#physical-memory #forensics #linux #security #system #ebpf #root #memory-on-linux #dump #dumper

emdumper

A tool to acquire the physical memory of Linux systems (root privileges are required)

2 unstable releases

0.7.0 May 4, 2025
0.6.0 Apr 4, 2025
0.5.2 Mar 10, 2025

#174 in Unix APIs

Download history (downloads per week): 106 @ 2025-03-09, 16 @ 2025-03-16, 103 @ 2025-03-30, 35 @ 2025-04-06, 3 @ 2025-04-13, 130 @ 2025-05-04, 50 @ 2025-05-11, 7 @ 2025-05-18

187 downloads per month

GPL-3.0 license

45KB
573 lines

emd

The eBPF memory dumper (emd) can dump the physical memory of a Linux machine using an eBPF filter.
This works even when the kernel is in lockdown mode (integrity) or /proc/kcore is not available on the system.
You need root privileges to use this tool.

Prerequisites

  1. stable Rust toolchain: rustup toolchain install stable
  2. nightly Rust toolchain with the rust-src component: rustup toolchain install nightly --component rust-src
  3. bpf-linker: cargo install bpf-linker

build

cargo build --release

install via cargo

cargo install emdumper

usage

sudo ./emd -o output-file.bin

To show all options, use

./emd -h
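An acquisition made with emd is only useful as evidence if the examiner can later prove the dump file is the one that was taken. The following POSIX shell script is an added example and is not part of the emdumper project: it wraps the emd invocation shown above, records a SHA-256 hash, size, host, kernel version, lockdown state and timestamp in a manifest next to the dump, and can re-verify the dump against that manifest later. It assumes the emd binary path is given in the EMD environment variable (default ./emd), that sha256sum and uname are available, and that the kernel exposes its lockdown state at /sys/kernel/security/lockdown (absent when securityfs or the lockdown LSM is not present).

```shell
#!/bin/sh
# Added example (not emdumper project code): forensic wrapper around an emd
# acquisition that records integrity and provenance data for the dump.
# Assumptions: $EMD points at the emd binary (default ./emd); sha256sum, uname
# and date are available; lockdown state lives in /sys/kernel/security/lockdown.
set -eu

# Prints the active kernel lockdown mode ("none", "integrity" or
# "confidentiality"), or "unknown" when the sysfs file is not readable.
lockdown_state() {
    if [ -r /sys/kernel/security/lockdown ]; then
        # The file reads like "[none] integrity confidentiality"; keep the bracketed word.
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' /sys/kernel/security/lockdown
    else
        echo unknown
    fi
}

# Writes <dump>.manifest with hash, size and acquisition context and prints its path.
write_manifest() {
    dump="$1"
    manifest="$dump.manifest"
    hash=$(sha256sum "$dump" | cut -d' ' -f1)
    size=$(wc -c < "$dump" | tr -d ' ')
    {
        echo "file=$dump"
        echo "sha256=$hash"
        echo "size_bytes=$size"
        echo "hostname=$(uname -n)"
        echo "kernel=$(uname -r)"
        echo "lockdown=$(lockdown_state)"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$manifest"
    echo "$manifest"
}

# Re-hashes the dump and compares it with the manifest; non-zero exit on mismatch.
verify_dump() {
    dump="$1"
    expected=$(sed -n 's/^sha256=//p' "$dump.manifest")
    actual=$(sha256sum "$dump" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Runs the acquisition as in the README (sudo ./emd -o <file>) and seals it
# with a manifest immediately, before the file can be touched by anything else.
acquire_with_emd() {
    out="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "emd needs root privileges; re-run with sudo" >&2
        return 1
    fi
    "${EMD:-./emd}" -o "$out"
    write_manifest "$out"
}

# Acquire only when explicitly requested, so sourcing this file has no side effects.
if [ "${EMD_RUN:-0}" = 1 ]; then
    acquire_with_emd "${1:-memory.bin}"
fi
```

Run it as root with EMD_RUN=1 (for example `sudo EMD_RUN=1 sh acquire.sh memory.bin`) to take the dump and write memory.bin.manifest; later, `verify_dump memory.bin` from the same script confirms the file still matches the recorded hash. Recording the lockdown state matters because it documents that the acquisition path described on this page (eBPF rather than /proc/kcore) was the one available at the time.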

Dependencies

~17–29MB
~452K SLoC