mquire: Linux memory forensics without external dependencies
Trail of Bits has open-sourced mquire, a Linux memory forensics tool that eliminates the need for external kernel debug symbols. By utilizing embedded BTF and Kallsyms data, mquire allows incident responders to perform reliable memory analysis on unknown or custom Linux kernels using an intuitive SQL interface.
Authors: Trail of Bits
Source:
Trail of Bits
Key Takeaways
- Trail of Bits released mquire, a new open-source Linux memory forensics tool that operates without external debug dependencies.
- mquire leverages BPF Type Format (BTF) and Kallsyms data embedded directly in modern Linux kernels to extract type information and symbol addresses.
- The tool features an osquery-inspired SQL interface for querying processes, open files, memory mappings, and network connections.
- It includes a .dump command capable of recovering deleted files directly from the kernel's file cache in memory.
- mquire requires Linux Kernel 4.18+ for BTF support and Kernel 6.4+ for Kallsyms support.
Affected Systems
- Linux (Kernel 4.18+ with BTF enabled)
- Linux (Kernel 6.4+ for Kallsyms support)
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: mquire
The article provides example SQL queries designed to be executed within the mquire tool to analyze Linux memory dumps.
Detection Engineering Assessment
EDR Visibility: None — The article discusses a defensive memory forensics tool, not a threat that generates EDR telemetry. Network Visibility: None — The tool analyzes local memory dumps and does not generate network traffic relevant to threat detection. Detection Difficulty: N/A — This is a defensive tool release, not a malicious technique to be detected.
Required Log Sources
- Linux Memory Dump (e.g., LiME)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Analysts can hunt for hidden or unlinked malicious processes by querying the tasks table in mquire and comparing the results against known good baselines or live system outputs. | Memory Dump (mquire tasks table) | Defense Evasion | Low |
Control Gaps
- Traditional memory forensics tools (like Volatility) fail to analyze memory dumps when exact kernel debug symbols are unavailable.
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- N/A
Infrastructure Hardening
- N/A
User Protection
- N/A
Security Awareness
- Incorporate mquire into Linux incident response playbooks to enable memory analysis on systems with custom, updated, or unknown kernels where traditional debug symbols are unavailable.
Additional IOCs
- File Paths:
/proc/kallsyms- Linux virtual file containing kernel symbol addresses, which mquire replicates by scanning memory dumps.
- Command Lines:
- Purpose: Acquire a Linux memory dump using LiME | Tools:
insmod,lime| Stage: Forensic Acquisition |insmod ./lime-x.x.x-xx-generic.ko 'path= - Purpose: Run a single SQL query against a memory snapshot using mquire | Tools:
mquire| Stage: Forensic Analysis |mquire query --format json snapshot.lime - Purpose: Extract files from the kernel's file cache using mquire | Tools:
mquire| Stage: Forensic Analysis |mquire command snapshot.lime '.dump
- Purpose: Acquire a Linux memory dump using LiME | Tools: