lemon: eBPF Memory Dump Tool
LEMON is a Linux and Android memory dump tool that utilizes eBPF to capture the entire physical memory of a system and save it in LiME format, compatible with forensic tools such as Volatility 3.
LEMON is available as a precompiled static binary for x64 and ARM64, leveraging a CO-RE (Compile Once, Run Everywhere) eBPF program. This allows analysts to dump system memory without compiling anything on the target machine, checking for specific compatibility with installed libraries and kernel versions, and without requiring kernel headers. It is particularly useful in scenarios where loading kernel modules is not possible (e.g., due to Secure Boot) or when {/proc, /dev}/kcore
is unavailable.
Limitations
- The kernel must support eBPF (obviously!).
- Kernel lockdown must not be in confidentiality mode (or must allow
bpf_probe_read_kernel()
).
Todo
- Support non CO-RE kernels (this library might help)
- Insert checks on kernel versions and
CONFIG_
kernel options to extend support - Implement network dump (TCP)
- Implement dump with reduced granule if page fail to be read
- Support other CPU architectures (x32, ARM32, MIPS, PowerPC, POWER, RISC-V)
- Introduce support for kernels that do not have uprobes (by hooking some syscall or intectept egress traffic in read only from TC?)
- Use of
_stext
in x64 to bypass missingCONFIG_KALLSYMS_ALL
- Bruteforce scanning (?) for page containing same data of
_stext
page in ARM64 to bypass missingCONFIG_KALLSYMS_ALL
- Implement network dump (UDP)