Linux Memory Forensics Tool: mquire

Linux Memory Forensics Tool mquire Eliminates Dependence on Debug Symbols

A new open-source tool, mquire, has been released to facilitate Linux memory forensics without relying on external debug information.

Overcoming the Limitation of Debug Symbols

Developed by Trail of Bits, mquire addresses a long-standing challenge in the field, where debug symbols tied to specific kernel versions were required for analysis.

However, these symbols are not typically installed on production systems, and sourcing them from external repositories often proved problematic due to outdated repositories and diverging kernel builds.

How mquire Works

mquire overcomes this limitation by leveraging two data sources embedded in Linux kernels: BPF Type Format (BTF) and Kallsyms.

BTF, a compact format that describes kernel data structure layouts, was designed for eBPF’s compile-once, run-everywhere architecture.

Kallsyms, on the other hand, provides symbol address data, similar to what is found at /proc/kallsyms on a live system.

Interactive SQL Interface for Memory Analysis

mquire offers an interactive SQL interface, inspired by osquery, to query memory dumps.

The tool’s primary author, Alessandro Gario, noted that this feature has been a long-held vision, aiming to bring osquery’s intuitive exploration model to memory forensics.

Querying Memory Dumps

Analysts can execute one-off queries or work interactively, with the SQL interface supporting relational queries across different data sources.

A single query can join process information with open file handles, reconstruct file paths from kernel dentry objects, or cross-reference network connections with owning processes.

Queryable Tables

mquire provides a range of queryable tables, including running processes with PIDs, command lines, and binary paths; open files organized by process; memory mappings per process; active network connections; network interface information; loaded kernel modules; kernel ring buffer messages; system logs read from the kernel’s file cache; and kernel symbol addresses.

File Recovery from Page Cache

A notable feature of mquire is its ability to extract files from the kernel’s page cache.

The `.dump` command iterates through tasks and their open file descriptors, extracting file contents from the page cache and writing them to an output directory.

This capability allows for the recovery of files deleted from disk, as long as they remain cached in memory.

Rootkit Detection through Process Enumeration

mquire supports multiple task enumeration strategies, which can aid in detecting hidden processes.

By comparing output from different enumeration sources, analysts can identify processes that appear in one list but not the other, potentially indicating the presence of a rootkit.

Scope and Limitations

mquire’s analysis is limited to kernel-level information, as BTF does not provide information about user-space data structures.

Furthermore, the Kallsyms scanner relies on the data format from scripts/kallsyms.c, which may require updates to scanner heuristics in response to future kernel format changes.

Future Development

Trail of Bits plans to expand table support, improve caching for performance, and develop DMA-based external memory acquisition for analyzing physical systems without taking a snapshot.

mquire is available for free on GitHub.