Linux kernel memory forensic walkers.
Provides process, network connection, and kernel module enumeration by walking kernel data structures in physical memory dumps.
Re-exports
pub use types::*;
Modules
- arp - Linux ARP cache extraction from the kernel neighbour table.
- bash - Linux bash command history recovery.
- bash_history - Bash command history extraction from memory byte slices.
- boot_time - Linux boot time extraction from the kernel timekeeper.
- bpf - Linux eBPF program enumeration from kernel memory.
- capabilities - Linux process capabilities analysis for privilege escalation detection.
- cgroups - Linux cgroup membership enumeration for container forensics.
- check_afinfo - Linux network protocol handler (seq_afinfo) hook detector.
- check_creds - Shared credential structure detection for privilege escalation analysis.
- check_fops - Linux file_operations table hook detector.
- check_hooks - Linux kernel inline hook detector.
- check_idt - Linux IDT (Interrupt Descriptor Table) hook detector.
- check_modules - Linux hidden kernel module detector.
- cmdline - Linux process command line walker.
- container_escape - Container escape artifact detection.
- correlate - IntoForensicEvents implementations for Linux walker output types.
- cpu_pinning - CPU affinity / cryptominer detection via scheduling policy and CPU pinning.
- crontab - Linux crontab entry recovery from cron process memory.
- deleted_exe - Detect processes running from deleted executables.
- dentry_cache - Detect files hidden via dentry unlink (open-but-unlinked file descriptors).
- dmesg - Linux kernel dmesg ring buffer extraction.
- ebpf_progs - eBPF map enumeration from kernel memory.
- elf_analysis - ELF dynamic symbol analysis for LD_PRELOAD rootkit detection.
- elfinfo - Linux ELF header extraction from process memory.
- envvars - Linux process environment variable walker.
- files - Linux open file descriptor walker.
- framebuffer - Linux EFI/VESA linear framebuffer recovery — locates the framebuffer via boot_params.screen_info and encodes the captured screen as PNG.
- fs - Linux mounted filesystem walker.
- ftrace - Ftrace hook detection from kernel memory.
- fuse_abuse - FUSE filesystem abuse detection.
- futex_forensics - Futex forensics for Linux memory forensics.
- heuristics - Pure heuristic classifiers for Linux forensic artifacts.
- io_uring - Linux io_uring context forensics.
- iomem - I/O memory resource region enumeration.
- ipc - Linux System V IPC object enumeration.
- kaslr - KASLR offset detection for Linux kernels.
- kernel_timers - Linux kernel timer enumeration for rootkit callback detection.
- keyboard_notifiers - Keyboard notifier chain forensics — keylogger detection.
- kmsg - Kernel message ring buffer extraction.
- kthread - Linux kernel thread enumeration and anomaly detection.
- ld_preload - LD_PRELOAD injection detection for Linux memory forensics.
- library_list - Process shared library enumeration for Linux memory forensics.
- magic_gid - Magic GID detection — identifies processes controlled by LD_PRELOAD rootkits.
- malfind - Linux suspicious memory region detector (malfind).
- maps - Linux process memory map (VMA) walker.
- memfd_create - Detect fileless payloads loaded via memfd_create(2).
- modules - Linux kernel module walker.
- modxview - Cross-view kernel module detection for Linux.
- mountinfo - Mount namespace forensics — enumerate mounts from kernel memory.
- namespaces - Linux namespace enumeration for container forensics.
- netfilter - Linux netfilter (iptables) rule extraction from kernel memory.
- netlink_audit - Audit rule suppression / netlink audit tamper detection.
- network - Linux network connection walker.
- oom_events - OOM (Out-of-Memory) kill event recovery from the kernel log buffer.
- pam_hooks - PAM library hook detection.
- perf_event - Suspicious perf_event detection for Linux memory forensics.
- preload_scanner - Library prevalence analysis for LD_PRELOAD rootkit detection.
- proc_cmdline - Pure-logic process command-line parsing and forensic classification.
- proc_hidden - Hidden process detection via PID namespace vs task list discrepancy.
- process - Linux process walker.
- psaux - Detailed process information extraction (Linux ps aux equivalent).
- psxview - Linux hidden process detection via cross-view analysis.
- ptrace - Linux ptrace relationship detection for debugging/injection analysis.
- raw_sockets - Detect processes holding raw (AF_PACKET or SOCK_RAW) sockets.
- seccomp - Linux seccomp-BPF filter analysis for container security forensics.
- shared_mem_anomaly - Shared memory forensics / anomaly detection.
- signal_handlers - Linux process signal handler inspection for malware detection.
- ssh_keys - SSH key extraction from sshd process memory.
- syscalls - Linux syscall table integrity checker.
- systemd_units - In-memory systemd unit analysis.
- thread - Linux thread walker.
- timerfd_signalfd - Timer/signal FD abuse detection.
- tmpfs_recovery - Tmpfs/ramfs inode enumeration for ephemeral file recovery.
- tty_check - Linux TTY operations hook detector.
- types - Output types for Linux forensic walkers.
- unix_sockets - Linux Unix domain socket walker.
- user_ns_escalation - User namespace escalation detection.
- vdso_tamper - vDSO tampering detection.
- vma_walker - VMA region walker — shared abstraction for Linux walkers.
- zombie_orphan - Zombie and orphan process detection for Linux memory forensics.
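Several of the modules above (psxview, modxview, proc_hidden, check_modules) rely on the same cross-view idea: a DKOM rootkit that unlinks a task_struct from the init_task.tasks list hides the process from a task-list walk, but the same PID usually survives in other kernel structures that the rootkit did not patch (the PID hash/IDR, the parent's children list, per-CPU run queues). A walker that enumerates each source independently and diffs the results flags anything that is absent from one view. The following is an added, self-contained illustration of that diff logic, not code from the memf-linux crate; the View names, the Proc/Finding types and the sample process lists are constructed for the example, and in a real walker each view would be populated from a physical-memory dump.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// An independent enumeration source for the process list (hypothetical names
/// chosen for this example; they are not memf-linux identifiers).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum View {
    /// Walk of the init_task.tasks doubly linked list.
    TaskList,
    /// Lookup of every struct pid reachable from the PID hash / IDR.
    PidHash,
    /// Recursive walk of children/sibling lists starting at PID 1.
    ParentTree,
}

/// Minimal process record as produced by one view.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Proc {
    pub pid: u32,
    pub comm: String,
}

/// A process that at least one view failed to report.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub pid: u32,
    pub comm: String,
    pub missing_from: Vec<View>,
}

fn proc_(pid: u32, comm: &str) -> Proc {
    Proc { pid, comm: comm.to_string() }
}

/// Cross-view diff: union every view's PIDs, then report each PID together
/// with the views that did not contain it. A process present in all views
/// produces no finding.
pub fn psxview(views: &[(View, Vec<Proc>)]) -> Vec<Finding> {
    let all_views: BTreeSet<View> = views.iter().map(|(v, _)| *v).collect();
    let mut seen: BTreeMap<u32, (String, BTreeSet<View>)> = BTreeMap::new();
    for (view, procs) in views {
        for p in procs {
            let entry = seen
                .entry(p.pid)
                .or_insert_with(|| (p.comm.clone(), BTreeSet::new()));
            entry.1.insert(*view);
        }
    }
    seen.into_iter()
        .filter_map(|(pid, (comm, present))| {
            let missing: Vec<View> = all_views.difference(&present).copied().collect();
            if missing.is_empty() {
                None
            } else {
                Some(Finding { pid, comm, missing_from: missing })
            }
        })
        .collect()
}

/// Constructed sample data (not from a real dump): PID 1337 has been unlinked
/// from the task list by a rootkit but is still reachable through the PID hash
/// and through its parent's children list.
pub fn sample_views() -> Vec<(View, Vec<Proc>)> {
    let visible = vec![proc_(1, "systemd"), proc_(842, "sshd"), proc_(901, "bash")];
    let mut with_hidden = visible.clone();
    with_hidden.push(proc_(1337, "kworker/u8:9"));
    vec![
        (View::TaskList, visible),
        (View::PidHash, with_hidden.clone()),
        (View::ParentTree, with_hidden),
    ]
}

fn main() {
    for f in psxview(&sample_views()) {
        println!("pid {} ({}) missing from {:?}", f.pid, f.comm, f.missing_from);
    }
}
```

The diff is deliberately symmetric: a PID present only in the task list but absent from the PID hash is just as suspicious (a forged or partially cleaned-up task_struct), so the finding lists every view the process is missing from rather than assuming the task list is the lie. In practice one view can legitimately lag another at acquisition time, so a single missing view on a process that was exiting is a lead, not a verdict; a process missing from two or more views, or from the task list specifically, is the signal psxview-style tools escalate.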
Enums
- Error - Error type for memf-linux operations.
Traits
- WalkerPlugin - A plugin that walks Linux kernel data structures.
Type Aliases
- Result - A Result alias for memf-linux.