mquire 1.2.7

Memory forensics and analysis tool for querying Linux kernel memory dumps using SQL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

//
// Copyright (c) 2025-present, Trail of Bits, Inc.
// All rights reserved.
//
// This source code is licensed in accordance with the terms specified in
// the LICENSE file found in the root directory of this source tree.
//

use crate::memory::virtual_address::VirtualAddress;

/// Represents a kernel module parameter from `struct kernel_param`
#[derive(Debug, Clone)]
pub struct KernelModuleParam {
    /// Virtual address of this object
    pub virtual_address: VirtualAddress,

    /// Parameter name
    pub name: Option<String>,

    /// Parameter permissions
    pub permissions: Option<u16>,

    /// Parameter flags
    pub flags: Option<u8>,
}

/// Represents the state of a kernel module
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum KernelModuleState {
    /// Module is fully loaded and active
    Live,

    /// Module is being loaded
    Coming,

    /// Module is being unloaded
    Going,

    /// Module structure exists but init hasn't been called
    Unformed,
}

/// Represents a Linux kernel module from `struct module`
#[derive(Debug, Clone)]
pub struct KernelModule {
    /// Virtual address of this object
    pub virtual_address: VirtualAddress,

    /// Module name
    pub name: Option<String>,

    /// Module version string
    pub version: Option<String>,

    /// Source version string
    pub src_version: Option<String>,

    /// Module taint flags
    pub taints: Option<u64>,

    /// Whether the module uses GPL-only symbols
    pub using_gpl_only_symbols: Option<bool>,

    /// Current state of the module
    pub state: Option<KernelModuleState>,

    /// List of module parameters
    pub parameter_list: Vec<KernelModuleParam>,
}