New release

Author: IridiumXOR

.github/workflows/build.yaml

@@ -0,0 +1,38 @@
+name: Build
+
+on:
+  push
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-24.04-arm, ubuntu-24.04]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    
+    - name: Install dependencies from apt
+      run: |
+        sudo apt update
+        sudo apt install -y make clang llvm libbpf-dev linux-tools-generic
+    
+    - name: Compile with Make
+      run: |
+        make CORE=1 static
+    
+    - name: Upload x64 binary
+      uses: actions/upload-artifact@v4
+      with:
+          name: lemon.x86_64
+          path: "lemon.x86_64"
+      continue-on-error: true
+
+    - name: Upload ARM64 binary
+      uses: actions/upload-artifact@v4
+      with:
+          name: lemon.aarch64
+          path: "lemon.aarch64"
+      continue-on-error: true

.gitignore

@@ -1,52 +1 @@
-# Prerequisites
-*.d
-
-# Object files
-*.o
-*.ko
-*.obj
-*.elf
-
-# Linker output
-*.ilk
-*.map
-*.exp
-
-# Precompiled Headers
-*.gch
-*.pch
-
-# Libraries
-*.lib
-*.a
-*.la
-*.lo
-
-# Shared objects (inc. Windows DLLs)
-*.dll
-*.so
-*.so.*
-*.dylib
-
-# Executables
-*.exe
-*.out
-*.app
-*.i*86
-*.x86_64
-*.hex
-
-# Debug files
-*.dSYM/
-*.su
-*.idb
-*.pdb
-
-# Kernel Module Compile Results
-*.mod*
-*.cmd
-.tmp_versions/
-modules.order
-Module.symvers
-Mkfile.old
-dkms.conf
+vmlinux.h

Makefile

@@ -1,33 +1,66 @@
-STATIC ?=
-CORE ?=
+# Optional build flags (can be overridden via command line)
+STATIC ?=  # Default is not static
+CORE ?= 1  # Default to CORE=1, can be disabled via CORE=0
 
+# System and architecture detection
 ARCH := $(shell uname -m)
+BPFTOOL := bpftool
 
-# For now supports only x86-64 and ARM64
+# Detect architecture for eBPF
 ifeq ($(ARCH), x86_64)
     TARGET_ARCH := __TARGET_ARCH_x86
 else ifeq ($(ARCH), aarch64)
     TARGET_ARCH := __TARGET_ARCH_arm64
+else
+    $(error Unsupported architecture: $(ARCH))
 endif
 
-all: CORE=-D CORE 
-all: ebpf loader
+# Define compiler and flags
+CLANG   := clang
+CFLAGS  := -Wall -O2 -D$(TARGET_ARCH)
+LDFLAGS := -lbpf -lelf -lz -lzstd
 
-static: CORE=1 
-static: STATIC=-static 
-static: all
+# Conditional flags
+ifeq ($(CORE), 1)
+    CFLAGS  += -DCORE
+    BPF_CORE_FLAG := -DCORE
+endif
+
+ifeq ($(STATIC), 1)
+    LDFLAGS += -static
+endif
+
+# Files
+LOADER_SRCS := lemon.c cpu_stealer.c mem.c dump.c disk.c net.c
+LOADER_BIN  := lemon.$(ARCH)
+BPF_SRC     := ebpf/mem.ebpf.c
+BPF_OBJ     := ebpf/mem.ebpf.o
+BPF_SKEL    := ebpf/mem.ebpf.skel.h
 
-loader:
-	clang $(CORE) -D $(TARGET_ARCH) -Wall -O2 lemon.c mem.c disk.c -o lemon -lbpf -lelf -lz -lzstd $(STATIC)
+# Default target: If CORE is enabled, make vmlinux first, then compile eBPF and loader
+all: $(if $(filter 1,$(CORE)), vmlinux) $(BPF_OBJ) $(LOADER_BIN)
 
-ebpf:
-	clang -target bpf $(CORE) -D $(TARGET_ARCH) -I/usr/include/linux -I/usr/include/$(ARCH)-linux-gnu \
-	      -Wall -O2 -g -c lemon.ebpf.c -o lemon.ebpf.o
-	llvm-strip -g lemon.ebpf.o
-	bpftool gen skeleton lemon.ebpf.o > lemon.ebpf.skel.h
+# Build eBPF object and generate skeleton
+$(BPF_OBJ): $(BPF_SRC)
+	$(CLANG) -target bpf -D$(TARGET_ARCH) $(BPF_CORE_FLAG) -I/usr/include/linux -I/usr/include/$(ARCH)-linux-gnu \
+	        -Wall -O2 -g -c $< -o $@
+	llvm-strip -g $(BPF_OBJ)
+	$(BPFTOOL) gen skeleton $(BPF_OBJ) > $(BPF_SKEL)
 
+# Build the loader (compiled before eBPF program)
+$(LOADER_BIN): $(LOADER_SRCS)
+	$(CLANG) $(CFLAGS) $^ -o $@ $(LDFLAGS)
+
+# Dump vmlinux BTF as C header (only if CORE is enabled)
 vmlinux:
-	bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+	$(BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+
+# Static target for convenience
+static:
+	$(MAKE) STATIC=1
 
+# Clean
 clean:
-	rm -f *.o *.bc vmlinux.h lemon.ebpf.skel.h lemon
+	rm -f $(LOADER_BIN) $(BPF_OBJ) $(BPF_SKEL) vmlinux.h
+
+.PHONY: all static clean vmlinux

README.md

@@ -1,22 +1,32 @@
-# LEMON - An eBPF Memory Dump Tool for x64 and ARM64 Linux
+# LEMON - An eBPF Memory Dump Tool for x64 and ARM64 Linux and Android
 
-LEMON is a Linux memory dump tool that utilizes eBPF to capture the entire physical memory of a system and save it in LiME format, compatible with forensic tools such as Volatility 3.
+LEMON is a Linux and Android memory dump tool that utilizes eBPF to capture the entire physical memory of a system and save it in LiME format, compatible with forensic tools such as Volatility 3.
 
