mquire
Memory-forensics tool that queries Linux kernel snapshots over SQL, using BTF and kallsyms embedded in the dump so no external debug symbols are needed.
Best for: Incident response and forensics against unknown or custom kernels where shipping matching debug symbols is impractical.
Surface: Linux memory snapshots
Catalog group: Inspect operating systems and endpoint surfaces
Repository: trailofbits/mquire
Related tools · Inspect operating systems and endpoint surfaces
- Linuxevents eBPF-based monitoring without shipping kernel headers or a stack of environment-specific bytecode artifacts.
- ebpfpub Monitors system and library calls across multiple kernel versions with minimal runtime dependencies.
- ebpf-verifier Research prototype for running the eBPF verifier outside the live kernel to make cross-version testing practical.
- winchecksec Static inspection of Windows binaries for mitigations like DEP, ASLR, and code integrity.
- pe-parse Minimal, security-focused parser for Portable Executable files built to survive malicious or malformed inputs.
- osquery-extensions Collection of Trail of Bits extensions that expand what osquery can inspect and expose.