Well, the general idea is to find a pointer to the memory, then follow
the pointer. Given the struct definitions for table entries, you
should be able to decode them.

The easiest way to do this is all in gdb. It can read the symbol table
from the binary file and knows how to evaluate C expressions against
the state of memory represented by the core file, so you just need to
know what the table is called and tell it to print a C expression that
evaluates to the data you're interested in.

Lacking the ability to use gdb to do it, you'd want to use something
like objdump to look at the symbol table of the executable and use it
as a guide to the memory layout of the core file. As long as there's a
symbol that refers to the table's address, it should be pretty easy to
find with a hex editor viewing the core dump. You'd have to manually
decode it, or copy it out of the core file and load it into a simple C
program that will decode it using the original structure definitions.

If you can't gdb and there's no symbol that directly refers to the
table, you'll have to do a bit more work. Presumably the memory was
allocated dynamically and was pointed to by a variable in a stack
frame. You'll need to find the stack and manually decode it, looking
for heap pointers that could refer to the table. This could be rather
difficult and tedious, so hopefully you don't have to resort to it.

--Levi

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/

If you're talking about shared memory on Linux, were shared memory pages
included in the dump? By default, most Linux systems don't include shared
memory in core dumps. See the description of /proc/PID/coredump_filter in
the core(5) man page. Apologies if I'm preaching to the choir.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/