Task 343: .KO File Format
Task 343: .KO File Format
.KO File Format Specifications
The .KO file format is used for Linux kernel modules, which are loadable extensions to the Linux kernel. It is based on the ELF (Executable and Linkable Format) format, specifically as a relocatable object file (ET_REL type). The format includes a standard ELF header, program headers (often none for relocatable files), and sections containing code, data, and kernel-specific metadata. Kernel modules are compiled from C source code using the kernel's build system, resulting in a .ko file that can be dynamically loaded into the kernel using tools like insmod or modprobe.
The structure includes:
- ELF Header: Defines the file as ELF, with fields like magic number (0x7F 'E' 'L' 'F'), class (32-bit or 64-bit), data encoding (little-endian or big-endian), version, OS/ABI (UNIX - System V), machine type (e.g., EM_X86_64), entry point (0 for relocatable), and offsets to section and program headers.
- Sections: Variable number of sections with code, data, and metadata. Common sections include .text (executable code), .data (initialized data), .rodata (read-only data), .bss (uninitialized data), .init.text (initialization code), .exit.text (cleanup code), .modinfo (module metadata), __versions (symbol versions), .symtab (symbol table), .strtab (string table), .gnu.linkonce.this_module (module struct), and optional debug sections.
- Metadata: Primarily in the .modinfo section, stored as NUL-terminated strings in "key=value" format. This includes module-specific information used by the kernel for loading, verification, and management.
- List of all the properties of this file format intrinsic to its file system.
The intrinsic properties are derived from the ELF structure and kernel module specifics, focusing on metadata in the .modinfo section (extractable via tools like modinfo) and key ELF attributes. These are stored directly in the file and are essential for kernel integration, version checking, and loading:
- name: The module's internal name (e.g., "hello").
- vermagic: Kernel version and configuration string for compatibility (e.g., "6.1.0 SMP preempt mod_unload").
- srcversion: Hash of source files for version tracking.
- license: Module license (e.g., "GPL").
- description: Brief module description.
- author: Author name(s).
- depends: Comma-separated list of dependent modules.
- alias: Device aliases (multiple, e.g., for PCI or USB IDs).
- parm: Parameter descriptions (multiple, e.g., "myint:An integer parameter").
- parmtype: Parameter types (multiple, e.g., "myint:int").
- intree: Flag indicating if built from kernel tree (e.g., "Y").
- retpoline: Flag for retpoline mitigation (e.g., "Y").
- sig_id: Signature ID for signed modules.
- signer: Signer name for signed modules.
- sig_key: Signature key.
- sig_hashalgo: Hash algorithm for signature (e.g., "sha256").
- signature: Binary module signature.
- filename: The file path (derived, not always stored).
ELF-level properties intrinsic to the format:
- Magic number: 0x7F ELF.
- Class: 1 (32-bit) or 2 (64-bit).
- Data encoding: 1 (little-endian) or 2 (big-endian).
- Version: 1 (current).
- OS/ABI: 0 (UNIX - System V).
- Machine: Architecture code (e.g., 62 for x86_64).
- Type: 1 (ET_REL for relocatable).
- Sections: As listed above, with types (e.g., PROGBITS, NOBITS), flags (e.g., AX for allocatable/executable), and offsets/sizes.
These properties ensure compatibility, security, and functionality within the Linux file system and kernel.
- Two direct download links for files of format .KO.
- https://gemfury.com/dcip/deb:linux-modules-extra-4.4.0-161-generic/-/content/lib/modules/4.4.0-161-generic/kernel/drivers/platform/x86/acerhdf.ko (acerhdf.ko, a fan control module for Acer laptops).
- http://prdownloads.sourceforge.net/linux-ntfs/kernel-module-ntfs-2.6.9-1.681_FC3-2.1.20-0.rr.3.3.i686.ko (ntfs.ko, an old NTFS module for Fedora Core 3).
- Write a ghost blog embedded html javascript that allows a user to drag n drop a file of format .KO and it will dump to screen all these properties.
Here's an HTML page with embedded JavaScript for a simple drag-and-drop interface. It reads the .ko file as binary, parses the ELF format to find the .modinfo section, extracts the key=value pairs, and displays them along with key ELF header properties. It assumes a little-endian 64-bit ELF (common for modern .ko). Save this as an HTML file and open in a browser.
Drag and Drop .KO File Parser
Drag and drop a .ko file here
- Write a python class that can open any file of format .KO and decode read and write and print to console all the properties from the above list.
