How to Find Linux Kernel Function Addresses with System.map, vmlinux, /proc/kallsyms and Kernel APIs

1. System.map

When the kernel is compiled, a System.map file is generated. Each line contains an address, a type character, and a symbol name. To locate the address of a function such as do_fork you can search the file: grep 'do_fork' System.map Typical output: c0105020 T do_fork The address is c0105020; the type T indicates a global function symbol.

2. vmlinux

The uncompressed kernel image vmlinux also contains the full symbol table. Standard binutils can be used to query it.

2.1 Using nm

List symbols and filter by name: nm vmlinux | grep do_fork Find a symbol by address (e.g., c0105020): nm vmlinux | grep c0105020 The output format matches that of System.map.

2.2 Using objdump

Disassemble the kernel and filter for a specific function: objdump -d vmlinux | grep do_fork Dump the complete disassembly to a file for offline inspection:

objdump -D vmlinux > vmlinux_dump.txt

2.3 Using readelf

Print the symbol table and grep for the desired entry: readelf -s vmlinux | grep do_fork Example line:

56481: c10601e0 96 FUNC GLOBAL DEFAULT 1 do_fork

The address of do_fork in this case is c10601e0.

3. /proc/kallsyms

If the kernel is built with CONFIG_KALLSYMS=y, the virtual file /proc/kallsyms provides the current running kernel’s symbol table. You can query it directly: cat /proc/kallsyms | grep ' do_fork' Sample output: ffffffff810b57b0 T do_fork The address shown is the runtime address of do_fork.

4. Kernel API

Kernel code can obtain symbol information programmatically, also requiring CONFIG_KALLSYMS=y.

kallsyms_lookup_name

unsigned long addr = kallsyms_lookup_name("do_fork");

Returns the address of the specified symbol.

sprint_symbol

#include <linux/kallsyms.h>
int sprint_symbol(char *buf, unsigned long address);

Writes the symbol name that corresponds to address into buf.