Package rekall :: Package plugins :: Package addrspaces :: Module elfcore

Module elfcore

An Address Space for processing ELF64 coredumps.

Classes
	Elf64CoreDump This AS supports ELF64 coredump format, as used by VirtualBox.
	KCoreAddressSpace A Linux kernel's /proc/kcore file also maps the entire physical ram.

Functions

WriteElfFile(address_space, outfd, session=None)
Convert the address_space to an ELF Core dump file.

source code

Variables
	PT_PMEM_METADATA = `1835363696`
	__package__ = `'rekall.plugins.addrspaces'`

Function Details

Convert the address_space to an ELF Core dump file.

The Core dump will be written to outfd which is expected to have a .write() method.