LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   How to uncompress kernel image? (https://www.linuxquestions.org/questions/linux-newbie-8/howto-uncompress-kermel-image-555828/)

jaggy00 05-22-2007 11:47 AM

How to uncompress kernel image?

I wonder how one can uncompress the kernel image (in the /boot directory), for, let's say, investigation purposes? It looks neither gzipped nor bzipped, and still it is compressed.

Matir 05-22-2007 01:21 PM

The file contains several executable sections that do the uncompression when you are actually booting. You should take a look at http://www2.linuxjournal.com/article/2239 to see just how the kernel boots and where the data is stored.

pixellany 05-22-2007 01:34 PM

Quote:

Originally Posted by jaggy00
I wonder how one can uncompress the kernel image (in the /boot directory), for, let's say, investigation purposes? It looks neither gzipped nor bzipped, and still it is compressed.

For "investigation purposes", why would you not look at the source code?

Trying to determine what is going on by reading machine code would not be MY idea of fun... YMMV. ;)

jaggy00 05-23-2007 03:26 AM

I had an intrusion nearly a week ago and a rootkit, which I've cleaned out, I think. But in fact I'm trying to detect whether there was a change in the system calls or not. I've found this article, very good and helpful in my opinion :D

http://www.securityfocus.com/infocus/1811

And it says:
Quote:

Sometimes only a compressed version of the kernel may be available (named vmlinuz-2.4.x). In this case, before starting our investigation we have to uncompress that kernel image.
But it doesn't mention how one can accomplish this.

That's it.

samstar 05-23-2007 04:03 AM

Usually they're bzipped, so I think you'll need to 'bunzip2' the kernel file - though I'd do that to a copy of it instead.

Sam

Matir 05-23-2007 12:30 PM

If you think you had a rootkit, I strongly advise you to reinstall. No need to worry about what's changed in the kernel then.

jaggy00 05-24-2007 03:14 AM

Quote:

Usually they're bzipped, so I think you'll need to 'bunzip2' the kernel file - though I'd do that to a copy of it instead.
Out of luck. Hm... It starts to look like a problem :(

Code:

bunzip2: xvmlinuz-2.6.9-22.0.1.ELsmp is not a bzip2 file.
Quote:

If you think you had a rootkit, I strongly advise you to reinstall. No need to worry about what's changed in the kernel then.
I know, I plan to. Just amazed.
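The bunzip2 failure above is expected: vmlinuz is a boot stub with a compressed stream embedded at some offset, not a bare compressed file, so a whole-file gunzip or bunzip2 will not work. The following is an added example, not code from any poster in this thread: it finds the stream by its compression magic bytes and decompresses from that offset, the same approach the kernel tree's later scripts/extract-vmlinux takes. The boot-stub bytes and payload are constructed stand-ins; on a real /boot/vmlinuz copy you would pass the file's bytes to extract_payload.

```python
import bz2, gzip, lzma, zlib

# Magic bytes that open the compressed payloads a bzImage may embed
# (the same markers the kernel's extract-vmlinux script greps for).
MAGICS = {
    "gzip": b"\x1f\x8b\x08",
    "xz": b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
    "lzma": b"\x5d\x00\x00",
}

def find_candidates(image):
    """Every (offset, format) where a compression magic occurs, lowest offset first."""
    hits = []
    for fmt, magic in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, fmt))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def _inflate(fmt, blob):
    """Decompress one stream at blob[0], ignoring trailing bytes; None on failure."""
    try:
        if fmt == "gzip":
            dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        elif fmt == "bzip2":
            dec = bz2.BZ2Decompressor()
        else:
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_AUTO)
        out = dec.decompress(blob)
        return out if dec.eof else None  # a truncated stream is not the kernel
    except (zlib.error, OSError, EOFError, lzma.LZMAError):
        return None

def extract_payload(image):
    """(offset, format, vmlinux bytes) for the first magic hit that decompresses cleanly."""
    for off, fmt in find_candidates(image):
        out = _inflate(fmt, image[off:])  # a chance magic hit in the stub fails and is skipped
        if out:
            return off, fmt, out
    return None

# Constructed stand-in for /boot/vmlinuz: stub bytes, a gzip stream, then the
# 4-byte uncompressed-size trailer a bzImage stores after the stream.
PAYLOAD = b"\x7fELF" + b"uncompressed vmlinux text; sys_call_table lives in here\n" * 16
STUB = b"\xeb\x3c\x90" + bytes(range(256)) * 2
SAMPLE_BZIMAGE = STUB + gzip.compress(PAYLOAD) + len(PAYLOAD).to_bytes(4, "little")
```

The extracted bytes are the uncompressed vmlinux ELF, which can then be loaded into a disassembler or compared against the symbol table as the securityfocus article describes.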
