K-ecfs – kernel ECFS
In the previous chapter, we discussed the ECFS (short for Extended Core File Snapshot) technology. It is worth mentioning near the end of this chapter that I have worked out some code for a kernel-ecfs, which merges vmlinux and /proc/kcore into a kernel-ecfs file. The result is essentially a file similar to /proc/kcore, but one that also has section headers and symbols. In this way, an analyst can easily access any part of the kernel, LKMs, and kernel memory (such as the "vmalloc'd" memory). This code will eventually become publicly available.
A sneak peek of the kernel-ecfs file
Here, we are demonstrating how /proc/kcore has been snapshotted into a file called kcore.img and given a set of ELF section headers:

    # ./kcore_ecfs kcore.img
    # readelf -S kcore.img
    There are 6 section headers, starting at offset 0x60404afc:

    Section Headers:
      [Nr] Name              Type             Address           Offset
           Size              EntSize          Flags  Link  Info  Align
    ...
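The practical value of the section headers kcore_ecfs adds is that an analyst no longer has to guess at kernel memory layout: a section name maps to a virtual address range, and that range maps to a file offset. The script below is an added illustration, not code from kcore_ecfs or the ECFS project. It builds a small constructed ELF64 ET_CORE image that has the same shape as the kernel-ecfs output (section header table, a .text and .data section at made-up kernel-style addresses, a one-entry symbol table), parses the section headers the way readelf -S does, and translates a kernel virtual address into a file offset so bytes can be read straight out of the snapshot. The address values, section layout and the name build_sample_image are all constructed for this example; a stock /proc/kcore has no section headers, and the parser returns an empty list in that case instead of failing.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
SHT_NAMES = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 8: "NOBITS"}
EHDR_FMT = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SHDR_FMT = "IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes


def build_sample_image():
    """Constructed ELF64 ET_CORE image with a section header table.

    Mimics the shape of a kernel-ecfs file (core-style ELF plus sections and a
    symbol table). All addresses and contents are made up for this example.
    """
    shstrtab = b"\0.text\0.data\0.symtab\0.shstrtab\0"   # name offsets: 1, 7, 13, 21
    text = b"\x0f\x01\xf8" + b"\x90" * 13                # 16 bytes of fake code
    data_sec = b"\x01\x00\x00\x00\x00\x00\x00\x00"       # 8 bytes of fake data
    # One Elf64_Sym (name, info, other, shndx, value, size) pointing into .text
    symtab = struct.pack("<IBBHQQ", 1, 0x12, 0, 1, 0xFFFFFFFF81000000, 16)
    SHSTR_OFF, TEXT_OFF, DATA_OFF, SYM_OFF, SHOFF = 64, 96, 112, 120, 160
    body = bytearray(SHOFF)
    body[SHSTR_OFF:SHSTR_OFF + len(shstrtab)] = shstrtab
    body[TEXT_OFF:TEXT_OFF + 16] = text
    body[DATA_OFF:DATA_OFF + 8] = data_sec
    body[SYM_OFF:SYM_OFF + 24] = symtab
    # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, link, info, align, entsize)
    shdrs = [
        (0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0),
        (1, SHT_PROGBITS, 0x6, 0xFFFFFFFF81000000, TEXT_OFF, 16, 0, 0, 16, 0),
        (7, SHT_PROGBITS, 0x3, 0xFFFFFFFF82000000, DATA_OFF, 8, 0, 0, 8, 0),
        (13, SHT_SYMTAB, 0, 0, SYM_OFF, 24, 4, 1, 8, 24),
        (21, SHT_STRTAB, 0, 0, SHSTR_OFF, len(shstrtab), 0, 0, 1, 0),
    ]
    for s in shdrs:
        body += struct.pack("<" + SHDR_FMT, *s)
    e_ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9        # ELF64, little-endian, v1
    # e_type=4 (ET_CORE), e_machine=62 (x86-64), no program headers, 5 sections
    body[:64] = struct.pack("<" + EHDR_FMT, e_ident, 4, 62, 1, 0, 0, SHOFF,
                            0, 64, 0, 0, 64, len(shdrs), 4)
    return bytes(body)


def parse_section_headers(data):
    """Return a list of {name, type, addr, offset, size} dicts, like readelf -S."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    endian = "<" if data[5] == 1 else ">"
    ehdr = struct.unpack_from(endian + EHDR_FMT, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = ehdr[6], ehdr[11], ehdr[12], ehdr[13]
    if e_shoff == 0 or e_shnum == 0:
        return []   # plain /proc/kcore: program headers only, no section table
    if e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table lies beyond end of file (truncated image?)")
    raw = [struct.unpack_from(endian + SHDR_FMT, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    # Section names live in the .shstrtab section referenced by e_shstrndx
    str_off, str_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    strdata = data[str_off:str_off + str_size]

    def name_at(idx):
        return strdata[idx:strdata.index(b"\0", idx)].decode()

    return [dict(name=name_at(s[0]), type=SHT_NAMES.get(s[1], hex(s[1])),
                 addr=s[3], offset=s[4], size=s[5]) for s in raw]


def section_for_address(data, vaddr):
    """Find the section whose virtual address range contains vaddr, or None."""
    for s in parse_section_headers(data):
        if s["addr"] and s["addr"] <= vaddr < s["addr"] + s["size"]:
            return s
    return None


def read_kernel_bytes(data, vaddr, length):
    """Translate a kernel virtual address to a file offset and read from the snapshot."""
    s = section_for_address(data, vaddr)
    if s is None or vaddr + length > s["addr"] + s["size"]:
        raise ValueError("address range not covered by any section")
    off = s["offset"] + (vaddr - s["addr"])
    return data[off:off + length]


if __name__ == "__main__":
    img = build_sample_image()
    print("  [Nr] Name        Type      Address            Offset  Size")
    for i, s in enumerate(parse_section_headers(img)):
        print(f"  [{i:2}] {s['name']:<11} {s['type']:<9} {s['addr']:016x} {s['offset']:06x}  {s['size']:04x}")
    print("bytes at .text start:", read_kernel_bytes(img, 0xFFFFFFFF81000000, 3).hex())
```

The same parser works unchanged on a real kcore.img produced by a tool like the one described above, since it only relies on the standard Elf64_Ehdr and Elf64_Shdr layouts; the bounds check on the section table is what catches a snapshot that was cut short during capture rather than silently reading garbage.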