core
Core dump analysis and memory forensics - load ELF core files, enumerate memory maps, read raw memory, inspect CPU registers, extract the stack, search for byte patterns or integer values, walk the call backtrace, resolve symbols, disassemble instructions, analyse the heap, find ROP gadgets, and print formatted crash summaries.
Load with: use core
What this module does
core is a crash-analysis toolkit for inspecting process core dumps.
Load a core file to get a handle, then use that handle to navigate memory regions,
read bytes at arbitrary addresses, check the CPU register state at crash time,
walk the call stack backtrace with optional symbol resolution, and disassemble
instructions around the fault address.
Pattern searches let you scan all mapped memory for a byte sequence, a hex pattern,
or a 64-bit little-endian integer - useful for finding pointers or canary values.
Heap analysis identifies [heap] regions and reads chunk metadata.
ROP gadget discovery finds short instruction sequences ending in ret.
Quick example
use core
# Load a core dump
h = corel("/var/crash/app.core")
# Print crash summary
prn(cores6(h))
# Read 32 bytes at the crash instruction pointer
regs = corer2(h)
ip = regs.rip
prn(corer(h, ip, 32))
# Disassemble 10 instructions
prn(cored(h, ip, 10))
# Search for a specific pointer
hits = coref2(h, 0x00007ffff7a3b2c0)
prn(hits)
# Find ROP gadgets (depth 5)
gadgets = coreg(h, 5)
corec(h)Functions
Loading
corel(path)
Loads a core dump file and returns a handle for subsequent operations.
corec(handle)
Closes the core dump and releases resources.
Memory maps
corem(handle)
Returns the process memory map - a list of region objects with start, end, permissions, offset, and name fields.
corem1(handle)
Returns the memory map as a JSON string.
Memory reading
corer(handle, addr, len)
Reads len bytes from the core at virtual address addr. Returns a binary string.
corer1(handle, addr, len)
Alias for corer with identical semantics.
Register state
corer2(handle)
Returns the CPU register state at crash time as an object (e.g. rip, rsp, rbp, general-purpose registers).
corer3(handle)
Returns the register state as a JSON string.
Stack
cores(handle)
Returns stack metadata (stack pointer, top, size) for the crashing thread.
cores1(handle)
Reads 256 bytes from the stack pointer and returns them as a hex string.
Pattern search
coref(handle, pattern)
Searches all mapped memory for the byte pattern string. Returns a list of matching virtual addresses.
coref1(handle, hex_pattern)
Searches for a hex-encoded byte pattern (e.g. "deadbeef").
coref2(handle, value)
Searches for a 64-bit little-endian integer value in memory.
coref3(handle, ptr)
Searches for a pointer value (64-bit LE).
Backtrace and symbols
coreb(handle)
Returns the call backtrace as a list of frame objects with address and frame metadata.
coreb1(handle)
Returns the backtrace as a JSON string.
cores2(handle, addr)
Resolves a virtual address to a symbol name (function name + offset), or nil if unknown.
cores3(handle, addr)
Like cores2 but falls back to "0x{hex}" if no symbol is found.
Disassembly
cored(handle, addr, count)
Disassembles count instructions starting at addr. Returns a list of instruction objects.
cored1(handle, addr, count)
Returns the disassembly as a JSON string.
Heap analysis
coreh(handle)
Returns the list of memory map regions identified as heap (name contains "heap" or "[heap]").
coreh1(handle)
Reads the raw bytes of all heap chunks and returns a list of {start, end, size, data} objects.
String extraction and ROP gadgets
cores4(handle, min_len)
Extracts all printable ASCII strings of at least min_len characters from mapped memory.
coreg(handle, max_depth)
Finds ROP gadgets (short instruction sequences ending in ret) up to max_depth instructions long.
Crash summary
cores5(handle)
Returns a structured crash summary: {regs, maps, bt, stack}.
cores6(handle)
Returns a human-readable formatted crash report - registers in hex, stack pointer, and numbered backtrace with symbol names.
Notes
- All operations delegate to
__core_*host natives - a debugger-capable host runtime is required. - Requires
trl,txt,bin, andenc.