VYPR
research · Published Feb 25, 2026 · Updated May 20, 2026 · 1 source

Trail of Bits Open-Sources mquire: Linux Memory Forensics Tool That Eliminates Debug Symbol Dependency

Trail of Bits has released mquire, an open-source Linux memory forensics tool that extracts BTF type info and Kallsyms symbol addresses directly from memory dumps, enabling analysis of unknown or custom kernels without external debug symbols.

Trail of Bits has open-sourced mquire, a Linux memory forensics tool that eliminates the long-standing dependency on external debug symbols or kernel profiles. Announced on February 25, 2026, mquire extracts both BTF (BPF Type Format) type information and Kallsyms symbol addresses directly from the memory dump itself, allowing forensic analysts to analyze unknown, custom, or heavily patched kernels without hunting for matching symbol files. This represents a significant shift for incident responders who have historically been blocked when debug symbols were unavailable for a specific kernel build.

Traditional memory forensics tools such as Volatility require debug symbols that match the exact kernel build in the memory dump (Volatility 2 calls these "profiles"; Volatility 3 uses ISF symbol tables). In practice, kernel debug symbols are rarely installed on production systems; they must be fetched from third-party repositories that may not carry the specific kernel version, or generated manually on the original system, which is often inaccessible during incident response. mquire bypasses this workflow by using two sources of information that modern Linux kernels embed in themselves: BTF, which provides structural type definitions and was originally designed for eBPF's CO-RE ("compile once, run everywhere") model, and Kallsyms, the kernel's own table of symbol names and addresses (the same data exposed through /proc/kallsyms on a live system).

To use mquire, the target kernel must meet two requirements: BTF extraction needs a kernel of version 4.18 or newer built with BTF (CONFIG_DEBUG_INFO_BTF), which most modern distributions enable by default, and Kallsyms extraction needs kernel 6.4 or newer, because the in-kernel symbol table format changed in scripts/kallsyms.c at that version. These features have been consistently enabled on major distributions because they are prerequisites for modern BPF tooling. By combining type layouts from BTF with symbol locations from Kallsyms, mquire can find and parse complex kernel data structures such as process lists, memory mappings, open file handles, and page-cached file data.
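To make the "extract BTF from the dump itself" step concrete, the following is an added example, not mquire's code and not a description of its internal heuristics: it scans a raw memory image for the BTF header magic (0xeB9F, version 1), validates the header fields before trusting a hit, and walks the type section to recover struct member byte offsets. The memory image, the struct names and the member layouts are constructed inline by `build_sample_dump` and are illustrative only; a real kernel's `task_struct` and `dentry` have many more members and different offsets. The BTF header, `btf_type` and per-kind trailing-data sizes follow the kernel's documented BTF format.

```python
"""Locate and parse an in-kernel BTF blob inside a raw memory image (added example)."""
import struct

BTF_MAGIC = 0xEB9F
BTF_VERSION = 1
HDR_FMT = "<HBBIIIII"  # magic, version, flags, hdr_len, type_off, type_len, str_off, str_len
HDR_LEN = struct.calcsize(HDR_FMT)  # 24 bytes

# btf_type kinds that carry data after the fixed 12-byte btf_type
KIND_INT, KIND_PTR, KIND_ARRAY, KIND_STRUCT, KIND_UNION, KIND_ENUM = 1, 2, 3, 4, 5, 6
KIND_FUNC_PROTO, KIND_VAR, KIND_DATASEC, KIND_DECL_TAG, KIND_ENUM64 = 13, 14, 15, 17, 19
FIXED_EXTRA = {KIND_INT: 4, KIND_ARRAY: 12, KIND_VAR: 4, KIND_DECL_TAG: 4}
PER_VLEN_EXTRA = {KIND_STRUCT: 12, KIND_UNION: 12, KIND_ENUM: 8,
                  KIND_FUNC_PROTO: 8, KIND_DATASEC: 12, KIND_ENUM64: 12}


def find_btf(dump: bytes) -> int:
    """Return the image offset of the first BTF header whose fields are self-consistent."""
    needle = struct.pack("<HB", BTF_MAGIC, BTF_VERSION)
    pos = dump.find(needle)
    while pos != -1:
        if pos + HDR_LEN <= len(dump):
            _, _, _, hdr_len, type_off, type_len, str_off, str_len = struct.unpack_from(HDR_FMT, dump, pos)
            end = pos + hdr_len + max(type_off + type_len, str_off + str_len)
            # reject magic bytes that merely occur in unrelated data
            if hdr_len == HDR_LEN and type_len and str_len and end <= len(dump):
                return pos
        pos = dump.find(needle, pos + 1)
    raise ValueError("no BTF header found")


def parse_btf(dump: bytes, base: int) -> dict:
    """Walk the type section; return {struct_or_union_name: {member: byte_offset}}."""
    _, _, _, hdr_len, type_off, type_len, str_off, str_len = struct.unpack_from(HDR_FMT, dump, base)
    strs = dump[base + hdr_len + str_off: base + hdr_len + str_off + str_len]

    def name(off: int) -> str:
        return strs[off:strs.index(b"\0", off)].decode()

    layouts = {}
    pos = base + hdr_len + type_off
    end = pos + type_len
    while pos < end:
        name_off, info, _size_or_type = struct.unpack_from("<III", dump, pos)
        vlen, kind, kind_flag = info & 0xFFFF, (info >> 24) & 0x1F, info >> 31
        pos += 12
        if kind in (KIND_STRUCT, KIND_UNION):
            members = {}
            for i in range(vlen):
                m_name, _m_type, m_off = struct.unpack_from("<III", dump, pos + 12 * i)
                # with kind_flag set, the top byte of offset holds a bitfield size
                bit_off = (m_off & 0xFFFFFF) if kind_flag else m_off
                members[name(m_name)] = bit_off // 8
            layouts[name(name_off)] = members
        # skip this type's trailing data so the next btf_type is read at the right place
        pos += FIXED_EXTRA.get(kind, 0) + vlen * PER_VLEN_EXTRA.get(kind, 0)
    return layouts


def recover_layouts(dump: bytes):
    base = find_btf(dump)
    return base, parse_btf(dump, base)


def build_sample_dump() -> bytes:
    """Constructed image: zero pages, a decoy magic with a bogus header, junk, then a tiny BTF blob."""
    strs = bytearray(b"\0")

    def intern(s: str) -> int:
        off = len(strs)
        strs.extend(s.encode() + b"\0")
        return off

    def btf_type(name_off, kind, vlen, size_or_type, kind_flag=0):
        return struct.pack("<III", name_off, (kind_flag << 31) | (kind << 24) | vlen, size_or_type)

    types = bytearray()
    types += btf_type(intern("int"), KIND_INT, 0, 4) + struct.pack("<I", (1 << 24) | 32)  # id 1
    types += btf_type(0, KIND_PTR, 0, 0)                                                   # id 2: void *
    types += btf_type(0, KIND_ARRAY, 0, 0) + struct.pack("<III", 1, 1, 4)                  # id 3: int[4]
    types += btf_type(intern("task_struct"), KIND_STRUCT, 4, 32)                            # id 4 (fake layout)
    for mname, mtype, bit_off in (("pid", 1, 0), ("tgid", 1, 32), ("mm", 2, 64), ("comm", 3, 128)):
        types += struct.pack("<III", intern(mname), mtype, bit_off)
    types += btf_type(intern("pid_type"), KIND_ENUM, 2, 4)                                  # id 5
    for ename, val in (("PIDTYPE_PID", 0), ("PIDTYPE_TGID", 1)):
        types += struct.pack("<II", intern(ename), val)
    types += btf_type(intern("dentry"), KIND_STRUCT, 3, 24, kind_flag=1)                    # id 6 (fake layout)
    for mname, mtype, bit_off in (("d_parent", 2, 0), ("d_name", 2, 64), ("d_inode", 2, 128)):
        types += struct.pack("<III", intern(mname), mtype, bit_off)

    hdr = struct.pack(HDR_FMT, BTF_MAGIC, BTF_VERSION, 0, HDR_LEN, 0, len(types), len(types), len(strs))
    decoy = struct.pack("<HB", BTF_MAGIC, BTF_VERSION) + b"\xff" * 21  # hdr_len is garbage: must be skipped
    return b"\0" * 4096 + decoy + b"junk-page-data" * 16 + hdr + bytes(types) + bytes(strs) + b"\0" * 512


if __name__ == "__main__":
    image = build_sample_dump()
    base, layouts = recover_layouts(image)
    print(f"BTF header at image offset {base:#x}")
    for sname, members in layouts.items():
        print(sname, members)
```

The validation in `find_btf` matters on real images: the two magic bytes are short enough to appear by chance, so a hit is only accepted when `hdr_len` is the expected 24 and the type and string sections fit inside the image. Once the layouts are known, a `task_struct` found by other means can be decoded field by field without any external symbol file.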

After initialization, mquire exposes an interactive SQL interface modeled on osquery. Users can run one-off queries from the command line or explore interactively, writing relational queries across the different data sources. For example, an analyst can join the process table with open file handles in a single query, or list every process that currently holds a SQLite database open. Because mquire reconstructs complete file paths from kernel dentry objects and links them to the owning process, one query yields context that takes several separate commands in traditional tools.

Currently, mquire provides a comprehensive set of tables including os_version, system_info, tasks (running processes with PIDs, command lines, and binary paths), task_open_files (open files organized by process), memory_mappings, boot_time, dmesg (kernel ring buffer messages), kallsyms (kernel symbol addresses), kernel_modules, network_connections, and network_interfaces. The tool supports memory dump formats such as LiME and raw dumps, and is available on GitHub under an open-source license.
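The two paragraphs above describe the relational workflow but not a schema. The following is an added example, not mquire's code or its real table definitions: it builds an in-memory SQLite database with assumed, osquery-style tables (`tasks`, `task_open_files`, and a `dentries` table modeling the kernel's parent-linked dentry chain), reconstructs full paths with a recursive CTE, and joins the result to processes. All rows are constructed sample data; the column names are assumptions chosen for illustration.

```python
"""osquery-style joins over reconstructed dentry paths (added example, assumed schema)."""
import sqlite3

SCHEMA = """
CREATE TABLE tasks (pid INTEGER PRIMARY KEY, ppid INTEGER, comm TEXT, exe_path TEXT);
CREATE TABLE dentries (addr INTEGER PRIMARY KEY, parent INTEGER, name TEXT);
CREATE TABLE task_open_files (pid INTEGER, fd INTEGER, dentry INTEGER);
"""

# constructed sample rows; dentry addresses are placeholders, not real kernel pointers
SAMPLE_TASKS = [(1, 0, "systemd", "/usr/lib/systemd/systemd"),
                (742, 1, "sshd", "/usr/sbin/sshd"),
                (1337, 742, "bash", "/usr/bin/bash"),
                (2048, 1, "firefox", "/usr/lib/firefox/firefox"),
                (3117, 1337, "python3", "/usr/bin/python3")]
# the root dentry's parent points at itself, as it does in the kernel
SAMPLE_DENTRIES = [(0x10, 0x10, "/"), (0x20, 0x10, "home"), (0x30, 0x20, "alice"),
                   (0x40, 0x30, ".mozilla"), (0x50, 0x40, "places.sqlite"),
                   (0x60, 0x30, "notes.db"), (0x70, 0x10, "etc"), (0x80, 0x70, "passwd"),
                   (0x90, 0x10, "tmp"), (0xA0, 0x90, ".x.db")]
SAMPLE_OPEN_FILES = [(2048, 17, 0x50), (3117, 3, 0x60), (1337, 4, 0x80), (3117, 5, 0xA0), (742, 6, 0x80)]

# Walk each dentry up to the root and concatenate names into an absolute path.
PATH_CTE = """
WITH RECURSIVE path(addr, full_path) AS (
    SELECT addr, '' FROM dentries WHERE addr = parent
    UNION ALL
    SELECT d.addr, p.full_path || '/' || d.name
    FROM dentries d JOIN path p ON d.parent = p.addr
    WHERE d.addr != d.parent
)
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO tasks VALUES (?,?,?,?)", SAMPLE_TASKS)
    con.executemany("INSERT INTO dentries VALUES (?,?,?)", SAMPLE_DENTRIES)
    con.executemany("INSERT INTO task_open_files VALUES (?,?,?)", SAMPLE_OPEN_FILES)
    return con


def processes_with_sqlite_open(con: sqlite3.Connection) -> list:
    """(pid, comm, fd, path) for every descriptor whose reconstructed path looks like a SQLite file."""
    return con.execute(PATH_CTE + """
        SELECT t.pid, t.comm, f.fd, p.full_path
        FROM task_open_files f
        JOIN path p ON p.addr = f.dentry
        JOIN tasks t ON t.pid = f.pid
        WHERE p.full_path LIKE '%.db' OR p.full_path LIKE '%.sqlite'
        ORDER BY t.pid, f.fd
    """).fetchall()


def who_has_open(con: sqlite3.Connection, full_path: str) -> list:
    """(pid, comm, parent comm) for each process holding the given path; the parent is a second self-join."""
    return con.execute(PATH_CTE + """
        SELECT t.pid, t.comm, parent.comm
        FROM task_open_files f
        JOIN path p ON p.addr = f.dentry
        JOIN tasks t ON t.pid = f.pid
        LEFT JOIN tasks parent ON parent.pid = t.ppid
        WHERE p.full_path = ?
        ORDER BY t.pid
    """, (full_path,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    for row in processes_with_sqlite_open(db):
        print("sqlite open:", row)
    for row in who_has_open(db, "/etc/passwd"):
        print("/etc/passwd held by:", row)
```

The recursive CTE stops at the root because the root dentry is the only one whose parent is itself; a malformed chain (a dentry whose parent address is missing from the table) simply produces no path row, so the join drops that descriptor rather than looping. Matching SQLite files by name suffix is a convenience for the example; with page-cached file contents available, the more robust check is the 16-byte "SQLite format 3\0" header at offset 0.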

For forensic analysts and incident responders, mquire makes memory analysis possible in cases where traditional tools are blocked by missing symbols. By removing the need to hunt for symbol files or generate profiles, it cuts the time and friction of investigating compromised Linux systems. The tool is particularly valuable when the target runs a custom or heavily patched kernel, or when the original system is no longer available for profile generation. As Linux continues to dominate server, cloud, and embedded environments, tools like mquire that lower the barrier to effective memory forensics are increasingly important for security operations.

Synthesized by Vypr AI