Lib.rs

Operating systemsUnix APIsemd-common
#forensics #ebpf #security

bin+lib emd-ebpf-impl

The internal eBPF implementation (for use by emd-ebpf). This implementation is intended to use only with bpfel-unknown-none target

by Philipp Krönke

2 stable releases

1.1.1 May 4, 2025
1.0.2 Apr 4, 2025
1.0.1 Mar 10, 2025

#1442 in Unix APIs


Used in 2 crates (via emd-ebpf)

GPL-3.0 license

16KB
249 lines

emd

The eBPF memory dumper is able to dump the physical memory on a linux machine, using an eBPF filter.
This works even the kernel is in lock down mode (integrity) or /proc/kcore is not available on system.
You need root privileges to use this tool.

Prerequisites

  1. stable rust toolchains: rustup toolchain install stable
  2. nightly rust toolchains: rustup toolchain install nightly --component rust-src
  3. bpf-linker: cargo install bpf-linker

build

cargo build --release

install via cargo

cargo install emdumper

usage

sudo ./emd -o output-file.bin

to show all options, you can use

./emd -h

Dependencies

~1.8–3MB
~76K SLoC