README.md: 10 additions & 17 deletions
@@ -2,31 +2,32 @@
2
2
3
3
LEMON is a Linux and Android memory dump tool that utilizes eBPF to capture the entire physical memory of a system and save it in LiME format, compatible with forensic tools such as Volatility 3.
4
4
5
-
LEMON is available as a precompiled static binary for x64 and ARM64, leveraging a CO-RE (Compile Once, Run Everywhere) eBPF program. This allows analysts to dump system memory without compiling anything on the target machine, checking for specific compatibility with installed libraries and kernel versions, and without requiring kernel headers. It is particularly useful in scenarios where loading kernel modules is not possible (e.g., due to Secure Boot) or when `{/proc, /dev}/kcore` is unavailable.
5
+
LEMON is available as a precompiled static binary for x64 and ARM64, leveraging a CO-RE (Compile Once, Run Everywhere) eBPF program. This allows analysts to dump system memory without compiling anything on the target machine, checking for specific compatibility with installed libraries and kernel versions, and without requiring kernel headers. It is particularly useful in scenarios where loading kernel modules is not possible (e.g., due to Secure Boot) or when `{/proc, /dev}/kcore` is unavailable. If CO-RE is not available on the target machine a universal kernel-independent no CO-RE version of lemon can be run on it.
6
6
7
7
## Usage
8
8
9
9
Copy the `lemon` binary to the target machine and initiate a memory dump on disk with:
10
10
11
11
```sh
12
-
./lemon.ARCH -d memory_on_disk.dump
12
+
./lemon.MODE.ARCH -d memory_on_disk.dump
13
13
```
14
14
15
15
For a network dump instead use:
16
16
17
17
```sh
18
-
./lemon.ARCH -n TARGET_IP -p TARGET_PORT
18
+
./lemon.MODE.ARCH -n TARGET_IP -p TARGET_PORT
19
19
```
20
20
while on the target machine
21
21
```sh
22
22
nc -l -p TARGET_PORT > memory_by_net.dump
23
23
```
24
24
25
25
This generates a `memory.dump` file in LiME format, containing all physical memory pages. Since running eBPF programs typically requires root privileges, LEMON must be executed as `root` or with an appropriate `sudo` configuration.
26
+
Sometimes LEMON returns reading error on a 2MB block of pages: it is normal and due to KFENCE security infrastructure of the kernel.
26
27
27
28
## Build
28
29
29
-
Precompiled static binaries are available in this repository (check the Github actions tab). Analysts can also compile LEMON themselves, either dynamically or statically. The dynamic version requires the presence of `libbpf`, `libz`, `libelf`, and `libzstd` on the target machine, whereas the static version has no external dependencies. Note that the build machine **MUST** have the same CPU architecture as the target.
30
+
Precompiled static binaries are available in this repository (check the Github actions tab) or in the release section. Analysts can also compile LEMON themselves, either dynamically or statically. The dynamic version requires the presence of `libbpf`, `libz`, `libelf`, `libzstd`and `libcap` on the target machine, whereas the static version has no external dependencies. Note that the build machine **MUST** have the same CPU architecture as the target.
30
31
31
32
### Dependencies
32
33
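Review bot: the Usage commands now read `./lemon.MODE.ARCH ...`, but nothing in this section says what MODE can be; the three values (core, nocore, nocoreuni) are only introduced much later under Build, so an analyst copying the binary to a target has to read the build instructions to pick the right file. Add a one-line gloss right after the first command, e.g. "MODE is one of `core`, `nocore` or `nocoreuni` (see Build)". Two grammar fixes in the added sentences: "If CO-RE is not available on the target machine, a universal kernel-independent non-CO-RE version of LEMON can be run on it." and "Sometimes LEMON reports a read error on a 2MB block of pages: this is normal and is caused by the kernel's KFENCE security infrastructure." The KFENCE note would also help readers more if it said whether the affected pages are skipped or zero-filled in the LiME output, since that affects how the dump is interpreted in Volatility. In the Build paragraph, `libzstd`and `libcap` is missing a space and a comma: `libzstd`, and `libcap`. Finally, the unchanged line "This generates a `memory.dump` file" no longer matches the example commands, which write `memory_on_disk.dump` or `memory_by_net.dump`; worth fixing while this section is being touched.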
@@ -46,23 +47,15 @@ Other distributions provide equivalent packages, which at minimum allow compilin
2.**Generate a valid **`vmlinux.h`** file (only for CO-RE builds):**
50
+
2.**Compile:**
50
51
51
-
Copy a valid `vmlinux.h` file into `lemon/` or generate one with:
52
-
53
-
```sh
54
-
make vmlinux
55
-
```
56
-
57
-
3.**Compile:**
58
-
59
-
- Dynamic binary (set CORE=0 for non CO-RE binaries):
52
+
- Dynamic binary (MODE accepts: core, nocore (for using no CO-RE version based on kernel headers) and nocoreuni (for no CO-RE version using the universal header included in LEMON)):
60
53
```sh
61
-
make CORE=1
54
+
make MODE=core
62
55
```
63
56
- Static binary:
64
57
```sh
65
-
make CORE=1 static
58
+
make MODE=core static
66
59
```
67
60
68
61
## Limitations
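Review bot: this hunk deletes the entire "Generate a valid `vmlinux.h` file (only for CO-RE builds)" step, including `make vmlinux`, but `make MODE=core` is still documented as the CO-RE build, and a CO-RE build cannot compile without a `vmlinux.h`. If the Makefile now generates it automatically, say so in one sentence under Compile so readers do not wonder where it comes from; if it does not, the CO-RE build instructions are now missing a required step and the deleted lines should be restored. The new MODE description is also hard to parse because of the nested parentheses; a three-item list reads better:
- `core`: CO-RE build
- `nocore`: non-CO-RE build using the installed kernel headers
- `nocoreuni`: non-CO-RE build using the universal header shipped with LEMON
Since `nocore` depends on kernel headers on the build machine, that requirement belongs in the Dependencies section as well.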
@@ -72,7 +65,7 @@ Other distributions provide equivalent packages, which at minimum allow compilin
72
65
73
66
## TODO
74
67
75
-
- [X] Support non CO-RE kernels ([this library](https://github.com/eunomia-bpf/bpf-compatible) might help)
68
+
- [X] Support non CO-RE kernels
76
69
- [X] Insert checks on kernel versions and ```CONFIG_``` kernel options to extend support
77
70
- [X] Implement network dump (TCP)
78
71
- [X] Implement dump with reduced granule if page fail to be read
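Review bot: dropping the link to eunomia-bpf/bpf-compatible loses the only pointer to how non-CO-RE support was approached; if that library (or its universal-header idea) is what `nocoreuni` builds on, keep a reference in the Build section or a credits line rather than removing it entirely. While touching this list: the context line uses triple backticks inline for ```CONFIG_```, which should be single backticks, and "if page fail to be read" should read "if a page fails to be read". That last item also relates directly to the new KFENCE note in Usage, so the two could cross-reference each other.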