mquire 1.2.7

Memory forensics and analysis tool for querying Linux kernel memory dumps using SQL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

//
// Copyright (c) 2025-present, Trail of Bits, Inc.
// All rights reserved.
//
// This source code is licensed in accordance with the terms specified in
// the LICENSE file found in the root directory of this source tree.
//

use crate::memory::{primitives::PhysicalAddress, virtual_address::VirtualAddress};

use std::ops::Range;

/// Represents the source of syslog file data
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SyslogFileDataSource {
    /// Data read from the kernel page cache
    PageCache,

    /// Data read from a process memory mapping
    MemoryMapping,
}

impl SyslogFileDataSource {
    pub fn as_str(&self) -> &'static str {
        match self {
            SyslogFileDataSource::PageCache => "page_cache",
            SyslogFileDataSource::MemoryMapping => "memory_mapping",
        }
    }
}

/// Represents a syslog file region in memory
pub struct SyslogFileRegion {
    /// The file offset range for the syslog region
    pub offset_range: Range<PhysicalAddress>,

    /// The extracted valid text lines from this region
    pub lines: Vec<String>,
}

/// Represents the /var/log/syslog file data available in memory
pub struct SyslogFile {
    /// The virtual address for the file entity
    pub virtual_address: VirtualAddress,

    /// The virtual address of the task_struct
    pub task: VirtualAddress,

    /// The thread group identifier (TGID)
    pub tgid: u32,

    /// The source of this syslog data
    pub data_source: SyslogFileDataSource,

    /// The available syslog regions
    pub region_list: Vec<SyslogFileRegion>,
}