1
votes

I'm looking at a memory snapshot of an Ubuntu 14.04 x64 (3.13.0-46-generic) Linux system.

Looking at the System.map file, the .text section starts at 0xffffffff81000000 (virtual), which is address 0x1000000 physical.

I'm trying to find the actual ELF header in memory. Specifically, I'm trying to figure out where each section resides in memory without having a System.map file, for forensic purposes. Volatility relies on having a profile for a stock kernel, but I'd like a generic approach.

Do these headers persist in memory after the kernel is up and running?

If not, is there some way I can determine where each section is mapped into memory from a physical memory capture?

1
Why do you ask? Is it physical memory or virtual memory image snapshot? ELF matters much more in user space than in kernel (except of course for execve implementation) - Basile Starynkevitch
I'm interested for forensic analysis of a Linux system with a custom kernel. It's a physical memory snapshot of a Linux virtual machine, simply for testing at this point. - Stephen
You should have edited your question to say that... - Basile Starynkevitch
It's quite possible that the ELF headers are never actually mapped into memory - I haven't looked at the ld.so code, but I suspect when it starts up a new process, it reads the headers into some buffers to get the information that it needs to locate all the correct segments, etc. But, after it maps those segments into the new process address space, it may very well just discard the headers that it no longer needs... - twalberg
IIRC there is a separate kdebug(ger) and it would not surprise me if it could use post-mortem dumps as well ;-} - wildplasser

1 Answer

0
votes

Very late answer, but just to document this for myself:

The parse_elf() function is called on boot, and copies the first section (.text) in place over the uncompressed kernel with a memmove, overwriting the ELF header.
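As an added example, not part of the question or the answer above, the following C program shows the generic check the question asks for and the failure mode the answer describes: it scans a raw physical-memory capture at page-aligned offsets for a plausible x86-64 ELF header, and if one survives it lists the PT_LOAD segments (virtual address, physical address, size) from the program-header table. The capture is constructed inline: a vmlinux-style header whose .text segment is at virtual 0xffffffff81000000 / physical 0x1000000 as in the question, once intact and once with the header region overwritten by the segment bytes to mimic what the answer says parse_elf() does. The ELF struct definitions are copied from the ELF64 specification so the file compiles without `<elf.h>`; no real kernel image is parsed here.

```c
/* Added example (not from the original post): look for a surviving kernel
 * ELF header in a physical-memory capture and list its PT_LOAD segments.
 * The "capture" below is constructed in build_dump(); it is not real data. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 layouts (same fields and sizes as <elf.h>'s Elf64_Ehdr/Phdr). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;                                   /* 64 bytes */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;                                   /* 56 bytes */

#define PT_LOAD   1
#define PT_NOTE   4
#define EM_X86_64 62
#define PAGE      4096
#define DUMP_LEN  (3 * PAGE)

typedef struct { uint64_t vaddr, paddr, filesz, memsz; } Segment;

/* A candidate at dump+off is plausible if it has the ELF magic, is 64-bit
 * little-endian x86-64, and its program-header table lies inside the capture. */
static int plausible_ehdr(const uint8_t *dump, size_t len, size_t off)
{
    Ehdr64 eh;
    if (off + sizeof eh > len) return 0;
    memcpy(&eh, dump + off, sizeof eh);     /* memcpy: avoid unaligned access */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return 0;
    if (eh.e_ident[4] != 2 /* ELFCLASS64 */ || eh.e_ident[5] != 1 /* LSB */) return 0;
    if (eh.e_machine != EM_X86_64 || eh.e_phentsize != sizeof(Phdr64)) return 0;
    if (eh.e_phnum == 0 || eh.e_phnum > 64) return 0;
    uint64_t avail = len - off;
    return eh.e_phoff < avail && eh.e_phoff + (uint64_t)eh.e_phnum * sizeof(Phdr64) <= avail;
}

/* Scan page-aligned offsets; return the first plausible header offset or -1. */
static long find_kernel_ehdr(const uint8_t *dump, size_t len, size_t page)
{
    for (size_t off = 0; off + sizeof(Ehdr64) <= len; off += page)
        if (plausible_ehdr(dump, len, off)) return (long)off;
    return -1;
}

/* Copy the PT_LOAD entries of the validated header at off into segs.
 * Returns how many were written (at most max). */
static size_t load_segments(const uint8_t *dump, size_t len, size_t off,
                            Segment *segs, size_t max)
{
    if (!plausible_ehdr(dump, len, off)) return 0;
    Ehdr64 eh; memcpy(&eh, dump + off, sizeof eh);
    size_t n = 0;
    for (uint16_t i = 0; i < eh.e_phnum && n < max; i++) {
        Phdr64 ph;
        memcpy(&ph, dump + off + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        segs[n++] = (Segment){ ph.p_vaddr, ph.p_paddr, ph.p_filesz, ph.p_memsz };
    }
    return n;
}

/* Constructed capture: an ELF header plus two program headers at page 1.
 * With header_intact == 0 the header region is overwritten with code bytes,
 * mimicking the in-place copy of .text that the answer describes. */
static void build_dump(uint8_t *dump, int header_intact)
{
    memset(dump, 0, DUMP_LEN);
    Ehdr64 eh; memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;
    eh.e_type = 2; eh.e_machine = EM_X86_64; eh.e_version = 1;
    eh.e_entry = 0xffffffff81000000ULL;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr64); eh.e_phnum = 2;
    Phdr64 ph[2] = {
        { PT_LOAD, 5, 0x200000, 0xffffffff81000000ULL, 0x1000000, 0x800000, 0x800000, 0x200000 },
        { PT_NOTE, 4, 0xa00000, 0xffffffff81800000ULL, 0x1800000, 0x100, 0x100, 4 },
    };
    memcpy(dump + PAGE, &eh, sizeof eh);
    memcpy(dump + PAGE + sizeof eh, ph, sizeof ph);
    if (!header_intact)
        memset(dump + PAGE, 0x90, sizeof eh + sizeof ph);   /* NOPs where .text landed */
}

int main(void)
{
    static uint8_t dump[DUMP_LEN];
    Segment segs[16];
    for (int intact = 1; intact >= 0; intact--) {
        build_dump(dump, intact);
        long off = find_kernel_ehdr(dump, DUMP_LEN, PAGE);
        if (off < 0) { puts("no intact kernel ELF header in capture"); continue; }
        size_t n = load_segments(dump, DUMP_LEN, (size_t)off, segs, 16);
        printf("ELF header at capture offset 0x%lx, %zu PT_LOAD segment(s)\n", off, n);
        for (size_t i = 0; i < n; i++)
            printf("  vaddr 0x%016" PRIx64 " paddr 0x%09" PRIx64 " memsz 0x%" PRIx64 "\n",
                   segs[i].vaddr, segs[i].paddr, segs[i].memsz);
    }
    return 0;
}
```

The scan deliberately requires more than the four magic bytes: a page-aligned capture of a running system contains plenty of stray `\x7fELF` strings (cached files, user-space images), so the class, machine and program-header bounds checks are what keep the hit rate meaningful. When the header region has been overwritten, as in the second pass, the scan finds nothing, which is the situation the answer describes for a booted kernel; the section layout then has to come from elsewhere (symbols, or a build-matched vmlinux).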