#ebpf #memory #forensics #security #acquisition

bin+lib emd-ebpf-impl

The internal eBPF implementation (for use by emd-ebpf). This implementation is intended to be used only with the bpfel-unknown-none target, i.e. it is compiled as a BPF object and loaded by the user-space dumper, not linked into a normal host binary.

2 stable releases

new 1.1.1 May 4, 2025
1.0.2 Apr 4, 2025
1.0.1 Mar 10, 2025

Used in 2 crates (via emd-ebpf)

GPL-3.0 license

16KB
249 lines

emd

The eBPF memory dumper (emd) dumps the physical memory of a Linux machine using an eBPF program instead of a kernel module or /proc/kcore.
This works even when the kernel is in lockdown mode (integrity) or /proc/kcore is not available on the system: integrity lockdown blocks /proc/kcore but still allows eBPF programs to read kernel memory. Confidentiality lockdown additionally denies eBPF kernel reads, so the dumper cannot work at that level.
You need root privileges to use this tool (loading the program and reading kernel memory require CAP_SYS_ADMIN, or CAP_BPF plus CAP_PERFMON on newer kernels).

Prerequisites

  1. stable rust toolchain: rustup toolchain install stable
  2. nightly rust toolchain with the standard library sources (needed to build the eBPF object for bpfel-unknown-none): rustup toolchain install nightly --component rust-src
  3. bpf-linker: cargo install bpf-linker

build

cargo build --release

install via cargo

cargo install emdumper

usage

sudo ./emd -o output-file.bin

to show all options, you can use

./emd -h
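The following pre-flight script is an added example, not part of emd or the emdumper crate. It wraps the usage above with the checks a forensic operator wants before acquisition: it refuses to run as non-root, reads the lockdown level from /sys/kernel/security/lockdown (format `[none] integrity confidentiality`, brackets marking the active level) and aborts under confidentiality, where eBPF kernel reads are denied, then runs emd and records a SHA-256 of the image. The binary name `emd`, the `EMD` environment override and the `--run` flag are assumptions of this example; the lockdown file parsing works on constructed input so the functions can be tested offline.

```shell
#!/bin/sh
# Added example (not emd's own code): pre-flight checks around `emd -o <file>`.
# Assumes the emd binary is on PATH, or its path is given in $EMD.

# Extract the active lockdown level from the securityfs format,
# e.g. "[none] integrity confidentiality" -> "none".
# The contents are passed as $1 so the parser runs on constructed input.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Can emd be expected to work under this lockdown level?
# none/integrity: eBPF kernel reads are permitted (integrity only blocks
# /proc/kcore and similar, which is exactly the situation emd targets).
# confidentiality: bpf_probe_read_kernel is denied, so the dump cannot work.
emd_supported() {
    case "$1" in
        none|integrity) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live lockdown file; if the lockdown LSM is absent the file does
# not exist, which this example treats as "none" (assumption).
read_lockdown() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "[none]"
    fi
}

run_dump() {
    out="${1:-memory.bin}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "emd needs root to load the eBPF program and read kernel memory" >&2
        return 1
    fi
    mode=$(lockdown_mode "$(read_lockdown)")
    if ! emd_supported "$mode"; then
        echo "kernel lockdown level '$mode' denies eBPF kernel reads; aborting" >&2
        return 1
    fi
    "${EMD:-emd}" -o "$out" || return 1
    # Hash the acquired image immediately so later analysis can verify it.
    sha256sum "$out" > "$out.sha256" || return 1
    echo "dumped physical memory to $out (lockdown=$mode)"
}

# Only perform the acquisition when invoked as: sudo ./preflight.sh --run dump.bin
if [ "${1:-}" = "--run" ]; then
    run_dump "${2:-memory.bin}"
fi
```

Run it as `sudo ./preflight.sh --run memory.bin`; sourcing the file without `--run` only defines the functions, which is what the offline checks below rely on.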

Dependencies

~1.4–3MB
~63K SLoC