ELF headers for in-memory Linux kernel?

Question

I'm looking at a memory snapshot of an Ubuntu 14.04 x64 (3.13.0-46-generic) Linux system.

Looking at the System.map file, the .text section starts at 0xffffffff81000000 (virtual), which is address 0x1000000 physical.

I'm trying to find the actual ELF header in memory. Specifically, I'm trying to figure out where each section resides in memory without having a System.map file, for forensic purposes. Volatility relies on having a profile for a stock kernel, but I'd like a generic approach.

Do these headers persist in memory after the kernel is up and running?

If not, is there some way I can determine where each section is mapped into memory from a physical memory capture?

Answer 1

Very late answer, but just to document this for myself:

The parse_elf() function is called on boot, and copies the first section (.text) in-place over the uncompressed kernel with a memmove, overwriting the ELF header.