Skip to content

ph0llux/emd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits
emd-common
emd-common
 
 
emd-ebpf-impl
emd-ebpf-impl
 
 
emd-ebpf
emd-ebpf
 
 
emd
emd
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

emd

The eBPF memory dumper is able to dump the physical memory on a linux machine, using an eBPF filter.
This works even the kernel is in lock down mode (integrity) or /proc/kcore is not available on system.
You need root privileges to use this tool.

Prerequisites

  1. stable rust toolchains: rustup toolchain install stable
  2. nightly rust toolchains: rustup toolchain install nightly --component rust-src
  3. bpf-linker: cargo install bpf-linker

build

cargo build --release

install via cargo

cargo install emdumper

usage

sudo ./emd -o output-file.bin

to show all options, you can use

./emd -h

About

eBPF based memory dumper for linux systems

Topics

linux rust security forensics ebpf memory-dump memory-dumper

Resources

Readme

License

GPL-3.0 license
Activity

Stars

10 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 5

v0.7.0 Latest
May 4, 2025
+ 4 releases

Packages

No packages published

Languages