The Kallsyms utility is a Win32 utility for extracting kernel symbols from a kernel image. The kernel must be uncompressed. See also imgutil.exe.
There are many variations in how kallsyms are packed into the kernel, so finding the correct parameters may take some experimentation. The good thing is that once you find them for a device they will probably stay the same forever.
/b is the block alignment.
For the newest devices it could be 8.
For most new devices it could be 256.
For older 32-bit kernels it might be 16 or 8.
/a is the width of the entries in the address table.
It could be 32 bits even in a 64-bit kernel if the relative option is being used.
/m is the width of the entries in the marker table.
This will normally be the same width as the kernel itself.
It defaults to the value of /a.
/r is a flag that says that addresses in the address table are relative (zero-based).
This option also affects the position of the address table, because the relative layout uses an additional block.
/l allows you to modify the reported addresses, which is especially useful when addresses are relative.
/d allows display of partial solutions when there are errors.
It should only be used when trying things out.
For 64-bit kernels you may get large and ungainly addresses outside the 4 GB 32-bit address range.
Since with Kernel Address Space Layout Randomization (KASLR) you're not going to get a really useful address anyway, you might as well stick with a load address of zero.
Just use the /l0 flag.
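As an added illustration (not the utility's own code), the following Python model packs a few constructed symbols the way the mainline kernel lays out its kallsyms tables and decodes them back with the same parameters the switches above describe: /a and /m as entry widths in bytes, /r adding the relative-base block, /b as the block alignment, and /l as the reported load address. The symbol names and addresses, the token dictionary, and the reading of /l as "replace the relative base" are assumptions made for this example. The decoder confirms its guess of the address table against num_syms, which is why a wrong parameter set is rejected instead of silently producing nonsense.

```python
"""Toy model of the kallsyms layout behind the /b /a /m /r /l switches (constructed
example, not the utility's code): packs a few symbols the way the mainline kernel
lays out its kallsyms tables, then decodes them with the utility's parameters."""
import struct

# Constructed symbols; a kallsyms name starts with its type letter (T, t, D ...)
SAMPLE = [(0xFFFFFFC000080000, "Tstext"), (0xFFFFFFC000081000, "Tsys_read"),
          (0xFFFFFFC000081400, "tsys_write"), (0xFFFFFFC000090000, "Dinit_task")]
TOKENS = ["sys_", "init", "ext"]  # constructed multi-byte tokens, occupying token slots 0..2
FMT = {4: "<I", 8: "<Q"}          # entry width in bytes -> struct code

def _up(n, align):
    return (n + align - 1) // align * align

def _pad(blob, align):
    return blob + b"\0" * (_up(len(blob), align) - len(blob))

def build_token_tables():
    """token_table: 256 NUL-terminated strings; token_index: 256 u16 offsets into it."""
    table = [TOKENS[i] if i < len(TOKENS) else chr(i) for i in range(256)]
    offsets, pos = [], 0
    for t in table:
        offsets.append(pos)
        pos += len(t) + 1
    return b"".join(t.encode("latin-1") + b"\0" for t in table), struct.pack("<256H", *offsets)

def encode_name(name):
    """Length byte, then one token slot per piece: a multi-byte token where one matches, else the byte."""
    out, i = bytearray(), 0
    while i < len(name):
        for slot, tok in enumerate(TOKENS):
            if name.startswith(tok, i):
                out.append(slot)
                i += len(tok)
                break
        else:
            out.append(ord(name[i]))
            i += 1
    return bytes([len(out)]) + bytes(out)

def build_image(addr_width=8, marker_width=8, relative=False, align=256):
    """Return (blob, offset of the address table); widths are in bytes, align is /b."""
    base = min(a for a, _ in SAMPLE) if relative else 0
    blob = _pad(b"\x7fELF-ish filler (constructed)", align)       # stands in for kernel text
    addr_off = len(blob)
    blob += b"".join(struct.pack(FMT[addr_width], a - base) for a, _ in SAMPLE)
    if relative:                                                  # the extra block that /r implies
        blob = _pad(blob, align) + struct.pack(FMT[marker_width], base)
    blob = _pad(blob, align) + struct.pack(FMT[marker_width], len(SAMPLE))   # num_syms
    blob = _pad(blob, align) + b"".join(encode_name(n) for _, n in SAMPLE)   # names
    blob = _pad(blob, align) + struct.pack(FMT[marker_width], 0)  # markers: one per 256 names
    token_table, token_index = build_token_tables()
    return _pad(_pad(blob, align) + token_table, align) + token_index, addr_off

def decode(blob, addr_off, addr_width=8, marker_width=8, relative=False, align=256, load=None):
    """/a addr_width, /m marker_width, /r relative, /b align, /l load. Assumption made here
    for /l: it replaces the relative base (for absolute tables it is added to each entry)."""
    def rd(off, width):
        return struct.unpack_from(FMT[width], blob, off)[0] if off + width <= len(blob) else -1
    # Count non-decreasing entries, then confirm the count against num_syms; a wrong
    # width, alignment or relative flag normally fails this check.
    n, prev, off = 0, 0, addr_off
    while rd(off, addr_width) >= prev:
        prev, n, off = rd(off, addr_width), n + 1, off + addr_width
    for count in range(n, 0, -1):
        off, base = _up(addr_off + count * addr_width, align), 0
        if relative:
            base, off = rd(off, marker_width), _up(off + marker_width, align)
        if rd(off, marker_width) == count:
            break
    else:
        raise ValueError("num_syms not found: try other /a /m /r /b values")
    off, entries = _up(off + marker_width, align), []             # names: length-prefixed token lists
    for _ in range(count):
        entries.append(blob[off + 1: off + 1 + blob[off]])
        off += 1 + blob[off]
    markers_off = _up(off, align)
    markers = [rd(markers_off + i * marker_width, marker_width) for i in range((count + 255) // 256)]
    tt_off = end = _up(markers_off + len(markers) * marker_width, align)
    for _ in range(256):                                          # token_table holds exactly 256 strings
        end = blob.index(b"\0", end) + 1
    token_index = struct.unpack_from("<256H", blob, _up(end, align))
    def token(slot):
        start = tt_off + token_index[slot]
        return blob[start:blob.index(b"\0", start)].decode("latin-1")
    base = base if load is None else load
    return [(base + rd(addr_off + i * addr_width, addr_width), "".join(token(b) for b in raw))
            for i, raw in enumerate(entries)], markers

def wrong_guess_fails(blob, addr_off, **params):
    """True when decoding with these parameters is rejected at the num_syms check."""
    try:
        decode(blob, addr_off, **params)
        return False
    except ValueError:
        return True
```

Decoding the relative image with load=0 yields 0, 0x1000, 0x1400 and 0x10000 for the constructed symbols, the small zero-based numbers the /l0 advice above aims at; decoding the same image with relative=False, or with the wrong alignment, is rejected at the num_syms check rather than producing a partial table.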
Note that on a live, rooted system you might be able to extract the kallsyms directly.
Download kallsyms.exe, the Kallsyms utility.