so I think you'll need to 'bunzip2' the kernel file - though I'd do that to a copy of it instead.

Sam
 
Old 05-23-2007, 01:30 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 122Reputation: 122
If you think you had a rootkit, I strongly advise you to reinstall. No need to worry about what's changed in the kernel then.
 
Old 05-24-2007, 04:14 AM   #7
jaggy00
LQ Newbie
 
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Usually they're Bzipped, so I think you'll need to 'bunzip2' the kernel file - though I'd do that to a copy of it instead.
Out of luck. Hm... It starts to look like a problem

Code:
bunzip2: xvmlinuz-2.6.9-22.0.1.ELsmp is not a bzip2 file.
Quote:
If you think you had a rootkit, I strongly advise you to reinstall. No need to worry about what's changed in the kernel then.
I know, I plan to. Just amazed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ruby+libglade - howto get an image in a Glade widget? rasat Programming 4 04-12-2006 01:49 AM
howto mount image from g4l ? pewi Linux - General 0 11-25-2004 04:46 AM
howto modify the image on the screen after logging in?? rohan208 Linux - General 3 07-14-2004 12:48 AM
howto mount dvd image on slackware? carboncopy Slackware 3 10-25-2003 04:10 PM
Kermel panic: VFS: Unable to mount root fs on 00:00 teclipse Linux - General 1 10-04-2003 12:56 PM


All times are GMT -5. The time now is 06:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration