Lib.rs

Development toolsDebugging
#security #forensics #acquisition #memory

app emdumper

A tool to acquire the physical memory on linux systems (root is necessary)

by ph0llux

2 unstable releases

new 0.7.0 May 4, 2025
0.6.0 Apr 4, 2025
0.5.2 Mar 10, 2025

#396 in Debugging

Download history 106/week @ 2025-03-09 16/week @ 2025-03-16 103/week @ 2025-03-30 35/week @ 2025-04-06 3/week @ 2025-04-13

141 downloads per month

GPL-3.0 license

33KB
449 lines

emd

The eBPF memory dumper is able to dump the physical memory on a linux machine, using an eBPF filter.
This works even the kernel is in lock down mode (integrity) or /proc/kcore is not available on system.
You need root privileges to use this tool.

Prerequisites

  1. stable rust toolchains: rustup toolchain install stable
  2. nightly rust toolchains: rustup toolchain install nightly --component rust-src
  3. bpf-linker: cargo install bpf-linker

build

cargo build --release

install via cargo

cargo install emdumper

usage

sudo ./emd -o output-file.bin

to show all options, you can use

./emd -h

Dependencies

~13–23MB
~374K SLoC