Here's a Python class using the elftools library (assuming it's available; if not, install via pip, but since this is code, include import). It reads the .ko file, parses ELF, extracts .modinfo properties and ELF header info, prints them, and can write a modified version (e.g., updating a property).
from elftools.elf.elffile import ELFFile
from elftools.elf.sections import Section
import io
import sys
class KOParser:
def __init__(self, filename):
self.filename = filename
self.properties = {}
self.elf_header = {}
self.modinfo_data = b''
def read(self):
with open(self.filename, 'rb') as f:
elffile = ELFFile(f)
# Extract ELF header properties
hdr = elffile.header
self.elf_header = {
'Magic': hdr['e_ident']['EI_MAG'],
'Class': hdr['e_ident']['EI_CLASS'],
'Data Encoding': hdr['e_ident']['EI_DATA'],
'Version': hdr['e_ident']['EI_VERSION'],
'OS/ABI': hdr['e_ident']['EI_OSABI'],
'Machine': hdr['e_machine'],
'Type': hdr['e_type'],
}
# Find .modinfo section
modinfo_sec = elffile.get_section_by_name('.modinfo')
if modinfo_sec:
self.modinfo_data = modinfo_sec.data()
modinfo_str = self.modinfo_data.decode('utf-8', errors='ignore').split('\x00')
for pair in modinfo_str:
if '=' in pair:
key, value = pair.split('=', 1)
if key in self.properties:
if not isinstance(self.properties[key], list):
self.properties[key] = [self.properties[key]]
self.properties[key].append(value)
else:
self.properties[key] = value
def print_properties(self):
print('ELF Properties:')
for key, value in self.elf_header.items():
print(f'- {key}: {value}')
print('\nModule Properties:')
for key, value in self.properties.items():
if isinstance(value, list):
for v in value:
print(f'- {key}: {v}')
else:
print(f'- {key}: {value}')
def write(self, output_filename, updates=None):
# Simple write: read original, update modinfo if updates provided
with open(self.filename, 'rb') as f:
data = bytearray(f.read())
if updates and self.modinfo_data:
new_modinfo = self.modinfo_data
for key, value in updates.items():
new_pair = f'{key}={value}\x00'.encode('utf-8')
# Naive replace: find old pair and replace (assumes single instance)
old_pair = f'{key}={self.properties.get(key, "")}\x00'.encode('utf-8')
new_modinfo = new_modinfo.replace(old_pair, new_pair)
# Find modinfo offset and replace in data
elffile = ELFFile(io.BytesIO(data))
modinfo_sec = elffile.get_section_by_name('.modinfo')
if modinfo_sec:
offset = modinfo_sec['sh_offset']
data[offset:offset + len(new_modinfo)] = new_modinfo
with open(output_filename, 'wb') as f:
f.write(data)
# Example usage
if __name__ == '__main__':
if len(sys.argv) < 2:
print('Usage: python ko_parser.py <ko_file>')
sys.exit(1)
parser = KOParser(sys.argv[1])
parser.read()
parser.print_properties()
# Example write with update
# parser.write('modified.ko', {'description': 'Updated description'})
- Write a java class that can open any file of format .KO and decode read and write and print to console all the properties from the above list.
Here's a Java class using a simple binary parser (no external libs for ELF; implements basic parsing for 64-bit little-endian). It reads, extracts, prints, and can write with updates.
