Linux ELF core files

In most UNIX-flavored OSes, a process can be delivered a signal so that it dumps a core file. A core file is essentially a snapshot of the process and its state right before it cored (crashed or dumped). A core file is a type of ELF file that is primarily made up of program headers and memory segments. It also contains a fair number of notes in the PT_NOTE segment that describe file mappings, shared library paths, and other information.
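To make the layout above concrete, here is an added example (not code from the book): a small Python parser that validates an ELF64 core header, walks its program headers, and lists each note in the PT_NOTE segment by owner name, type and descriptor size. The core it parses is a constructed minimal file built by `build_sample_core()`, not a real dump, and the note-type names come from the standard `<elf.h>` values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE, PT_LOAD, PT_NOTE = 4, 1, 4
# Note types commonly seen in Linux core files (values from <elf.h>)
NOTE_TYPES = {1: "NT_PRSTATUS", 2: "NT_FPREGSET", 3: "NT_PRPSINFO",
              6: "NT_AUXV", 0x46494C45: "NT_FILE"}

def _align4(n):
    return (n + 3) & ~3          # note name and desc are padded to 4 bytes

def parse_core_notes(data):
    """Return [(owner, type_name, desc_len)] for every note in an ELF64 LE core."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<HHIQQQIHHH", data, 16)
    if e_type != ET_CORE:
        raise ValueError("not an ET_CORE file")
    notes = []
    for i in range(e_phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, n_type = struct.unpack_from("<III", data, pos)
            owner = data[pos + 12:pos + 12 + namesz].rstrip(b"\0").decode()
            pos += 12 + _align4(namesz) + _align4(descsz)
            if pos > min(end, len(data)):      # truncated or lying segment: refuse to guess
                raise ValueError("note runs past its segment")
            notes.append((owner, NOTE_TYPES.get(n_type, hex(n_type)), descsz))
    return notes

def _note(owner, n_type, desc):
    name_b = owner.encode() + b"\0"
    return (struct.pack("<III", len(name_b), len(desc), n_type)
            + name_b.ljust(_align4(len(name_b)), b"\0") + desc.ljust(_align4(len(desc)), b"\0"))

def build_sample_core():
    """Constructed minimal core: ELF64 header, one PT_NOTE, one empty PT_LOAD (not a real dump)."""
    notes = (_note("CORE", 1, b"\0" * 336)           # NT_PRSTATUS, zeroed placeholder descriptor
             + _note("CORE", 0x46494C45, b"\0" * 16)  # NT_FILE, zeroed placeholder descriptor
             + _note("LINUX", 0x202, b"\0" * 8))      # NT_X86_XSTATE: not in our table, shown as hex
    phnum, note_off = 2, 64 + 2 * 56
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_CORE, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph_note = struct.pack("<IIQQQQQQ", PT_NOTE, 4, note_off, 0, 0, len(notes), 0, 1)
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, note_off + len(notes), 0x400000, 0, 0, 0x1000, 0x1000)
    return ehdr + ph_note + ph_load + notes
```

Pointing `parse_core_notes` at the bytes of a real core (for example `open(path, "rb").read()`) gives the same kind of listing `readelf -n` prints, which is the starting point for pulling file mappings and register state out of a dump.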

A core file by itself is not especially useful for process memory forensics, but it may yield some results to the more astute analyst.

Note

This is actually where ECFS comes into the picture; it is an extension of the regular Linux ELF core format and provides features that are specifically for ...
