Sungju's Slow Life

Personal journal

How to disassemble a module from a vmcore

There are times that you have to deal with a module which you don’t have source code. Only thing we can do is disassemble it, but if you don’t have actual module binary, this is also tough. Luckily, vmcore has all the code loaded into the memory. So, here’s the steps to get disassembled code from vmcore.

crash> mod | grep oracleoks
ffffffffa07321e0  oracleoks             507656  (not loaded)  [CONFIG_KALLSYMS]
crash> module.module_core,core_text_size ffffffffa07321e0
  module_core = 0xffffffffa06de000
  core_text_size = 253952
crash> dis 0xffffffffa06de000 253952
....

That’s it. Now you can check what it does by checking each calls in those functions. Please bear in mind that using core_text_size will actually disassemble much more lines than the actual core size as ‘dis’ is taking ‘number of ops’ instead of bytes. It’s hard to put the exact ‘count’ as each op has different sizes.

Addition : There’s a much easier way to find function names belong to a module, so, it’ll be much easier go with that.

crash> sym -m oracleoks | grep '(t)' | awk '{ print $3 }' > oracleoks.txt
crash> dis -l  oracleoks_asm.txt
, , ,

Posted by:

sungju

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Me

A software engineer who loves any technologies that makes life easier. That’s why I love Linux and Mac at the same time.

Recent Posts

Newsletter

%d bloggers like this: