{"id":21940626,"url":"https://github.com/vobst/bpfvol3","last_synced_at":"2025-10-09T21:32:12.641Z","repository":{"id":167815783,"uuid":"611614523","full_name":"vobst/BPFVol3","owner":"vobst","description":"Linux BPF plugins for Volatility3","archived":false,"fork":false,"pushed_at":"2024-01-19T18:34:21.000Z","size":18125,"stargazers_count":10,"open_issues_count":8,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-03T09:03:50.570Z","etag":null,"topics":["bpf","ebpf","forensics","forensics-tools","memory-forensics","plugin","volatility","volatility3"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vobst.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-09T07:26:38.000Z","updated_at":"2024-11-09T03:21:01.000Z","dependencies_parsed_at":null,"dependency_job_id":"f017e506-7c70-43ae-bbd6-697e4ba299bd","html_url":"https://github.com/vobst/BPFVol3","commit_stats":null,"previous_names":["vobst/bpfvol3"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/vobst/BPFVol3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vobst%2FBPFVol3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vobst%2FBPFVol3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vobst%2FBPFVol3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vobst%2FBPFVol3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/vobst","download_url":"https://codeload.github.com/vobst/BPFVol3/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vobst%2FBPFVol3/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002051,"owners_count":26083286,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","ebpf","forensics","forensics-tools","memory-forensics","plugin","volatility","volatility3"],"created_at":"2024-11-29T02:34:14.497Z","updated_at":"2025-10-09T21:32:12.274Z","avatar_url":"https://github.com/vobst.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BPFVol3\n\n\u003cimg src=\"https://user-images.githubusercontent.com/89150207/224386992-f97755d1-ccf0-474d-bcd7-6d7f247d9103.jpeg\" width=40% height=40%\u003e\n\n## Description\n\nBPFVol3 is a set of [Volatility3](https://github.com/volatilityfoundation/volatility3) plugins for analyzing the [Linux BPF](https://docs.kernel.org/bpf/index.html) subsystem.\n\nDisclaimer: This project is in an __alpha__ state. In particular, it has not been tested in real-world scenarios or reviewed by forensic experts. 
Do __not__ use it in real-world investigations.\n\n## Requirements\n\n- [Docker](https://docs.docker.com/engine/install/)\n\n## Installation\n\n### Using the plugin with Docker (recommended)\n\n1. Clone this repository\n\n```\ngit clone https://github.com/vobst/BPFVol3\ncd BPFVol3\n```\n\n2. Build the analysis container\n\n```\n./vol.sh --build\n```\n\n2. Alternatively: pull the latest image from the GitHub Container Registry\n\n```\n./vol.sh --pull\n```\n\n### Using the plugin with an existing Volatility3 installation\n\nWhen using this method, it is recommended to stick to the __same__ release of Volatility3 as the Docker container, see `VOL_VER` in `vol.sh` for the currently supported release.\n\nNote: Set `VOLHOME` to the root of your Volatility3 installation\n\n1. Clone this repository\n\n```\ngit clone https://github.com/vobst/BPFVol3\ncd BPFVol3\n```\n\n2. Copy the files under `src/plugins` to a place where Volatility can find them, e.g., `${VOLHOME}/volatility3/plugins/linux`, or make use of the `--plugin-dirs` command line option when running `vol.py`\n\n3. Create the directory `${VOLHOME}/volatility3/utility/` and copy the contents of `src/utility` into it\n\n4. `git apply` the patch in `src/patches`\n\n## Getting Started\n\nWe assume that you have some memory image that you want to analyze. If not, check out the `docs/examples` folder.\n\nNote: Commands prefixed with `$` or `#` are executed on the host or in the analysis container, respectively.\n\n1. Place the image in `io/dumps`. You can now read the banner using\n\n```\n$ ./vol.sh --run\n# ./vol.py -f /io/dumps/\u003cname_of_dump\u003e banners.Banners\n```\n\n2. Obtain the ISF file for the kernel in the dump and place it in `io/symbols`\n\n2. Alternatively: Download the debug package for the kernel in the dump, copy the debug kernel and its `System.map` into the `io/kernels` folder. You can now generate the ISF file yourself\n\n
```\n$ ./scripts/prepare_kernel.sh \u003cpath/to/kernel\u003e \u003cpath/to/System.map\u003e --symbols\n```\n\n3. Start the container and run some plugin\n\n```\n$ ./vol.sh --run\n# ./vol.py -f /io/dumps/\u003cname_of_dump\u003e linux.bpf_graph\n```\n\n## Documentation\n\n- User manuals for the different plugins can be found in the `docs/` folder\n- Case studies (including memory dumps and symbol files) can be found in the `docs/examples` folder\n- There is a post about this project on [my blog](https://blog.eb9f.de/2023/12/21/bpf_memory_forensics_with_volatility_3.html)\n- Below you can get an overview of the project\n\n```\n.\n├── Dockerfile\n├── docs\n│   ├── bpf_graph.md\n│   ├── bpf_listlinks.md\n│   ├── bpf_listmaps.md\n│   ├── bpf_listprocs.md\n│   ├── bpf_listprogs.md\n│   ├── bpf_lsm.md\n│   ├── bpf_netdev.md\n│   ├── examples\n│   │   └── krie\n│   │       └── krie.md\n│   └── media\n│       ├── alpha_logo.jpeg\n│       ├── krie-3410c66d-26be0e1ef560.elf.png\n│       └── krie-3410c66d-26be0e1ef560_filtered.png\n├── io\n│   ├── cache\n│   ├── dumps\n│   ├── kernels\n│   ├── output\n│   └── symbols\n├── LICENSE.md\n├── pyproject.toml\n├── README.md\n├── scripts\n│   ├── bashrc\n│   ├── container_init\n│   ├── fix_symbols.sh\n│   ├── gen_symbols.sh\n│   └── pack_dump.sh\n├── src\n│   ├── patches\n│   │   ├── v2.4.2.patch\n│   │   └── v2.5.0.patch\n│   ├── plugins\n│   │   ├── bpf_graph.py\n│   │   ├── bpf_listlinks.py\n│   │   ├── bpf_listmaps.py\n│   │   ├── bpf_listprocs.py\n│   │   ├── bpf_listprogs.py\n│   │   ├── bpf_lsm.py\n│   │   ├── bpf_netdev.py\n│   │   └── ifconfig.py\n│   └── utility\n│       ├── btf.py\n│       ├── datastructures.py\n│       ├── enums.py\n│       ├── helpers.py\n│       ├── link.py\n│       ├── map.py\n│       └── prog.py\n└── vol.sh\n```\n\n
## Contributing\n\nBug reports, feature requests and contributions are all highly welcome :)\n\nPlease use the standard GitHub issue/pull request workflow.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvobst%2Fbpfvol3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvobst%2Fbpfvol3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvobst%2Fbpfvol3/lists"}