Chapter 9. Linux /proc/kcore Analysis

So far, we have covered Linux binaries and memory as they pertain to userland. This book would not be complete, however, without a chapter on the Linux kernel, because the kernel is itself an ELF binary. Similar to how a program is loaded into memory, the Linux kernel image, also known as vmlinux, is loaded into memory at boot time. It has a text segment and a data segment, overlaid with many section headers that are very specific to the kernel and that you won't see in userland executables. We will also briefly cover LKMs in this chapter, as they are ELF files too.

Linux kernel forensics and rootkits

It is important to learn the layout of the Linux kernel image if you want to be a true master ...
