
Module memfd_create

Detect fileless payloads loaded via memfd_create(2).

memfd_create(2) creates an anonymous, tmpfs-backed file that exists only in memory and has no path on disk. Malware uses it to write shellcode or a staged ELF into the file, then mmap(2) or fexecve(3) it, so nothing ever touches the filesystem. The descriptor is visible in the process's open-fd table: readlink(2) on /proc/<pid>/fd/<n> returns /memfd:<name> (deleted) (e.g. /memfd:payload (deleted)), where memfd:<name> is the dentry name chosen by the caller and the (deleted) suffix is appended because the inode is never linked into a directory. The name is attacker-controlled and may be empty or mimic a legitimate one, so it should not be trusted on its own. Note also that a payload executed via fexecve(3) from a descriptor opened with MFD_CLOEXEC no longer has that fd open in the new image; in that case /proc/<pid>/exe and the mappings in /proc/<pid>/maps still point at /memfd:<name> (deleted), so a walker that inspects only the fd table misses it.

MITRE ATT&CK: T1055.009 (Process Injection: Proc Memory). Process Hollowing is T1055.012.
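As an added, self-contained example (not the crate's own walk_memfd_create, MemfdInfo or classify_memfd), the following Rust program implements the detection described above over a /proc-style tree. The root directory is a parameter so the walker can be pointed at a constructed fake tree as well as the real /proc; the type and function names (MemfdHit, Via, parse_memfd_target, walk_memfd) are my own and not part of the crate's API. It checks both /proc/<pid>/fd/<n> and /proc/<pid>/exe, so a payload that was fexecve'd with MFD_CLOEXEC is still reported.

```rust
use std::fs;
use std::path::Path;

/// Where a memfd reference was found: an open descriptor, or the
/// process's executable link (payload already exec'd from the memfd).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Via {
    Fd(u32),
    Exe,
}

/// One memfd reference found in the task list. (Illustrative type,
/// not the crate's MemfdInfo.)
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MemfdHit {
    pub pid: u32,
    pub comm: String,
    pub via: Via,
    pub name: String,
    pub deleted: bool,
}

/// Parse a readlink(2) target from /proc/<pid>/fd/<n> or /proc/<pid>/exe.
/// memfd targets look like "/memfd:payload (deleted)"; the " (deleted)"
/// suffix is what the kernel appends for an unlinked inode. Anything that
/// does not start with "/memfd:" is not a memfd (sockets, pipes, real files).
pub fn parse_memfd_target(target: &str) -> Option<(String, bool)> {
    let rest = target.strip_prefix("/memfd:")?;
    match rest.strip_suffix(" (deleted)") {
        Some(name) => Some((name.to_string(), true)),
        None => Some((rest.to_string(), false)),
    }
}

/// Parse a directory entry name as a number (pid or fd); None for "self", "sys", ...
fn parse_num(name: &std::ffi::OsStr) -> Option<u32> {
    name.to_str()?.parse().ok()
}

/// readlink the given path and classify it; None if unreadable or not a memfd.
fn link_hit(path: &Path) -> Option<(String, bool)> {
    let target = fs::read_link(path).ok()?;
    parse_memfd_target(&target.to_string_lossy())
}

/// Walk every numeric <pid> directory under `proc_root` and collect memfd
/// references from its exe link and its fd table. Processes owned by other
/// users are skipped when their fd/ or exe is unreadable (EACCES without
/// CAP_SYS_PTRACE), so run as root for a full view.
pub fn walk_memfd(proc_root: &Path) -> Vec<MemfdHit> {
    let mut hits = Vec::new();
    let entries = match fs::read_dir(proc_root) {
        Ok(e) => e,
        Err(_) => return hits,
    };
    for entry in entries.flatten() {
        let pid = match parse_num(&entry.file_name()) {
            Some(p) => p,
            None => continue,
        };
        let pid_dir = entry.path();
        let comm = fs::read_to_string(pid_dir.join("comm"))
            .map(|s| s.trim_end().to_string())
            .unwrap_or_default();
        // Exec'd-from-memfd case: the fd may be closed (MFD_CLOEXEC) but exe still points at it.
        if let Some((name, deleted)) = link_hit(&pid_dir.join("exe")) {
            hits.push(MemfdHit { pid, comm: comm.clone(), via: Via::Exe, name, deleted });
        }
        let fds = match fs::read_dir(pid_dir.join("fd")) {
            Ok(f) => f,
            Err(_) => continue,
        };
        for fd_entry in fds.flatten() {
            let fd = match parse_num(&fd_entry.file_name()) {
                Some(n) => n,
                None => continue,
            };
            if let Some((name, deleted)) = link_hit(&fd_entry.path()) {
                hits.push(MemfdHit { pid, comm: comm.clone(), via: Via::Fd(fd), name, deleted });
            }
        }
    }
    // Deterministic order: by pid, exe first, then ascending fd number.
    hits.sort_by_key(|h| (h.pid, match h.via { Via::Exe => 0, Via::Fd(n) => n + 1 }));
    hits
}

fn main() {
    for h in walk_memfd(Path::new("/proc")) {
        println!("pid={} comm={:?} via={:?} memfd:{:?} deleted={}", h.pid, h.comm, h.via, h.name, h.deleted);
    }
}
```

The parser is kept separate from the walker so it can be unit-tested on constructed link targets without a live process, and the walker takes the /proc root as an argument for the same reason; in production the caller would pass Path::new("/proc") and treat any hit on a process whose binary should not create memfds as worth a closer look at /proc/<pid>/maps.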

Re-exports§

pub use crate::heuristics::classify_memfd;

Structs§

MemfdInfo
Information about an open memfd_create file descriptor.

Functions§

walk_memfd_create
Walk the task list and collect information about open memfd_create file descriptors.