
microsoft/avml

Description: AVML - Acquire Volatile Memory for Linux

Language: Rust

License: MIT

Stars: 1098

Forks: 90

Open issues: 3

Created: 2019-06-06T23:01:51Z

Pushed: 2026-06-19T03:23:28Z

Default branch: main

Fork: no

Archived: no

README:

AVML (Acquire Volatile Memory for Linux)

Summary

*A portable volatile memory acquisition tool for Linux.*

AVML is an x86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary. AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.

Features

  • Save recorded images to external locations via Azure Blob Store or HTTP PUT
  • Azure Blob Storage uploads retry transient failures via the Azure SDK's default exponential backoff policy (8 attempts, capped at one minute total elapsed).
  • Optional page level compression using Snappy.
  • Uses LiME output format (when not using compression).
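Because AVML's uncompressed output is plain LiME, a collector can sanity-check an image before handing it to an analysis tool. The following is an added example, not AVML's own code: it assumes the standard 32-byte LiME v1 range header and walks a constructed two-range sample image, rejecting truncated or corrupted files instead of silently accepting a partial listing.

```rust
// Added illustration (not AVML's own code): walk the LiME v1 range headers of an
// uncompressed image (AVML's output without --compress). Standard LiME header, 32
// bytes LE: u32 magic 0x4C694D45, u32 version 1, u64 start, u64 end (inclusive),
// 8 reserved bytes; then end - start + 1 bytes of memory. Sample image is constructed.
const LIME_MAGIC: u32 = 0x4C69_4D45;
const HDR: usize = 32;

#[derive(Debug, PartialEq)]
pub struct Segment { pub start: u64, pub end: u64, pub data_off: usize }

fn le32(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }
fn le64(b: &[u8]) -> u64 { u64::from_le_bytes([b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7]]) }

/// Validate magic/version/bounds of every range; a truncated or corrupted
/// file returns Err rather than a partial, silently-accepted listing.
pub fn parse_lime(img: &[u8]) -> Result<Vec<Segment>, String> {
    let (mut segs, mut pos) = (Vec::new(), 0usize);
    while pos < img.len() {
        let h = img.get(pos..pos + HDR).ok_or(format!("truncated header at {pos}"))?;
        if le32(&h[0..4]) != LIME_MAGIC { return Err(format!("bad magic at {pos}")); }
        let ver = le32(&h[4..8]);
        if ver != 1 { return Err(format!("unsupported LiME version {ver} at {pos}")); }
        let (start, end) = (le64(&h[8..16]), le64(&h[16..24]));
        if end < start { return Err(format!("end < start at {pos}")); }
        let len = (end - start).checked_add(1).and_then(|n| usize::try_from(n).ok())
            .ok_or(format!("range {start:#x}-{end:#x} too large"))?;
        let data_off = pos + HDR;
        let next = data_off.checked_add(len).filter(|&n| n <= img.len())
            .ok_or(format!("segment {start:#x}-{end:#x} is truncated"))?;
        segs.push(Segment { start, end, data_off });
        pos = next;
    }
    Ok(segs)
}
/// Total bytes of physical memory the image claims to hold.
pub fn captured_bytes(segs: &[Segment]) -> u64 { segs.iter().map(|s| s.end - s.start + 1).sum() }

/// Constructed two-range sample: 16 bytes at 0x1000, 8 bytes at 0x3000.
pub fn sample_image() -> Vec<u8> {
    let mut img = Vec::new();
    for (start, data) in [(0x1000u64, vec![0xAAu8; 16]), (0x3000, vec![0xBB; 8])] {
        img.extend_from_slice(&LIME_MAGIC.to_le_bytes());
        img.extend_from_slice(&1u32.to_le_bytes());
        img.extend_from_slice(&start.to_le_bytes());
        img.extend_from_slice(&(start + data.len() as u64 - 1).to_le_bytes());
        img.extend_from_slice(&[0u8; 8]);
        img.extend_from_slice(&data);
    }
    img
}
```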

Memory Sources

  • /dev/crash
  • /proc/kcore
  • /dev/mem

If the memory source is not specified on the commandline, AVML will iterate over the memory sources to find a functional source.

> NOTE: If the kernel feature kernel_lockdown is enabled, AVML will not be able to acquire memory.

Tested Distributions

  • Ubuntu: 12.04, 14.04, 16.04, 18.04, 18.10, 19.04, 19.10, 20.04, 21.04, 22.04
  • Centos: 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.9
  • RHEL: 6.7, 6.8, 6.9, 7.0, 7.2, 7.3, 7.4, 7.5, 7.7, 8.5, 9.0
  • Debian: 8, 9, 10, 11, 12
  • Oracle Linux: 6.8, 6.9, 6.10, 7.3, 7.4, 7.5, 7.6, 7.9, 8.5, 9.0
  • CBL-Mariner: 1.0, 2.0

Subcommands

avml is a single binary with subcommands. Each subcommand is gated by a Cargo feature so a minimal build only includes the capability you need:

| Subcommand | Feature  | Default | What it does                                                |
|------------|----------|---------|-------------------------------------------------------------|
| acquire    | (always) | yes     | Snapshot memory to a local file (optional upload after).    |
| convert    | convert  | yes     | Convert between AVML / LiME / raw formats.                  |
| upload     | upload   | yes     | Upload a local file via HTTP PUT or to Azure Block Blob.    |
| stream     | stream   | yes     | Stream a snapshot directly to a destination, no local file. |

Build a minimal acquire-only binary with cargo build --release --no-default-features.

Getting Started

Capturing a compressed memory image

On the target host:

avml acquire --compress output.lime.compressed

Capturing an uncompressed memory image

On the target host:

avml acquire output.lime

Capturing a memory image & uploading to Azure Blob Store

On a secure host with az cli credentials, generate a SAS URL.

EXPIRY=$(date -d '1 day' '+%Y-%m-%dT%H:%MZ')
SAS_URL=$(az storage blob generate-sas --account-name ACCOUNT --container-name CONTAINER --name test.lime --full-uri --permissions c --output tsv --expiry ${EXPIRY})

On the target host, execute avml with the generated SAS token.

avml acquire --sas-url ${SAS_URL} --delete output.lime

Streaming a memory image without writing to local disk

For hosts where writing the snapshot to a local file first is undesirable (read-only root, limited disk, forensic chain-of-custody concerns), use the stream subcommand. It picks the memory source once up front (same preference order as acquire's /dev/stdout path — /proc/kcore, then /dev/crash, then /dev/mem; pass --source to override) and writes bytes sequentially to the chosen destination. The source cannot be changed mid-stream, so there is no automatic source fallback.

To Azure Block Blob Storage

avml stream blob ${SAS_URL}

  • The block size is derived automatically so the snapshot fits within Azure's per-blob 50,000-block limit. --sas-block-size (MiB) acts as a *floor*; if the derived minimum is larger, the larger value wins.
  • --sas-block-concurrency caps the number of in-flight stage_block calls. Peak RAM is approximately (concurrency + 1) * block_size.
  • If the snapshot fails mid-upload, staged blocks are abandoned without being committed; Azure discards them automatically per its standard policy.

To a remote TCP listener

On the collector host:

nc -l 9000 > snapshot.lime

On the target host:

avml stream tcp collector.example.com:9000

avml connects once and writes the snapshot sequentially. If the connection drops mid-stream, the snapshot aborts; there is no resume. No TLS — pair with an SSH tunnel or stunnel for confidentiality and integrity if needed.

Uploading a previously-captured snapshot

avml upload put ./output.lime ${URL} # HTTP PUT
avml upload blob ./output.lime ${SAS_URL} # Azure Block Blob

Capturing a memory image of an Azure VM using VM Extensions

On a secure host with az cli credentials, do the following:

1. Generate a SAS URL (see above)
2. Create config.json containing the following information:

{
    "commandToExecute": "./avml acquire --compress --sas-url SAS_URL --delete",
    "fileUris": ["https://FULL.URL.TO.AVML.example.com/avml"]
}

3. Execute the customScript extension with the specified config.json

az vm extension set -g RESOURCE_GROUP --vm-name VM_NAME --publisher Microsoft.Azure.Extensions -n customScript --settings config.json

To upload to AWS S3 or GCP Cloud Storage

On a secure host, generate an S3 pre-signed URL or a GCP pre-signed URL.

On the target host, execute avml with the generated pre-signed URL.

avml acquire --url ${URL} --delete output.lime

To decompress an AVML-compressed image

avml convert ./compressed.lime ./uncompressed.lime

To compress an uncompressed LiME image

avml convert --source-format lime --format lime_compressed ./uncompressed.lime ./compressed.lime

Usage

A portable volatile memory acquisition tool for Linux

Usage: avml

Commands:
acquire Acquire a memory snapshot to a local file...

