Core dump files and ECFS

core dump file

A core dump file is an ELF-format file that the kernel generates when a process is terminated by certain signals; it is used to analyze why the process crashed.

In short, a core dump maps every VMA of the process into an ELF segment and writes the result out as an executable-format file. Note that the core dump file does not contain the code segments, so when debugging a core file with gdb the original program is also needed.

In addition to the memory segments, a note segment is added at the start of the file. The information in this note segment includes signal information (the signal that caused the core dump, and the pending signals still waiting), various times (system time, the execution times of the process, etc.) and register state.

Running eu-readelf -n core prints the note segment of the core file, including the register state, the auxiliary vector, the various process ids, the signal information and the file mappings.

ECFS

ECFS is the Extended Core File Snapshot technique described in the book Learning Linux Binary Analysis.
ecfs builds on the original core dump file by adding note sections that carry extra information, including the list of open files, a compressed copy of the process's /proc/pid directory, file paths, and so on.

Because a core dump only writes a single page of the code segment, ecfs restores the complete code segment from the original executable file.

It also marks injected code: by locating the library file paths from the maps, it can judge whether a mapped region is a library or injected code.
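The layout described above, as an added example that is not code from the post or from ecfs: a Python parser that reads the program headers of an ELF64 core, decodes the NT_SIGINFO and NT_FILE notes that eu-readelf -n also prints, and lists every PT_LOAD whose p_filesz is smaller than its p_memsz, which is how the missing code segment shows up. The core image is constructed inline; the address 0x400000, the path /tmp/a.out and the SIGSEGV siginfo are made-up sample values.

```python
import struct

PT_LOAD, PT_NOTE, ET_CORE = 1, 4, 4
NT_SIGINFO, NT_FILE = 0x53494749, 0x46494c45   # note types, values from elf.h
pad4 = lambda b: b + b"\0" * (-len(b) % 4)     # note name and desc fields are 4-byte aligned

def parse_notes(blob):
    """Yield (name, type, desc) from a PT_NOTE segment: 12-byte header, padded name, padded desc."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        name = blob[off + 12:off + 12 + namesz].rstrip(b"\0").decode()
        off += 12 + ((namesz + 3) & ~3)
        yield name, ntype, blob[off:off + descsz]
        off += (descsz + 3) & ~3

def summarize_core(data):
    """Little-endian ELF64 core -> killing signal, file-backed mappings, VMAs dumped with missing bytes."""
    if data[:5] != b"\x7fELF\x02" or struct.unpack_from("<H", data, 16)[0] != ET_CORE:
        raise ValueError("not an ELF64 core file")
    e_phoff, (e_phentsize, e_phnum) = struct.unpack_from("<Q", data, 32)[0], struct.unpack_from("<HH", data, 54)
    info = {"signal": None, "files": {}, "truncated": []}
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, p_memsz = struct.unpack_from("<IIQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz < p_memsz:   # VMA is listed, but not all of its bytes are in the file
            info["truncated"].append(hex(p_vaddr))
        elif p_type == PT_NOTE:
            for _, ntype, desc in parse_notes(data[p_off:p_off + p_filesz]):
                if ntype == NT_SIGINFO:                 # siginfo_t begins with si_signo
                    info["signal"] = struct.unpack_from("<i", desc)[0]
                elif ntype == NT_FILE:                  # count, page_size, count x (start, end, file_ofs), then paths
                    count = struct.unpack_from("<Q", desc)[0]
                    starts = [struct.unpack_from("<Q", desc, 16 + 24 * k)[0] for k in range(count)]
                    paths = desc[16 + 24 * count:].split(b"\0")[:count]
                    info["files"] = {hex(s): p.decode() for s, p in zip(starts, paths)}
    return info

def build_sample_core():
    """Constructed sample, not a real dump: SIGSEGV siginfo, NT_FILE for the text mapping, text PT_LOAD with p_filesz 0, dumped stack."""
    def note(name, ntype, desc):
        return struct.pack("<III", len(name) + 1, len(desc), ntype) + pad4(name.encode() + b"\0") + pad4(desc)
    notes = note("CORE", NT_SIGINFO, struct.pack("<iii", 11, 0, 0)) + note(
        "CORE", NT_FILE, struct.pack("<QQQQQ", 1, 4096, 0x400000, 0x401000, 0) + b"/tmp/a.out\0")
    stack, note_off = b"\xaa" * 16, 64 + 3 * 56          # 64-byte ELF header, then 3 program headers
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    ph = lambda t, off, va, fsz, msz: struct.pack("<IIQQQQQQ", t, 0, off, va, va, fsz, msz, 1)
    phdrs = (ph(PT_NOTE, note_off, 0, len(notes), 0)
             + ph(PT_LOAD, note_off + len(notes), 0x400000, 0, 0x1000)
             + ph(PT_LOAD, note_off + len(notes), 0x7ffff000, len(stack), len(stack)))
    return ehdr + phdrs + notes + stack
```

On a real core the "truncated" list will typically name the text mapping, and the NT_FILE path beside it is the executable ecfs reads to restore it.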


Origin www.cnblogs.com/likaiming/p/11209451.html