mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

Add support for ELF Core dumps #784

Open JanielDary opened 2 years ago

JanielDary commented 2 years ago

Summary

Would it be possible to add support for ELF core dump files, as created by gcore, gdb etc.

Motivation

Ability to analyse dumped process memory on Linux. Helping to investigate code injection.

Describe alternatives you've considered

Currently capa provides an error message "Input file does not appear to target a supported OS" when trying to run it against a core dump. Modified the e_type field to either ET_EXEC / ET_DYN in the executable header of a core file to see if it enabled capa to run. This didn't work either.

Additional context

williballenthin commented 2 years ago

We had a similar idea for analyzing Windows memory dumps; however, there's a stumbling block: of all the loaded modules in the dump, which one should be analyzed and displayed? I can imagine a user interface that prompts the user for which module to inspect, but something like this is probably beyond the scope of the primary capa tool. Could we work together on an integration with capa by another tool, maybe like Volatility or Rekall?

JanielDary commented 2 years ago

Good point made. FYI I stumbled across a quick work around yesterday using 'core2ELF64' which provides the option to rebuild either the ELF binary or any module independent from each other. These binaries then ran fine with capa. Perhaps this could be integrated in future? It essentially just iterates through the headers and dynamic segment to rebuild the binary, adjusting the program header table afterwards.

IIRC Volatility only handles full dumps on Linux / VBox core dumps (in which the guest's physical mem is extracted), rather than per process core files? Going forwards it would indeed be cool to have capa run across a full memory dump, but for the time being I'm just looking at single processes.
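The thread touches three points that are easier to see in code than in prose: why capa rejects a core file (its e_type is ET_CORE, not ET_EXEC/ET_DYN), which modules a core contains (the NT_FILE note written by the kernel and by gdb's gcore lists every file-backed mapping, which is the "which module should be analyzed" question above), and the first step of what core2ELF64 does, namely pulling one module's bytes back out of the PT_LOAD segments. The script below is an added example written for this page; it is not capa code and not core2ELF64. It assumes a little-endian ELF64 core as produced on x86-64 Linux and uses only the Elf64_Ehdr, Elf64_Phdr and note layouts from the ELF specification and the NT_FILE descriptor layout from the Linux kernel. The sample core it parses is constructed inline so the example runs offline; `/tmp/injected.so` and the addresses are made up.

```python
"""Inspect an ELF64 core dump: confirm ET_CORE, list PT_LOAD segments and the
modules recorded in the NT_FILE note, and carve one module's bytes out of the
dump.  Standalone example written for this thread; it is not capa's code."""
import struct

ET_CORE = 4
PT_LOAD, PT_NOTE = 1, 4
NT_FILE = 0x46494C45  # "FILE"; written by the Linux kernel and gdb's gcore

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, little-endian


def parse_core(data: bytes) -> dict:
    """Return the PT_LOAD segments and NT_FILE mappings of an ELF64 LE core.

    Raises ValueError for anything that is not an ET_CORE file, which is the
    same class of input capa currently refuses."""
    (ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if e_type != ET_CORE:
        raise ValueError(f"e_type={e_type}, expected ET_CORE ({ET_CORE})")
    loads, files = [], []
    for i in range(e_phnum):
        p_type, _pf, p_off, p_vaddr, _pa, p_filesz, p_memsz, _al = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_memsz, p_off, p_filesz))
        elif p_type == PT_NOTE:
            files.extend(_nt_file(data, p_off, p_filesz))
    return {"loads": loads, "files": files}


def _nt_file(data: bytes, off: int, size: int) -> list:
    """Walk a PT_NOTE segment and decode every NT_FILE note into
    (path, start, end) tuples.  Other note types (NT_PRSTATUS, ...) are skipped."""
    end, out = off + size, []
    while off + 12 <= end:
        namesz, descsz, n_type = struct.unpack_from("<III", data, off)
        name_off = off + 12
        desc_off = name_off + ((namesz + 3) & ~3)   # name is 4-byte padded
        desc = data[desc_off:desc_off + descsz]
        off = desc_off + ((descsz + 3) & ~3)        # desc is 4-byte padded
        if n_type != NT_FILE or data[name_off:name_off + namesz] != b"CORE\0":
            continue
        # NT_FILE desc: count, page_size, count x (start, end, file_ofs), then
        # count NUL-terminated path names.
        count, _page_size = struct.unpack_from("<QQ", desc, 0)
        entries = struct.unpack_from("<" + "QQQ" * count, desc, 16)
        names = desc[16 + 24 * count:].split(b"\0")[:count]
        for i, name in enumerate(names):
            start, stop, _file_ofs = entries[3 * i:3 * i + 3]
            out.append((name.decode(), start, stop))
    return out


def carve_module(data: bytes, info: dict, path: str) -> bytes:
    """Concatenate, in address order, the PT_LOAD contents that start inside
    `path`'s NT_FILE ranges.  p_memsz beyond p_filesz (pages the dumper did not
    write) is zero-filled so the result has the module's in-memory size."""
    ranges = [(s, e) for p, s, e in info["files"] if p == path]
    chunks = []
    for vaddr, memsz, off, filesz in sorted(info["loads"]):
        if any(s <= vaddr < e for s, e in ranges):
            chunks.append(data[off:off + filesz] + b"\0" * (memsz - filesz))
    return b"".join(chunks)


def build_sample_core() -> bytes:
    """Constructed ELF64 core: one NT_FILE note naming two mappings and two
    PT_LOAD segments backing them.  Paths and addresses are made up."""
    mappings = [(b"/tmp/injected.so", 0x7F0000000000, 0x7F0000001000, 0),
                (b"/usr/lib/libc.so.6", 0x7F0000100000, 0x7F0000101000, 0)]
    desc = struct.pack("<QQ", len(mappings), 0x1000)
    desc += b"".join(struct.pack("<QQQ", s, e, o) for _, s, e, o in mappings)
    desc += b"".join(n + b"\0" for n, *_ in mappings)
    desc += b"\0" * (-len(desc) % 4)
    note = struct.pack("<III", 5, len(desc), NT_FILE) + b"CORE\0\0\0\0" + desc
    seg1 = b"\x7fELF" + b"\xcc" * 12   # first bytes of the "injected" module
    seg2 = b"\x90" * 8                  # a fully written libc page
    phnum = 3
    note_off = EHDR.size + phnum * PHDR.size
    seg1_off = note_off + len(note)
    seg2_off = seg1_off + len(seg1)
    phdrs = PHDR.pack(PT_NOTE, 4, note_off, 0, 0, len(note), 0, 1)
    phdrs += PHDR.pack(PT_LOAD, 5, seg1_off, 0x7F0000000000, 0, len(seg1), 0x1000, 0x1000)
    phdrs += PHDR.pack(PT_LOAD, 5, seg2_off, 0x7F0000100000, 0, len(seg2), len(seg2), 0x1000)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, SysV
    ehdr = EHDR.pack(ident, ET_CORE, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + note + seg1 + seg2


if __name__ == "__main__":
    core = build_sample_core()
    info = parse_core(core)
    for path, start, stop in info["files"]:
        print(f"{start:#x}-{stop:#x} {path}")
    print(len(carve_module(core, info, "/tmp/injected.so")), "bytes carved")
```

The NT_FILE listing is what a "pick a module" prompt for capa would be built from, and it is also how code injection shows up in a core: a mapping whose path is unexpected, or a PT_LOAD segment with no NT_FILE entry at all (anonymous executable memory). `carve_module` only recovers a raw memory image; turning that into something capa will load still needs the rest of what core2ELF64 does (rebuilding the program header table from the loaded segments and the dynamic segment).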