lemon: eBPF Memory Dump Tool

LEMON is a Linux and Android memory dump tool that utilizes eBPF to capture the entire physical memory of a system and save it in LiME format, compatible with forensic tools such as Volatility 3.

LEMON is available as a precompiled static binary for x64 and ARM64, leveraging a CO-RE (Compile Once, Run Everywhere) eBPF program. This allows analysts to dump system memory without compiling anything on the target machine, without checking compatibility with the installed libraries and kernel version, and without requiring kernel headers. It is particularly useful in scenarios where loading kernel modules is not possible (e.g., due to Secure Boot) or when {/proc, /dev}/kcore is unavailable.
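Because LEMON writes its output in LiME format, an analyst can sanity-check a dump before handing it to Volatility 3. The following is an added example, not LEMON's own code: a small parser for the LiME container (32-byte segment headers of magic, version, start address, end address and 8 reserved bytes, followed by the raw bytes of that physical range, inclusive of the end address), plus a lookup that maps a physical address back to a file offset. The sample dump is constructed inline with a writer that mirrors the same header layout; segment sizes and addresses in it are made up for the demonstration.

```python
"""Parse and validate a LiME-format memory dump such as the one LEMON produces.

Added example, not part of LEMON. LiME layout per segment (assumed from the
public LiME format): a 32-byte little-endian header
    u32 magic      = 0x4C694D45 (appears on disk as the bytes b"EMiL")
    u32 version    = 1
    u64 s_addr     first physical address of the segment
    u64 e_addr     last physical address of the segment (inclusive)
    u8  reserved[8]
followed immediately by (e_addr - s_addr + 1) bytes of memory content.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = HEADER.size           # 32 bytes


@dataclass
class Segment:
    s_addr: int
    e_addr: int
    offset: int  # file offset where this segment's raw bytes begin

    @property
    def size(self) -> int:
        return self.e_addr - self.s_addr + 1


def parse_lime(data: bytes) -> List[Segment]:
    """Walk the file segment by segment; raise ValueError on any structural defect."""
    segments: List[Segment] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < HEADER_SIZE:
            raise ValueError(f"truncated header at offset {pos}")
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(data, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {pos}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version} at offset {pos}")
        if e_addr < s_addr:
            raise ValueError(f"segment end {e_addr:#x} precedes start {s_addr:#x}")
        size = e_addr - s_addr + 1
        pos += HEADER_SIZE
        if len(data) - pos < size:
            raise ValueError(f"segment at {s_addr:#x} is truncated: need {size} bytes")
        segments.append(Segment(s_addr, e_addr, pos))
        pos += size
    # Physical ranges must be ascending and must not overlap.
    for prev, cur in zip(segments, segments[1:]):
        if cur.s_addr <= prev.e_addr:
            raise ValueError(f"segment {cur.s_addr:#x} overlaps or precedes {prev.e_addr:#x}")
    return segments


def is_valid_lime(data: bytes) -> bool:
    """Boolean wrapper around parse_lime() for quick triage scripts."""
    try:
        parse_lime(data)
        return True
    except ValueError:
        return False


def read_physical(data: bytes, segments: Sequence[Segment], paddr: int, length: int) -> Optional[bytes]:
    """Return up to `length` bytes at physical address `paddr`, or None if the
    address falls in a hole between segments (memory the dump did not capture)."""
    for seg in segments:
        if seg.s_addr <= paddr <= seg.e_addr:
            available = seg.e_addr - paddr + 1
            start = seg.offset + (paddr - seg.s_addr)
            return data[start:start + min(length, available)]
    return None


def build_lime(ranges: Sequence[Tuple[int, bytes]]) -> bytes:
    """Constructed writer used only to build sample input for this example."""
    out = bytearray()
    for s_addr, payload in ranges:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)


# Constructed sample: two segments with a hole at 0x2000-0x2FFF between them.
SAMPLE_DUMP = build_lime([(0x1000, b"A" * 0x1000), (0x3000, b"B" * 0x800)])

if __name__ == "__main__":
    for seg in parse_lime(SAMPLE_DUMP):
        print(f"{seg.s_addr:#x}-{seg.e_addr:#x} ({seg.size} bytes) at file offset {seg.offset}")
```

On a real dump, read the file in binary mode and pass it to `parse_lime()`; a `ValueError` pinpoints the offset where the container stops making sense, which is the first thing to check when Volatility rejects an image.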


Limitations

  • The kernel must support eBPF (obviously!).
  • Kernel lockdown must not be in confidentiality mode (or must allow bpf_probe_read_kernel()).
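Both limitations can be checked on the host before attempting a dump. The following is an added example, not part of LEMON: it parses the kernel lockdown state from `/sys/kernel/security/lockdown` (the active mode is the bracketed entry) and checks for the kernel BTF at `/sys/kernel/btf/vmlinux` that a CO-RE eBPF program relocates against. The decision logic is separated from the file reads so it can be exercised on constructed inputs; the exact reason strings and the assumption that a missing lockdown file means the lockdown LSM is not enabled are the example's own.

```python
"""Pre-flight checks before running an eBPF-based memory dump on a Linux host.

Added example, not LEMON's own code. Assumptions: the lockdown LSM exposes its
state at /sys/kernel/security/lockdown in the form 'none [integrity] confidentiality'
(active mode in brackets), and a CO-RE program needs kernel BTF at
/sys/kernel/btf/vmlinux.
"""
import os
from typing import Dict, List, Optional

LOCKDOWN_PATH = "/sys/kernel/security/lockdown"
BTF_PATH = "/sys/kernel/btf/vmlinux"


def parse_lockdown(text: str) -> str:
    """Return the active lockdown mode from the sysfs listing.
    A listing with no bracketed entry is treated as 'none'."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "none"


def evaluate(lockdown_text: Optional[str], btf_present: bool) -> Dict[str, object]:
    """Pure decision step: lockdown_text is the file content, or None when the
    file does not exist (lockdown LSM not built in or securityfs not mounted)."""
    mode = parse_lockdown(lockdown_text) if lockdown_text is not None else "none"
    reasons: List[str] = []
    if mode == "confidentiality":
        # Confidentiality mode denies kernel-memory reads from BPF programs,
        # which is exactly what a physical-memory dump relies on.
        reasons.append("kernel lockdown is in confidentiality mode; bpf_probe_read_kernel() is blocked")
    if not btf_present:
        reasons.append(f"no kernel BTF at {BTF_PATH}; CO-RE relocation cannot run")
    return {"lockdown": mode, "btf": btf_present, "ok": not reasons, "reasons": reasons}


def preflight(lockdown_path: str = LOCKDOWN_PATH, btf_path: str = BTF_PATH) -> Dict[str, object]:
    """Gather the host facts and hand them to evaluate()."""
    lockdown_text: Optional[str] = None
    try:
        with open(lockdown_path, "r", encoding="ascii") as f:
            lockdown_text = f.read()
    except FileNotFoundError:
        pass
    return evaluate(lockdown_text, os.path.exists(btf_path))


if __name__ == "__main__":
    report = preflight()
    print(f"lockdown={report['lockdown']} btf={report['btf']} ok={report['ok']}")
    for reason in report["reasons"]:
        print(f"  - {reason}")
```

Integrity mode is reported but does not fail the check, since it restricts loading unsigned kernel modules rather than BPF reads; that distinction is the reason an eBPF-based dump works where a LiME kernel module cannot be loaded.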

Todo

  • Support non-CO-RE kernels (this library might help)
  • Insert checks on kernel versions and CONFIG_ kernel options to extend support
  • Implement network dump (TCP)
  • Implement dump with a reduced granule if a page fails to be read
  • Support other CPU architectures (x32, ARM32, MIPS, PowerPC, POWER, RISC-V)
  • Introduce support for kernels that do not have uprobes (by hooking some syscall, or by intercepting egress traffic read-only from TC?)
  • Use _stext on x64 to bypass missing CONFIG_KALLSYMS_ALL
  • Brute-force scanning (?) for the page containing the same data as the _stext page on ARM64 to bypass missing CONFIG_KALLSYMS_ALL
  • Implement network dump (UDP)

Download & Use