Lib.rs

Operating systemsUnix APIs
#acquisition #security #forensics #memory

app emdumper

A tool to acquire the physical memory on linux systems (root is necessary)

by ph0llux

1 unstable release

new 0.6.0 Apr 4, 2025
0.5.2 Mar 10, 2025

#151 in Unix APIs

Download history 106/week @ 2025-03-09 16/week @ 2025-03-16

122 downloads per month

GPL-3.0 license

33KB
449 lines

emd

The eBPF memory dumper is able to dump the physical memory on a linux machine, using an eBPF filter.
This works even the kernel is in lock down mode (integrity) or /proc/kcore is not available on system.
You need root privileges to use this tool.

Prerequisites

  1. stable rust toolchains: rustup toolchain install stable
  2. nightly rust toolchains: rustup toolchain install nightly --component rust-src
  3. bpf-linker: cargo install bpf-linker

build

cargo build --release

install via cargo

cargo install emdumper

usage

sudo ./emd -o output-file.bin

to show all options, you can use

./emd -h

Dependencies

~13–24MB
~383K SLoC