
Enhancement: Memory scanning, core dump parsing #84

Open
eternaleclipse opened this issue Oct 4, 2018 · 3 comments

Comments

@eternaleclipse
Contributor

Currently it is possible to scan memory only by dumping it manually to a file and using the --raw option. A useful feature would be the ability to parse core dump files (gdb can generate core dumps using the gcore command, WinDBG has a similar command called .dump) and scan executable pages in the entire process memory for gadgets. This can also be used to access the process state, registers, stack, etc., as suggested in #40.

@sashs
Owner

sashs commented Oct 4, 2018

Since core dumps are ELF files, it is possible to load those files with ropper without using the --raw option. However, the Windows dump format is different. In order to use that, filebytes has to be extended with that format.

@eternaleclipse
Contributor Author

I used ropper to scan a core file; it does work, but with an incorrect offset. I used objdump to find the same gadget (objdump will display the correct address for the mapped memory), calculated the offset and then used ropper -I to fix the image base. It does work, but the process is kinda tedious. I'm trying to find out how to find the correct offset by parsing the core file directly.
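The offset calculation described above, as an added example that is not part of ropper or this thread: it reads the PT_LOAD program headers of an ELF64 core file and translates a raw file offset (what a --raw scan reports) to the virtual address the bytes were dumped from, which also gives the base one would otherwise pass to -I by hand. The core file here is constructed inside the code, not a real dump, and only segments with file-backed bytes are considered.

```python
import struct

PT_LOAD, ET_CORE, PF_X = 1, 4, 1

def parse_load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz, p_flags) for each PT_LOAD header with file-backed bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_MAG, EI_CLASS == ELFCLASS64
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"                    # EI_DATA selects the byte order
    if struct.unpack_from(end + "H", data, 16)[0] != ET_CORE:
        raise ValueError("not a core file")
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:                # skip pages not written to the dump
            segs.append((p_offset, p_vaddr, p_filesz, p_flags))
    return segs

def file_offset_to_vaddr(segs, file_off):
    """Virtual address for a raw file offset, or None if it lies outside every dumped segment."""
    for p_offset, p_vaddr, p_filesz, _ in segs:
        if p_offset <= file_off < p_offset + p_filesz:
            return p_vaddr + (file_off - p_offset)
    return None

def raw_image_base(segs, file_off):
    """Base that makes raw_offset + base equal the real address (what -I had to be given by hand)."""
    vaddr = file_offset_to_vaddr(segs, file_off)
    return None if vaddr is None else vaddr - file_off

def executable_ranges(segs):
    """[start, end) virtual ranges of PF_X segments: the only pages worth scanning for gadgets."""
    return [(v, v + sz) for _, v, sz, fl in segs if fl & PF_X]

def build_sample_core():
    """Constructed ELF64 core with one r-x text segment and one rw- stack segment (not a real dump)."""
    phdrs = [(PT_LOAD, PF_X | 4, 0x1000, 0x555555554000, 0, 0x1000, 0x1000, 0x1000),
             (PT_LOAD, 6, 0x2000, 0x7ffff7dd0000, 0, 0x2000, 0x2000, 0x1000)]
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return (ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)).ljust(0x4000, b"\x00")

if __name__ == "__main__":
    segs = parse_load_segments(build_sample_core())
    for start, end in executable_ranges(segs):
        print(f"executable: {start:#x}-{end:#x}")
    print(f"raw offset 0x1234 -> {file_offset_to_vaddr(segs, 0x1234):#x}, -I base {raw_image_base(segs, 0x1234):#x}")
```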

@XVilka
Contributor

XVilka commented Sep 12, 2019

You can use radare2 for loading any kind of format, though, since it supports core files and minidumps of different kinds, and it's available as a library.