import java.io.*;
import java.nio.*;
import java.nio.channels.FileChannel;
import java.nio.file.*;
public class KOParser {
private String filename;
private java.util.Map<String, Object> properties = new java.util.HashMap<>();
private java.util.Map<String, Object> elfHeader = new java.util.HashMap<>();
private byte[] modinfoData;
public KOParser(String filename) {
this.filename = filename;
}
public void read() throws IOException {
byte[] data = Files.readAllBytes(Paths.get(filename));
ByteBuffer buffer = ByteBuffer.wrap(data).order(ByteOrder.LITTLE_ENDIAN);
// ELF Header
int magic = buffer.getInt(0);
if (magic != 0x464c457f) throw new IOException("Not ELF");
byte classType = buffer.get(4);
byte dataEncoding = buffer.get(5);
byte version = buffer.get(6);
byte osAbi = buffer.get(7);
short machine = buffer.getShort(18);
short type = buffer.getShort(16);
long shoff = buffer.getLong(40);
short shentsize = buffer.getShort(58);
short shnum = buffer.getShort(60);
short shstrndx = buffer.getShort(62);
elfHeader.put("Magic", 0x7F + " ELF");
elfHeader.put("Class", classType == 2 ? "64-bit" : "32-bit");
elfHeader.put("Data Encoding", dataEncoding == 1 ? "Little-endian" : "Big-endian");
elfHeader.put("Version", version);
elfHeader.put("OS/ABI", osAbi);
elfHeader.put("Machine", machine);
elfHeader.put("Type", type);
// Section string table
long strtabOff = buffer.getLong((int)(shoff + shstrndx * shentsize + 24));
long strtabSize = buffer.getLong((int)(shoff + shstrndx * shentsize + 32));
// Find .modinfo
long modinfoOff = 0, modinfoSize = 0;
for (int i = 0; i < shnum; i++) {
long secOff = shoff + i * shentsize;
int nameOff = buffer.getInt((int)secOff);
String name = getString(buffer, (int)(strtabOff + nameOff));
if (name.equals(".modinfo")) {
modinfoOff = buffer.getLong((int)(secOff + 24));
modinfoSize = buffer.getLong((int)(secOff + 32));
break;
}
}
if (modinfoOff > 0 && modinfoSize > 0) {
buffer.position((int)modinfoOff);
modinfoData = new byte[(int)modinfoSize];
buffer.get(modinfoData);
String modinfoStr = new String(modinfoData, "UTF-8");
String[] pairs = modinfoStr.split("\0");
for (String pair : pairs) {
if (pair.contains("=")) {
String[] kv = pair.split("=", 2);
String key = kv[0];
String value = kv[1];
if (properties.containsKey(key)) {
if (!(properties.get(key) instanceof java.util.List)) {
java.util.List<String> list = new java.util.ArrayList<>();
list.add((String) properties.get(key));
properties.put(key, list);
}
((java.util.List<String>) properties.get(key)).add(value);
} else {
properties.put(key, value);
}
}
}
}
}
public void printProperties() {
System.out.println("ELF Properties:");
elfHeader.forEach((k, v) -> System.out.println("- " + k + ": " + v));
System.out.println("\nModule Properties:");
properties.forEach((k, v) -> {
if (v instanceof java.util.List) {
((java.util.List<?>) v).forEach(item -> System.out.println("- " + k + ": " + item));
} else {
System.out.println("- " + k + ": " + v);
}
});
}
public void write(String outputFilename, java.util.Map<String, String> updates) throws IOException {
byte[] data = Files.readAllBytes(Paths.get(filename));
if (updates != null && modinfoData != null) {
String modinfoStr = new String(modinfoData, "UTF-8");
for (java.util.Map.Entry<String, String> entry : updates.entrySet()) {
String key = entry.getKey();
String oldValue = (String) properties.getOrDefault(key, "");
String oldPair = key + "=" + oldValue + "\0";
String newPair = key + "=" + entry.getValue() + "\0";
modinfoStr = modinfoStr.replace(oldPair, newPair);
}
modinfoData = modinfoStr.getBytes("UTF-8");
// Find modinfo offset (simplified; assume known from read)
// In practice, update section size if changed, but here naive replace if size same
if (modinfoData.length == modinfoData.length) { // Only if size unchanged
System.arraycopy(modinfoData, 0, data, /* modinfoOff from read, but for simplicity assume */ 0, modinfoData.length);
}
}
Files.write(Paths.get(outputFilename), data);
}
private String getString(ByteBuffer buffer, int offset) {
StringBuilder sb = new StringBuilder();
buffer.position(offset);
while (true) {
byte b = buffer.get();
if (b == 0) break;
sb.append((char) b);
}
return sb.toString();
}
public static void main(String[] args) throws IOException {
if (args.length < 1) {
System.out.println("Usage: java KOParser <ko_file>");
return;
}
KOParser parser = new KOParser(args[0]);
parser.read();
parser.printProperties();
// Example write
// java.util.Map<String, String> updates = new java.util.HashMap<>();
// updates.put("description", "Updated description");
// parser.write("modified.ko", updates);
}
}
- Write a javascript class that can open any file of format .KO and decode read and write and print to console all the properties from the above list.
Here's a JavaScript class for Node.js (uses fs module). It parses, prints to console, and can write with updates.