 LEMON is available as a precompiled static binary for x64 and ARM64, leveraging a CO-RE (Compile Once, Run Everywhere) eBPF program. This allows analysts to dump system memory without compiling anything on the target machine, checking for specific compatibility with installed libraries and kernel versions, and without requiring kernel headers. It is particularly useful in scenarios where loading kernel modules is not possible (e.g., due to Secure Boot) or when `{/proc, /dev}/kcore` is unavailable.
 
 ## Usage
 
-Copy the `lemon` binary to the target machine and initiate the memory dump with:
+Copy the `lemon` binary to the target machine and initiate a memory dump on disk with:
 
 ```sh
-./lemon memory.dump
+./lemon.ARCH -d memory_on_disk.dump
+```
+
+For a network dump instead use:
+
+```sh
+./lemon.ARCH -n TARGET_IP -p TARGET_PORT
+```
+while on the target machine
+```sh
+nc -l -p TARGET_PORT >  memory_by_net.dump
 ```
 
 This generates a `memory.dump` file in LiME format, containing all physical memory pages. Since running eBPF programs typically requires root privileges, LEMON must be executed as `root` or with an appropriate `sudo` configuration.
 
 ## Build
 
-Precompiled static binaries (`static_bins/lemon.x64` and `static_bins/lemon.arm64`) are available in this repository. Analysts can also compile LEMON themselves, either dynamically or statically. The dynamic version requires the presence of `libbpf`, `libz`, `libelf`, and `libzstd` on the target machine, whereas the static version has no external dependencies. Note that the build machine **MUST** have the same CPU architecture as the target.
+Precompiled static binaries are available in this repository (check the Github actions tab). Analysts can also compile LEMON themselves, either dynamically or statically. The dynamic version requires the presence of `libbpf`, `libz`, `libelf`, and `libzstd` on the target machine, whereas the static version has no external dependencies. Note that the build machine **MUST** have the same CPU architecture as the target.
 
 ### Dependencies
 
@@ -36,7 +46,7 @@ Other distributions provide equivalent packages, which at minimum allow compilin
    git clone [email protected]:eurecom-s3/lemon.git && cd lemon
    ```
 
-2. **Generate a valid **``** file:**
+2. **Generate a valid **`vmlinux.h`** file (only for CO-RE builds):**
 
    Copy a valid `vmlinux.h` file into `lemon/` or generate one with:
 
@@ -46,24 +56,45 @@ Other distributions provide equivalent packages, which at minimum allow compilin
 
 3. **Compile:**
 
-   - Dynamic binary:
+   - Dynamic binary (set CORE=0 for non CO-RE binaries):
      ```sh
-     make
+     make CORE=1
      ```
    - Static binary:
      ```sh
-     make static
+     make CORE=1 static
      ```
 
 ## Limitations
 
 - The kernel must support eBPF (obviously!).
 - Kernel lockdown must not be in confidentiality mode (or must allow `bpf_probe_read_kernel()`).
-- Currently, LEMON supports only CO-RE kernels and on-disk memory dumps.
 
 ## TODO
 
-- [ ] Support non CO-RE kernels
-- [ ] Insert checks on kernel versions and ```CONFIG_``` kernel options to extend support
-- [ ] Implement network dump
-- [ ] Support other CPU architectures (x32, ARM32, MIPS, PowerPC, POWER, RISC-V)
+- [X] Support non CO-RE kernels ([this library](https://github.com/eunomia-bpf/bpf-compatible) might help)
+- [X] Insert checks on kernel versions and ```CONFIG_``` kernel options to extend support
+- [X] Implement network dump (TCP)
+- [X] Implement dump with reduced granule if page fail to be read
+- [ ] Support other CPU architectures (x32, ARM32, MIPS, PowerPC, POWER, RISC-V)
+- [ ] Introduce support for kernels that do not have uprobes (by hooking some syscall or intectept egress traffic in read only from TC?)
+- [ ] Use of `_stext` in x64 to bypass missing `CONFIG_KALLSYMS_ALL`
+- [ ] Bruteforce scanning (?) for page containing same data of  `_stext` page in ARM64 to bypass missing `CONFIG_KALLSYMS_ALL`
+- [ ] Implement network dump (UDP)
+
+## Notes
+
+### eBPF cronology
+- Introduction of eBPF: 3.15
+- Introduction of Array maps 3.19
+- Introduction of kProbe/uProbe support 4.1
+- Introduction of tracepoint support (syscalls tracing) 4.7
+- Introduction of XDP 4.8
+- !!! Android 9 support eBPF: 4.9
+- Introduction of BTF 4.18
+- Introduction mmap() support for array maps 5.5
+- !!! Introduction of read_kernel() 5.5 <==== Minimum Lemon target version
+- Introduction of ring_buffer 5.8
+- !!! Android 13 support BTF 5.15
+- Introduction of SYSCALL program type 5.15
+- Introduction of kallsyms() in ebpf 5.16