What ELF types do the kernel itself and kernel modules have?

https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
says

The type field tells us what the purpose of the file is. There are a
few common file types.

CORE (value 4)
DYN (Shared object file), for libraries (value 3)
EXEC (Executable file), for binaries (value 2)
REL (Relocatable file), before linked into an executable file (value 1)

A common misconception is that ELF files are just for binaries or
executables. We already have seen they can be used for partial pieces
(object code). Another example is shared libraries or even core dumps
(those core or a.out files). The ELF specification is also used on
Linux for the kernel itself and Linux kernel modules.

What ELF types do the kernel itself and kernel modules have?

Could you give some examples of the files of kernel itself and kernel modules, for me to try out with file? I am using Ubuntu 18.04.

Thanks.

Solution 1

You can find out yourself:

For modules, by looking under /lib/modules/$(uname -r)/kernel/.../*.ko:

$ file xfs.ko 
xfs.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=bcb5e287509cedbb0c5ece383e0b97fb99e4781e, not stripped

$ readelf -h xfs.ko 
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          1829088 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           64 (bytes)
  Number of section headers:         45
  Section header string table index: 44

For the kernel, an easy way is by compiling one and looking at vmlinux:

$ file vmlinux
vmlinux: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=eaf006a7ccfedbc40a6feddb04088bdb2ef0112f, with debug_info, not stripped

$ readelf -h vmlinux
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x1000000
  Start of program headers:          64 (bytes into file)
  Start of section headers:          171602920 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         5
  Size of section headers:           64 (bytes)
  Number of section headers:         43
  Section header string table index: 42
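
The Type line that file and readelf -h report above is the 16-bit e_type field at byte offset 16 of the ELF header. As an added example (not part of the original answer), the Python code below decodes it from two headers constructed with the values in the listings above; parse_elf_header, build_header64, MODULE_HDR and KERNEL_HDR are names made up for this illustration.

```python
import struct
import sys

# e_type values named in the quoted article, plus ET_NONE (0)
ET_NAMES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

def parse_elf_header(data):
    """Decode the readelf -h fields that tell a module from a kernel image."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # 1/2 = ELF32/ELF64, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # Addresses and offsets are 4 bytes in ELF32 and 8 bytes in ELF64.
    word = "I" if ei_class == 1 else "Q"
    fmt = ("<" if ei_data == 1 else ">") + "HHI" + word * 3 + "IHHHHHH"
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, _machine, _version, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {"type": ET_NAMES.get(e_type, hex(e_type)), "entry": e_entry,
            "phnum": e_phnum, "shnum": e_shnum}

def build_header64(e_type, entry, phoff, shoff, phentsize, phnum, shnum, shstrndx):
    """Construct a 64-byte little-endian x86-64 ELF header (sample input only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, entry, phoff,
                               shoff, 0, 64, phentsize, phnum, 64, shnum, shstrndx)

# Constructed headers carrying the values from the two readelf -h listings above.
MODULE_HDR = build_header64(1, 0x0, 0, 1829088, 0, 0, 45, 44)            # xfs.ko
KERNEL_HDR = build_header64(2, 0x1000000, 64, 171602920, 56, 5, 43, 42)  # vmlinux

if __name__ == "__main__":
    print("xfs.ko (constructed): ", parse_elf_header(MODULE_HDR))
    print("vmlinux (constructed):", parse_elf_header(KERNEL_HDR))
    for path in sys.argv[1:]:   # optionally check real files, e.g. a .ko path
        with open(path, "rb") as fh:
            print(path, parse_elf_header(fh.read(64)))
```

The module header decodes as REL with zero program headers, while the vmlinux header decodes as EXEC with five program headers and a fixed entry point, matching the two listings.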

Solution 2

With most Linux distributions, the kernel is stored in /boot as a compressed bzImage. This can be decompressed using the extract-vmlinux script (provided by the linux-headers package on Ubuntu systems). With Ubuntu 16.04, I can determine the ELF type for the 4.4.0 kernel by running the following commands:

$ sudo /usr/src/linux-headers-4.4.0-127/scripts/extract-vmlinux /boot/vmlinuz-4.4.0-127-generic > /tmp/vmlinux &&
readelf -h /tmp/vmlinux | grep Type

Type:                              EXEC (Executable file)


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