const fs = require('fs');
class KOParser {
constructor(filename) {
this.filename = filename;
this.properties = {};
this.elfHeader = {};
this.modinfoData = null;
this.modinfoOff = 0;
this.modinfoSize = 0;
}
read() {
const data = fs.readFileSync(this.filename);
const buffer = new DataView(data.buffer);
// ELF Header (little-endian 64-bit)
const magic = buffer.getUint32(0, true);
if (magic !== 0x464c457f) throw new Error('Not ELF');
const classType = buffer.getUint8(4);
const dataEncoding = buffer.getUint8(5);
const version = buffer.getUint8(6);
const osAbi = buffer.getUint8(7);
const machine = buffer.getUint16(18, true);
const type = buffer.getUint16(16, true);
const shoff = Number(buffer.getBigUint64(40, true));
const shentsize = buffer.getUint16(58, true);
const shnum = buffer.getUint16(60, true);
const shstrndx = buffer.getUint16(62, true);
this.elfHeader = {
Magic: '0x7F ELF',
Class: classType === 2 ? '64-bit' : '32-bit',
'Data Encoding': dataEncoding === 1 ? 'Little-endian' : 'Big-endian',
Version: version,
'OS/ABI': osAbi,
Machine: machine,
Type: type,
};
// Section string table
const strtabOff = Number(buffer.getBigUint64(shoff + shstrndx * shentsize + 24, true));
const strtabSize = Number(buffer.getBigUint64(shoff + shstrndx * shentsize + 32, true));
// Find .modinfo
for (let i = 0; i < shnum; i++) {
const secOff = shoff + i * shentsize;
const nameOff = buffer.getUint32(secOff, true);
const name = this.getString(buffer, strtabOff + nameOff);
if (name === '.modinfo') {
this.modinfoOff = Number(buffer.getBigUint64(secOff + 24, true));
this.modinfoSize = Number(buffer.getBigUint64(secOff + 32, true));
break;
}
}
if (this.modinfoOff && this.modinfoSize) {
const modinfoArray = data.slice(this.modinfoOff, this.modinfoOff + this.modinfoSize);
this.modinfoData = modinfoArray;
const decoder = new TextDecoder();
const modinfoStr = decoder.decode(modinfoArray).split('\0').filter(s => s);
modinfoStr.forEach(pair => {
if (pair.includes('=')) {
const [key, value] = pair.split('=', 2);
if (this.properties[key]) {
if (!Array.isArray(this.properties[key])) {
this.properties[key] = [this.properties[key]];
}
this.properties[key].push(value);
} else {
this.properties[key] = value;
}
}
});
}
}
printProperties() {
console.log('ELF Properties:');
for (const [key, value] of Object.entries(this.elfHeader)) {
console.log(`- ${key}: ${value}`);
}
console.log('\nModule Properties:');
for (const [key, value] of Object.entries(this.properties)) {
if (Array.isArray(value)) {
value.forEach(v => console.log(`- ${key}: ${v}`));
} else {
console.log(`- ${key}: ${value}`);
}
}
}
write(outputFilename, updates = {}) {
let data = fs.readFileSync(this.filename);
if (Object.keys(updates).length > 0 && this.modinfoData) {
let modinfoStr = new TextDecoder().decode(this.modinfoData);
for (const [key, value] of Object.entries(updates)) {
const oldValue = this.properties[key] || '';
const oldPair = `${key}=${oldValue}\0`;
const newPair = `${key}=${value}\0`;
modinfoStr = modinfoStr.replace(oldPair, newPair);
}
const newModinfo = new TextEncoder().encode(modinfoStr);
if (newModinfo.length === this.modinfoSize) { // Size must match for simple replace
data = Buffer.from(data);
data.set(newModinfo, this.modinfoOff);
}
}
fs.writeFileSync(outputFilename, data);
}
getString(buffer, offset) {
let str = '';
while (true) {
const char = buffer.getUint8(offset++);
if (char === 0) break;
str += String.fromCharCode(char);
}
return str;
}
}
// Example usage
if (process.argv.length < 3) {
console.log('Usage: node ko_parser.js <ko_file>');
process.exit(1);
}
const parser = new KOParser(process.argv[2]);
parser.read();
parser.printProperties();
// Example write
// parser.write('modified.ko', { description: 'Updated description' });
- Write a c class that can open any file of format .KO and decode read and write and print to console all the properties from the above list.
Since C doesn't have classes, here's a C++ class. It uses standard I/O for parsing (assumes 64-bit little-endian ELF). Compiles with g++.
