How do I decompile a specific kernel function?

Question

For example ,kernen function system_call decompiles to:

push %eax
...
call * 0xc03094c0(,%eax,,4)

How's this done in linux?

Answer 1

I think it could be as simple as this:

Compile your kernel with debugging symbols, or if you're using your distro's version, grab its debug package. Then run gdb vmlinux and type disas <function name> if you want to look at a C function. Except that system_call isn't a C function, so GDB won't look it up the same way. But you can still disassemble:

(gdb) info addr system_call
Symbol "system_call" is at 0xc0403964 in a file compiled without debugging.
(gdb) x/4i 0xc0403964
   0xc0403964:  push   %eax
   0xc0403965:  cld    
   0xc0403966:  push   %fs
   0xc0403968:  push   %es

Answer 2

You wouldn't really need to decompile anything since its linux. You can just look at the source. A good source browser is LXR. Join the kernel mailing list if you need help, they are very nice people.