Armitage Archive

Highlight from Mquire: Open-Source Linux Memory Forensics Tool

mquire draws on two data sources embedded in Linux kernels. The first is BPF Type Format (BTF), a compact format that describes kernel data structure layouts. BTF was designed for eBPF’s compile-once, run-everywhere architecture and carries type definitions, field offsets, and type relationships. The second source is Kallsyms, the same symbol address data that appears at /proc/kallsyms on a live system. mquire scans the memory dump to locate Kallsyms data, then combines it with BTF type information to find and parse kernel data structures.
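To make the scan-then-resolve flow concrete, here is an added example (not mquire's code) that models the two steps in miniature: scan a memory image for symbol entries, then combine a symbol address with struct field offsets to read a kernel structure out of the image. Everything in it is constructed: the dump, the kallsyms entries (kept in the textual /proc/kallsyms shape rather than the kernel's compressed in-memory tables), and the BTF_LAYOUT dictionary, which stands in for the field offsets a real BTF parser would extract from the binary type graph. The memory model is also an assumption: the image is treated as one linear range starting at DUMP_BASE, so no page-table walk is needed.

```python
import re
import struct

# Assumption (constructed model): the image covers one contiguous kernel virtual
# range starting at DUMP_BASE, so virt -> file offset is a plain subtraction.
DUMP_BASE = 0xFFFFFFFF82A00000

# Constructed kallsyms entries in the textual "<addr> <type> <name>" shape.
# A real kernel stores these in compressed tables; the text form is used here
# only so that the locate-then-parse flow is easy to follow.
SAMPLE_KALLSYMS = (
    b"ffffffff81000000 T _text\n"
    b"ffffffff82a00200 D init_task\n"
    b"ffffffff82a00400 D init_uts_ns\n"
)

# Constructed stand-in for what a BTF parser yields per struct:
# field -> (byte offset within the struct, struct.unpack format).
# Real BTF is a binary type graph; only the offsets a forensics tool
# consumes are modelled here.
BTF_LAYOUT = {
    "task_struct":   {"pid": (0x10, "<i"), "comm": (0x20, "16s")},
    "uts_namespace": {"sysname": (0x08, "65s"), "release": (0x8A, "65s")},
}

KALLSYMS_LINE = re.compile(rb"([0-9a-f]{16}) ([A-Za-z]) ([\w.]+)\n")


def build_sample_dump():
    """Assemble a constructed image: symbol text at 0x40, two structs further in."""
    dump = bytearray(0x600)
    dump[0x40:0x40 + len(SAMPLE_KALLSYMS)] = SAMPLE_KALLSYMS
    # init_task lives at virt ...82a00200 -> offset 0x200 under the linear model
    struct.pack_into("<i", dump, 0x200 + 0x10, 1)
    struct.pack_into("16s", dump, 0x200 + 0x20, b"swapper/0")
    # init_uts_ns lives at virt ...82a00400 -> offset 0x400
    struct.pack_into("65s", dump, 0x400 + 0x08, b"Linux")
    struct.pack_into("65s", dump, 0x400 + 0x8A, b"6.8.0-example")
    return bytes(dump)


def scan_kallsyms(dump):
    """Step 1: locate symbol entries anywhere in the image; name -> (addr, type)."""
    symbols = {}
    for m in KALLSYMS_LINE.finditer(dump):
        addr, kind, name = m.groups()
        symbols[name.decode()] = (int(addr, 16), kind.decode())
    return symbols


def read_field(dump, symbols, struct_name, symbol, field):
    """Step 2: symbol address + BTF-derived field offset -> decoded field value."""
    addr, _ = symbols[symbol]
    offset, fmt = BTF_LAYOUT[struct_name][field]
    file_off = addr - DUMP_BASE + offset
    if file_off < 0 or file_off + struct.calcsize(fmt) > len(dump):
        raise ValueError(f"{symbol}.{field} falls outside the image")
    (value,) = struct.unpack_from(fmt, dump, file_off)
    if isinstance(value, bytes):          # fixed-size char arrays: cut at NUL
        value = value.split(b"\0", 1)[0].decode()
    return value


if __name__ == "__main__":
    image = build_sample_dump()
    syms = scan_kallsyms(image)
    print("symbols found:", sorted(syms))
    print("init_task.pid  =", read_field(image, syms, "task_struct", "init_task", "pid"))
    print("init_task.comm =", read_field(image, syms, "task_struct", "init_task", "comm"))
    print("release        =", read_field(image, syms, "uts_namespace", "init_uts_ns", "release"))
```

The bounds check in `read_field` is the part worth keeping in any real implementation: a symbol address that resolves outside the captured range, or a field offset from a BTF blob that does not match the dumped kernel, should fail loudly rather than silently decode unrelated bytes.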