mquire: Open-source Linux memory forensics tool

Linux memory forensics has long depended on debug symbols tied to specific kernel versions. These symbols are not installed on production systems by default, and sourcing them from external repositories creates a recurring problem: repositories go stale, kernel builds diverge, and analysts working incident response often find no published symbols for the exact kernel they need to examine.

Trail of Bits published mquire to address this constraint. The open-source tool analyzes Linux memory dumps without requiring any external debug information.


What the tool reads from memory

mquire draws on two data sources embedded in Linux kernels. The first is BPF Type Format (BTF), a compact format that describes kernel data structure layouts. BTF was designed for eBPF’s compile-once, run-everywhere architecture and carries type definitions, field offsets, and type relationships. The second source is Kallsyms, the same symbol address data that appears at /proc/kallsyms on a live system. mquire scans the memory dump to locate Kallsyms data, then combines it with BTF type information to find and parse kernel data structures.

BTF support requires kernel 4.18 or newer with BTF enabled in the kernel build (CONFIG_DEBUG_INFO_BTF on current kernels), a configuration that major Linux distributions have shipped by default for some time; on a live system, the presence of /sys/kernel/btf/vmlinux confirms that the running kernel carries it. Kallsyms support requires kernel 6.4 or newer, owing to format changes in scripts/kallsyms.c.
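
To make concrete what "type definitions and field offsets" buys a memory parser, here is an added example, written for this article and not taken from mquire or Trail of Bits: Python that locates a BTF blob by signature in a constructed memory image, validates the header it points at, and walks the type section to recover the byte offset of each struct member. The header and type-record formats follow include/uapi/linux/btf.h; the toy task_struct layout, the decoy magic and the image contents are this example's own constructions, not the real kernel's layout.

```python
"""Recover struct field offsets from BTF found in a memory image (added example, not mquire's code)."""
import struct

BTF_MAGIC = 0xEB9F                  # in memory: bytes 9F EB, followed by version 01
HDR_FMT = "<HBBIIIII"               # btf_header: magic, version, flags, hdr_len, type_off, type_len, str_off, str_len
HDR_LEN = struct.calcsize(HDR_FMT)  # 24

KIND_INT, KIND_PTR, KIND_ARRAY, KIND_STRUCT, KIND_UNION, KIND_ENUM = 1, 2, 3, 4, 5, 6
KIND_FUNC_PROTO, KIND_VAR, KIND_DATASEC, KIND_DECL_TAG, KIND_ENUM64 = 13, 14, 15, 17, 19
# Bytes trailing the 12-byte btf_type per kind: (fixed, per vlen entry); unlisted kinds carry none.
EXTRA = {KIND_INT: (4, 0), KIND_ARRAY: (12, 0), KIND_STRUCT: (0, 12), KIND_UNION: (0, 12),
         KIND_ENUM: (0, 8), KIND_FUNC_PROTO: (0, 8), KIND_VAR: (4, 0), KIND_DATASEC: (0, 12),
         KIND_DECL_TAG: (4, 0), KIND_ENUM64: (0, 12)}


def find_btf(image):
    """Locate a btf_header by signature, then validate it; a bare magic match is not enough."""
    pos = 0
    while (pos := image.find(b"\x9f\xeb\x01", pos)) != -1:
        if pos + HDR_LEN <= len(image):
            _, _, _, hdr_len, type_off, type_len, str_off, str_len = struct.unpack_from(HDR_FMT, image, pos)
            in_bounds = pos + hdr_len + str_off + str_len <= len(image)
            # Types start right after the header; the string table follows the type section.
            if hdr_len == HDR_LEN and type_off == 0 and str_off == type_len and in_bounds:
                return pos
        pos += 1
    return -1


def parse_btf(blob):
    """Return {type_id: record}; struct members are resolved to (type_id, byte_offset)."""
    magic, version, _, hdr_len, type_off, type_len, str_off, str_len = struct.unpack_from(HDR_FMT, blob, 0)
    if magic != BTF_MAGIC or version != 1:
        raise ValueError("not a BTF blob")
    strs = blob[hdr_len + str_off:hdr_len + str_off + str_len]

    def name(off):
        return strs[off:strs.index(b"\0", off)].decode()

    types, tid = {}, 1                       # type id 0 is void and has no record
    pos, end = hdr_len + type_off, hdr_len + type_off + type_len
    while pos < end:
        name_off, info, size_or_type = struct.unpack_from("<III", blob, pos)
        pos += 12
        kind, vlen, kind_flag = (info >> 24) & 0x1F, info & 0xFFFF, info >> 31
        t = {"kind": kind, "name": name(name_off), "size_or_type": size_or_type, "members": {}}
        if kind in (KIND_STRUCT, KIND_UNION):
            for i in range(vlen):                                 # btf_member: name_off, type, offset
                m_name, m_type, m_off = struct.unpack_from("<III", blob, pos + 12 * i)
                bit_off = (m_off & 0xFFFFFF) if kind_flag else m_off   # kind_flag packs bitfield size on top
                t["members"][name(m_name)] = (m_type, bit_off // 8)
        fixed, per_entry = EXTRA.get(kind, (0, 0))
        pos += fixed + per_entry * vlen
        types[tid] = t
        tid += 1
    return types


def field_offset(types, struct_name, field):
    """Byte offset of struct_name.field, the number a memory parser needs to read that field."""
    for t in types.values():
        if t["kind"] == KIND_STRUCT and t["name"] == struct_name:
            return t["members"][field][1]
    raise KeyError(f"{struct_name}.{field}")


def build_sample_btf():
    """Constructed BTF for a toy task_struct; the layout is this example's, not the kernel's."""
    strs = bytearray(b"\0")

    def add(s):
        off = len(strs)
        strs.extend(s.encode() + b"\0")
        return off

    def ty(name_off, kind, vlen, size_or_type):
        return struct.pack("<III", name_off, (kind << 24) | vlen, size_or_type)

    sec = ty(add("int"), KIND_INT, 0, 4) + struct.pack("<I", (1 << 24) | 32)      # 1: int (signed, 32 bits)
    sec += ty(add("char"), KIND_INT, 0, 1) + struct.pack("<I", (1 << 24) | 8)     # 2: char
    sec += ty(0, KIND_ARRAY, 0, 0) + struct.pack("<III", 2, 1, 16)                # 3: char[16]
    sec += ty(add("list_head"), KIND_STRUCT, 2, 16)                               # 4: struct list_head
    sec += struct.pack("<III", add("next"), 5, 0) + struct.pack("<III", add("prev"), 5, 64)
    sec += ty(0, KIND_PTR, 0, 4)                                                  # 5: struct list_head *
    sec += ty(add("task_struct"), KIND_STRUCT, 3, 40)                             # 6: toy task_struct
    sec += struct.pack("<III", add("pid"), 1, 0)                                  # member offsets are in bits
    sec += struct.pack("<III", add("comm"), 3, 32)
    sec += struct.pack("<III", add("tasks"), 4, 192)
    hdr = struct.pack(HDR_FMT, BTF_MAGIC, 1, 0, HDR_LEN, 0, len(sec), len(sec), len(strs))
    return hdr + sec + bytes(strs)


# Constructed "memory image": a decoy magic with a garbage header, then the real blob, padded.
IMAGE = b"\x00" * 4096 + b"\x9f\xeb\x01" + b"\xff" * 64 + build_sample_btf() + b"\x00" * 4096

if __name__ == "__main__":
    types = parse_btf(IMAGE[find_btf(IMAGE):])
    for field in ("pid", "comm", "tasks"):
        print(f"task_struct.{field} at byte offset {field_offset(types, 'task_struct', field)}")
```

Run against a kernel's real BTF, the same walk yields the offsets of task_struct.pid, task_struct.comm and task_struct.tasks for exactly that build, which is what removes the dependency on externally sourced debug symbols. The decoy magic in the constructed image shows why a signature hit has to be validated against the header it points at before the type section is trusted.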

An SQL interface for querying memory

After loading a dump, mquire exposes an interactive SQL interface. The design draws directly from osquery, the system instrumentation tool that lets analysts query operating system state using SQL. Alessandro Gario, the tool’s primary author, wrote: “This is something I’ve wanted to build ever since my first Querycon, where I discussed forensics capabilities with other osquery maintainers. The idea of bringing osquery’s intuitive, SQL-based exploration model to memory forensics has been on my mind for years, and mquire is the realization of that vision.”

Analysts can run one-off queries from the command line or work interactively. The SQL interface supports relational queries across different data sources. A single query can join process information with open file handles, reconstruct complete file paths from kernel dentry objects, or cross-reference network connections with the processes that own them.

The tool provides a set of queryable tables covering running processes with PIDs, command lines, and binary paths; open files organized by process; memory mappings per process; active network connections; network interface information; loaded kernel modules; kernel ring buffer messages; system logs read from the kernel’s file cache; and kernel symbol addresses.
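
The joins described above, as an added example built on Python's sqlite3 rather than on mquire's own interface: the table names, columns and rows below are constructed for this example and mirror the kinds of tables listed, not mquire's actual schema. The recursive CTE rebuilds a file path by following dentry parents up to the root (whose parent is itself, as in the kernel's dentry tree), and the second query attributes established connections to the processes that own them.

```python
"""Relational queries over forensic tables (added example, not mquire's code or schema)."""
import sqlite3

# Constructed sample rows standing in for what a tool would parse out of a dump.
PROCESSES = [(1, 0, "systemd", "/usr/lib/systemd/systemd"), (612, 1, "sshd", "/usr/sbin/sshd"),
             (1340, 612, "bash", "/usr/bin/bash"), (1377, 1340, "nc", "/usr/bin/nc")]
# dentries: (id, parent_id, name); the root's parent is itself, which ends the path walk.
DENTRIES = [(1, 1, "/"), (2, 1, "etc"), (3, 2, "shadow"), (4, 1, "tmp"), (5, 4, ".x"), (6, 5, "payload.so")]
OPEN_FILES = [(612, 3, 3), (1377, 3, 3), (1377, 4, 6)]            # (pid, fd, dentry_id)
CONNECTIONS = [(612, "0.0.0.0", 22, "0.0.0.0", 0, "LISTEN"),
               (1377, "10.0.0.5", 41122, "203.0.113.7", 4444, "ESTABLISHED")]

SCHEMA = """
CREATE TABLE processes   (pid INTEGER PRIMARY KEY, ppid INTEGER, name TEXT, exe TEXT);
CREATE TABLE dentries    (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT);
CREATE TABLE open_files  (pid INTEGER, fd INTEGER, dentry_id INTEGER);
CREATE TABLE connections (pid INTEGER, local_addr TEXT, local_port INTEGER,
                          remote_addr TEXT, remote_port INTEGER, state TEXT);
"""

# Walk dentry -> parent -> ... -> root with a recursive CTE; depth orders the components.
PATH_SQL = """
WITH RECURSIVE chain(id, parent_id, name, depth) AS (
    SELECT id, parent_id, name, 0 FROM dentries WHERE id = ?
    UNION ALL
    SELECT d.id, d.parent_id, d.name, chain.depth + 1
    FROM dentries d JOIN chain ON d.id = chain.parent_id
    WHERE chain.id != chain.parent_id
)
SELECT name FROM chain ORDER BY depth DESC
"""

# Established connections to uncommon remote ports, joined to the owning process.
OUTBOUND_SQL = """
SELECT p.pid, p.name, c.remote_addr, c.remote_port
FROM connections c JOIN processes p ON p.pid = c.pid
WHERE c.state = 'ESTABLISHED' AND c.remote_port NOT IN (22, 80, 443)
ORDER BY p.pid
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?)", PROCESSES)
    conn.executemany("INSERT INTO dentries VALUES (?,?,?)", DENTRIES)
    conn.executemany("INSERT INTO open_files VALUES (?,?,?)", OPEN_FILES)
    conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?)", CONNECTIONS)
    return conn


def dentry_path(conn, dentry_id):
    """Reconstruct an absolute path from a dentry id by following parents to the root."""
    names = [row[0] for row in conn.execute(PATH_SQL, (dentry_id,))]   # root ("/") comes first
    return "/" + "/".join(names[1:])


def open_paths(conn, pid):
    """(fd, path) for every file a process holds open."""
    rows = conn.execute("SELECT fd, dentry_id FROM open_files WHERE pid = ? ORDER BY fd", (pid,)).fetchall()
    return [(fd, dentry_path(conn, dentry_id)) for fd, dentry_id in rows]


def established_outbound(conn):
    """(pid, name, remote_addr, remote_port) for established connections to unusual ports."""
    return list(conn.execute(OUTBOUND_SQL))


if __name__ == "__main__":
    conn = build_db()
    for pid, name, addr, port in established_outbound(conn):
        print(f"pid {pid} ({name}) -> {addr}:{port}; open files: {open_paths(conn, pid)}")
```

The point of the SQL model is that these two questions (which process owns that connection, and which files is it holding open) are answered by joins over the same tables rather than by separate plugins, so a hunch about one artifact can be pivoted into the others in a single query.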

File extraction from the page cache

One capability beyond standard process and network enumeration is file recovery from the kernel’s page cache. The .dump command iterates through tasks and their open file descriptors, extracting file contents from the page cache and writing them to an output directory. Files that have been deleted from disk remain recoverable as long as they are still cached in memory. The tool also includes a .carve command for extracting raw memory content from a specific virtual address range.

Rootkit detection through process enumeration

mquire supports multiple task enumeration strategies, which creates an avenue for detecting hidden processes. One strategy walks the kernel's task list; another enumerates through the PID namespace. Rootkits sometimes hide processes by unlinking them from the task list while leaving them running. Comparing output from both enumeration sources can surface processes that appear in one list and not the other. The check is only as strong as the independence of the two views: a rootkit that also scrubs the PID namespace structures would pass it, so a discrepancy is evidence of tampering while a clean comparison is not proof of its absence.
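
The cross-view comparison, as an added example that is not mquire's code: Python that walks a circular task list and a PID table over a constructed memory image and reports tasks present in one view but not the other. The task_struct offsets are a toy layout standing in for the values BTF would supply, the PID table is a flat array of task pointers standing in for the kernel's PID namespace structures, and the base address and task contents are constructed for the example.

```python
"""Cross-view process enumeration over a constructed memory image (added example, not mquire's code)."""
import struct

OFF_PID, OFF_COMM, OFF_TASKS, COMM_LEN = 0, 4, 24, 16   # toy task_struct: pid, comm[16], list_head tasks
BASE = 0xFFFF888000000000                               # assumed virtual address of the image start


class Image:
    """Read-only view of a memory capture addressed by virtual address."""
    def __init__(self, base, buf):
        self.base, self.buf = base, buf

    def read(self, vaddr, n):
        off = vaddr - self.base
        if not 0 <= off <= len(self.buf) - n:
            raise ValueError(f"unmapped read at {vaddr:#x}")
        return self.buf[off:off + n]

    def u32(self, vaddr):
        return struct.unpack("<I", self.read(vaddr, 4))[0]

    def u64(self, vaddr):
        return struct.unpack("<Q", self.read(vaddr, 8))[0]


def task_info(img, task):
    pid = img.u32(task + OFF_PID)
    comm = img.read(task + OFF_COMM, COMM_LEN).split(b"\0", 1)[0].decode()
    return pid, comm


def walk_task_list(img, init_task, limit=1 << 20):
    """First view: follow init_task.tasks.next around the ring; container_of() is node - OFF_TASKS."""
    head = init_task + OFF_TASKS
    seen, out, node = set(), [], img.u64(head)
    while node != head:
        if node in seen or len(out) >= limit:
            raise ValueError("task list is cyclic or corrupt")
        seen.add(node)
        out.append(task_info(img, node - OFF_TASKS))
        node = img.u64(node)          # list_head.next is the first field of list_head
    return out


def walk_pid_table(img, table, nents):
    """Second view: every task pointer recorded in the (toy) PID table; 0 marks an empty slot."""
    ptrs = (img.u64(table + 8 * i) for i in range(nents))
    return [task_info(img, p) for p in ptrs if p]


def hidden_tasks(img, init_task, table, nents):
    """Tasks present in the PID table but missing from the task list."""
    return sorted(set(walk_pid_table(img, table, nents)) - set(walk_task_list(img, init_task)))


def build_image():
    """Constructed image: four tasks, one of them unlinked from the list as a rootkit would do."""
    buf = bytearray(0x4000)
    addr = {"swapper": BASE + 0x1000, "systemd": BASE + 0x1040, "sshd": BASE + 0x1080, "evil": BASE + 0x10C0}
    pid = {"swapper": 0, "systemd": 1, "sshd": 612, "evil": 1337}

    def put(name, nxt, prv):
        off = addr[name] - BASE
        struct.pack_into("<I", buf, off + OFF_PID, pid[name])
        buf[off + OFF_COMM:off + OFF_COMM + COMM_LEN] = name.encode().ljust(COMM_LEN, b"\0")
        struct.pack_into("<QQ", buf, off + OFF_TASKS, addr[nxt] + OFF_TASKS, addr[prv] + OFF_TASKS)

    put("swapper", "systemd", "sshd")   # ring: swapper -> systemd -> sshd -> swapper
    put("systemd", "sshd", "swapper")
    put("sshd", "swapper", "systemd")
    put("evil", "evil", "evil")         # list_del_init() leaves the unlinked node pointing at itself
    table = BASE + 0x3000               # the PID table still references all three real processes
    struct.pack_into("<QQQ", buf, table - BASE, addr["systemd"], addr["sshd"], addr["evil"])
    return Image(BASE, bytes(buf)), addr["swapper"], table, 3


if __name__ == "__main__":
    img, init_task, table, n = build_image()
    print("task list:", walk_task_list(img, init_task))
    print("pid table:", walk_pid_table(img, table, n))
    print("hidden   :", hidden_tasks(img, init_task, table, n))
```

The list walk keeps a visited set and a hard limit because a dump taken mid-update, or one deliberately corrupted, can contain a ring that never returns to its head; a parser that trusts pointers in captured memory unconditionally will spin or read out of bounds.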

Kernel-level scope and known constraints

mquire only accesses kernel-level information. BTF does not carry information about user-space data structures, so analysis of user-space memory is out of scope. The Kallsyms scanner also depends on the data format from scripts/kallsyms.c, which means future kernel format changes could require updates to scanner heuristics.

Trail of Bits noted plans for expanded table support, improved caching for performance, and DMA-based external memory acquisition for analysis of physical systems without taking a snapshot.

mquire is available for free on GitHub.
