poehlerj/linux_coredump
Linux Coredump

Linux Coredump is a Volatility plugin that attempts to create a core dump file starting from the memory of a Linux process, as found in a memory image.

Usage

  • Clone or download the linux_coredump plugin.

  • Issue the command:

    volatility --plugins=<path of extracted linux_coredump dir> --profile=<memory profile> -f <memory dump> linux_coredump --pid <process pid> --dump-dir <output dir> --output-file <output file>

    or

    vol.py --plugins=<path of extracted linux_coredump dir> --profile=<memory profile> -f <memory dump> linux_coredump --pid <process pid> --dump-dir <output dir> --output-file <output file>

Which command name applies depends on how Volatility was installed: volatility when installed from apt, vol.py when cloned from GitHub.

The plugin will output the corefile in the specified directory and with the specified file name.

NOTES

  • The --plugins option must be the first option on the command line.
  • The plugin may take a long time (up to 15-20 minutes) for processes that use a lot of memory.
  • The Volatility version installed from apt differs from the one on GitHub. The GitHub version probably has a bug and does not show the names of the process memory mappings.