#include <iostream>
#include <fstream>
#include <vector>
#include <map>
#include <string>
#include <cstring>
#include <cstdint>
class KOParser {
private:
std::string filename;
std::map<std::string, std::vector<std::string>> properties;
std::map<std::string, std::string> elfHeader;
std::vector<uint8_t> data;
size_t modinfoOff = 0;
size_t modinfoSize = 0;
public:
KOParser(const std::string& fn) : filename(fn) {}
void read() {
std::ifstream file(filename, std::ios::binary | std::ios::ate);
if (!file) {
std::cerr << "Cannot open file" << std::endl;
return;
}
size_t size = file.tellg();
data.resize(size);
file.seekg(0);
file.read(reinterpret_cast<char*>(data.data()), size);
uint32_t* header = reinterpret_cast<uint32_t*>(data.data());
if (header[0] != 0x464c457f) {
std::cerr << "Not ELF" << std::endl;
return;
}
uint8_t* ident = reinterpret_cast<uint8_t*>(data.data());
uint16_t* hdr16 = reinterpret_cast<uint16_t*>(data.data());
uint64_t* hdr64 = reinterpret_cast<uint64_t*>(data.data());
elfHeader["Magic"] = "0x7F ELF";
elfHeader["Class"] = (ident[4] == 2 ? "64-bit" : "32-bit");
elfHeader["Data Encoding"] = (ident[5] == 1 ? "Little-endian" : "Big-endian");
elfHeader["Version"] = std::to_string(ident[6]);
elfHeader["OS/ABI"] = std::to_string(ident[7]);
elfHeader["Machine"] = std::to_string(hdr16[9]);
elfHeader["Type"] = std::to_string(hdr16[8]);
uint64_t shoff = hdr64[5];
uint16_t shentsize = hdr16[29];
uint16_t shnum = hdr16[30];
uint16_t shstrndx = hdr16[31];
// Section string table
uint64_t strtabOff = *reinterpret_cast<uint64_t*>(data.data() + shoff + shstrndx * shentsize + 24);
uint64_t strtabSize = *reinterpret_cast<uint64_t*>(data.data() + shoff + shstrndx * shentsize + 32);
// Find .modinfo
for (uint16_t i = 0; i < shnum; ++i) {
uint64_t secOff = shoff + i * shentsize;
uint32_t nameOff = *reinterpret_cast<uint32_t*>(data.data() + secOff);
std::string name = getString(data.data() + strtabOff + nameOff);
if (name == ".modinfo") {
modinfoOff = *reinterpret_cast<uint64_t*>(data.data() + secOff + 24);
modinfoSize = *reinterpret_cast<uint64_t*>(data.data() + secOff + 32);
break;
}
}
if (modinfoOff && modinfoSize) {
char* modinfoPtr = reinterpret_cast<char*>(data.data() + modinfoOff);
std::string modinfoStr(modinfoPtr, modinfoSize);
size_t pos = 0;
while (pos < modinfoSize) {
size_t end = modinfoStr.find('\0', pos);
if (end == std::string::npos) break;
std::string pair = modinfoStr.substr(pos, end - pos);
pos = end + 1;
size_t eq = pair.find('=');
if (eq != std::string::npos) {
std::string key = pair.substr(0, eq);
std::string value = pair.substr(eq + 1);
properties[key].push_back(value);
}
}
}
}
void printProperties() const {
std::cout << "ELF Properties:" << std::endl;
for (const auto& [key, value] : elfHeader) {
std::cout << "- " << key << ": " << value << std::endl;
}
std::cout << "\nModule Properties:" << std::endl;
for (const auto& [key, values] : properties) {
for (const auto& value : values) {
std::cout << "- " << key << ": " << value << std::endl;
}
}
}
void write(const std::string& outputFilename, const std::map<std::string, std::string>& updates) {
if (!updates.empty() && modinfoSize > 0) {
char* modinfoPtr = reinterpret_cast<char*>(data.data() + modinfoOff);
std::string modinfoStr(modinfoPtr, modinfoSize);
for (const auto& [key, newValue] : updates) {
std::string oldValue = properties.count(key) && !properties.at(key).empty() ? properties.at(key)[0] : "";
std::string oldPair = key + "=" + oldValue + "\0";
std::string newPair = key + "=" + newValue + "\0";
size_t pos = modinfoStr.find(oldPair);
if (pos != std::string::npos && newPair.size() == oldPair.size()) {
modinfoStr.replace(pos, oldPair.size(), newPair);
}
}
std::memcpy(modinfoPtr, modinfoStr.data(), modinfoSize);
}
std::ofstream out(outputFilename, std::ios::binary);
out.write(reinterpret_cast<const char*>(data.data()), data.size());
}
private:
std::string getString(const uint8_t* ptr) const {
std::string str;
while (*ptr) {
str += *ptr++;
}
return str;
}
};
int main(int argc, char* argv[]) {
if (argc < 2) {
std::cerr << "Usage: " << argv[0] << " <ko_file>" << std::endl;
return 1;
}
KOParser parser(argv[1]);
parser.read();
parser.printProperties();
// Example write
// std::map<std::string, std::string> updates = {{"description", "Updated description"}};
// parser.write("modified.ko", updates);
return 0;
}