1

I just loaded up an ARM kernel image into IDA. When I boot up the ARM kernel and inspect the kernel symbols, I can see the following:

/ $ cat /proc/kallsyms | head -n 10
00000000 t __vectors_start
80008240 T asm_do_IRQ
80008240 T _stext
80008240 T __exception_text_start
80008244 T do_undefinstr
80008408 T do_IPI
8000840c T do_DataAbort
800084a8 T do_PrefetchAbort
80008544 t gic_handle_irq
800085a0 T secondary_startup

When I load the kernel image into IDA, I am presented with functions with a memory segment that is loaded at 0x8000. As the kernel symbols are not present in the ARM kernel, this is making analysis hard.

How can I map the addresses I see in the ARM image (I'm running it in Qemu, and could debug the kernel using gdb-multiarch) with the addresses I see in IDA? I'm guessing rebasing the .text section in IDA would be the way to go. If so, how could I go about finding the address to which I would have to rebase the segment?

1
  • Would you post a list of segments you see in IDA ?
    – w s
    Commented Nov 7, 2015 at 9:31

1 Answer

4

I figured out a solution. Here is what I did.

  1. Export the content of /proc/kallsyms to a text file.
  2. From the zImage kernel file look for the gz file format header, copy it out and extract. Load the file into IDA.
  3. As the file is a binary file, you need to tell IDA how to work with it. You set the architecture to ARM (as was in my case), set the RAM segment to load at 0x80008000.
  4. Write an IDAPython script to read the text file from [1] and do a MakeName(address, name).
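Step 4 as an added example (not the answer author's script): it assumes the dump was saved as kallsyms.txt, the segment was created at 0x80008000 as in step 3, and IDA 7's idc.set_name (the function the older API called MakeName). Outside IDA it only parses and filters, so it can be checked on a plain Python interpreter.

```python
import re

# Constructed sample: a few lines of the /proc/kallsyms dump shown in the question.
SAMPLE_KALLSYMS = """\
00000000 t __vectors_start
80008240 T asm_do_IRQ
80008240 T _stext
80008240 T __exception_text_start
80008244 T do_undefinstr
800084a8 T do_PrefetchAbort
80008544 t gic_handle_irq
800085a0 T secondary_startup
"""

# kallsyms line: hex address, one-letter nm-style type, symbol name (a module name may follow)
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)")

def parse_kallsyms(text):
    """Return [(address, type, name)] for every well-formed line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out

def select_names(syms, base=0x80008000):
    """Keep code symbols (t/T) inside the segment loaded at `base`. kallsyms lists
    aliases at one address (asm_do_IRQ, _stext, ...); the first name listed wins."""
    chosen = {}
    for addr, typ, name in syms:
        if typ in "tT" and addr >= base:
            chosen.setdefault(addr, name)
    return chosen

def apply_names(chosen):
    """Name each address in IDA; returns how many names were set (0 outside IDA)."""
    try:
        import idc  # only available inside IDA's Python
    except ImportError:
        return 0
    applied = 0
    for addr, name in sorted(chosen.items()):
        # set_name is the IDA 7 spelling of MakeName; SN_NOWARN suppresses dialogs
        if idc.set_name(addr, name, idc.SN_NOWARN | idc.SN_CHECK):
            applied += 1
    return applied

def name_from_file(path="kallsyms.txt"):
    """Run the whole step from the exported dump file (assumed path)."""
    with open(path) as f:
        return apply_names(select_names(parse_kallsyms(f.read())))
```

Inside IDA, run name_from_file() from the script window after creating the segment; the address filter drops entries such as __vectors_start at 0 that lie outside the loaded image.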