MemForge

MemForge is a Linux memory acquisition tool focused on creating dump artifacts.

Maintainer	Cuma KURT — cumakurt@gmail.com
Source	github.com/cumakurt/memforge

What it does

• memforge dump — Captures memory and writes a dump artifact plus a sidecar .memforge.json manifest with metadata (hash, host, kernel, method, size).
  • Default mode is physical and writes uncompressed raw linear memory.
  • Use --compress for .zst output.
  • Use --type process --pid <PID> for process dumps.
  • Output can be a file path or a target directory (-o).
• memforge doctor — Quick host capability check for physical acquisition (/dev/mem and memforge_kac readiness).
• memforge kac — Helper commands for bundled memforge-kac kernel module.

Install

Standard install (/usr/local/bin/memforge)

git clone https://github.com/cumakurt/memforge.git && cd memforge
chmod +x install.sh && sudo ./install.sh

By default this installs to /usr/local, builds the release binary, and builds memforge-kac unless INSTALL_MEMFORGE_KAC=0 is set.

Static standalone binary (single file in project root)

git clone https://github.com/cumakurt/memforge.git && cd memforge
chmod +x install_static.sh && ./install_static.sh

This produces a static binary in the repository root:

• ./memforge-static (default)

Optional:

OUT_NAME=memforge ./install_static.sh
TARGET_TRIPLE=x86_64-unknown-linux-musl ./install_static.sh
SKIP_PACKAGE_INSTALL=1 ./install_static.sh

Kernel module (memforge-kac) in detail

memforge-kac is an out-of-tree Linux kernel module bundled in memforge-kac/. It exists to provide a fallback acquisition path when user-space /dev/mem access is restricted by kernel hardening (commonly STRICT_DEVMEM/related policies).

Why this module is needed

On many modern Linux systems, reading full physical RAM via /dev/mem is limited. Typical behavior is:

• very low ranges may be readable,
• then reads fail with Permission denied, or
• resulting artifact is incomplete.

MemForge uses this strategy:

• try /dev/mem first (default physical path),
• if that cannot read full memory, use memforge-kac fallback (when available).

Without the module, full physical dumps may be impossible on hardened kernels.

When you need it

You should build/load memforge-kac when:

• memforge doctor reports /dev/mem limitations,
• physical dump fails early with access errors,
• you need reliable full physical acquisition on production kernels.

You may skip it when:

• /dev/mem works for your environment and use case,
• you only do process dumps (--type process),
• you intentionally avoid kernel module loading.

Security and privilege notes

• Building/loading a kernel module requires root privileges.
• The module runs in kernel space; treat it as sensitive code.
• Only use on systems where you are authorized to perform memory acquisition.
• Keep kernel headers matching your running kernel (uname -r).

Automatic module build (recommended)

Both installers support automatic dependency detection and module build:

• ./install.sh (standard install)
• ./install_static.sh (static standalone build)

Default behavior is to build memforge-kac. To skip module build explicitly:

INSTALL_MEMFORGE_KAC=0 ./install.sh
INSTALL_MEMFORGE_KAC=0 ./install_static.sh

Manual module build and load (step-by-step)

If you want full manual control:

1. Install matching kernel headers for the running kernel

uname -r
# install headers/devel package matching this exact kernel release

Examples by distribution:

# Debian / Ubuntu / Kali
sudo apt-get update
sudo apt-get install -y "linux-headers-$(uname -r)"

# Fedora
sudo dnf install -y kernel-devel kernel-headers

# RHEL / Rocky / Alma / CentOS
sudo dnf install -y kernel-devel kernel-headers
# or (older systems)
sudo yum install -y kernel-devel kernel-headers

# Arch / Manjaro
sudo pacman -Sy --needed linux-headers

# openSUSE / SLES
sudo zypper --non-interactive install -y kernel-default-devel kernel-devel
# fallback:
sudo zypper --non-interactive install -y kernel-devel

# Alpine
sudo apk add --no-cache linux-headers

2. Build module

cd memforge-kac
make

Expected output artifact:

• memforge-kac/memforge_kac.ko

3. Load module

sudo insmod ./memforge_kac.ko

Alternative (if installed under module tree):

sudo modprobe memforge_kac

4. Verify module is active

lsmod | grep memforge_kac
test -e /proc/memforge_kac/control && echo "control interface ready"

5. Optional unload

sudo rmmod memforge_kac

Troubleshooting

• No such file or directory on module load:
  • module was built for a different kernel version than uname -r.
• Invalid module format:
  • kernel ABI/version mismatch; rebuild with matching headers.
• Operation not permitted:
  • root privileges or module loading policy restrictions (e.g. secure boot lockdown).
• build fails in make -C /lib/modules/.../build:
  • kernel headers/devel package is missing or mismatched.

Practical recommendation

For most users, keep default installer behavior (build module automatically), run memforge doctor, then use:

memforge dump --type physical --physical-backend auto

This gives best effort /dev/mem first and reliable fallback through memforge-kac.

Common commands

memforge dump
memforge dump -o /path/to/dir/
memforge dump -o /path/file.zst
memforge dump --type process --pid 1234 -o ./proc1234.zst
memforge doctor
memforge kac status

Use memforge <subcommand> --help for options.

Environment (optional)

RUST_LOG, MEMFORGE_CONFIG_DIR, MEMFORGE_PREFIX, MEMFORGE_KAC_KO, MEMFORGE_AUTOLOAD_KAC

Legal

Use only for authorized security work, forensics, and legitimate administration.

License

AGPL-3.0-only — see LICENSE.

Links

Issues · SECURITY.md · CHANGELOG.md