VolaFox - Mac OS X Memory Analysis Toolkit
VolaFox is a Python-based Mac OS X memory analysis toolkit.
Requirements:
- Kernel Symbol List
- overlay data(Included repo from Snow Leopard to El Capitan)
- Memory Image
- Raw memory image(Firewire, VMware memory image)
- Exported raw memory image using rekal developed by Google
- command : rekal aff4export -D . [AFF4 IMAGE] => output filename : Physical Memory
- Flatten Mac Memory Reader Format using flatten.py(32bit, 64bit) => MMR doesn't support OS X Mountain Lion above now.
Usage:
python vol.py -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID]
[-x SYMFILENAME]]
Options:
-o CMD : Print kernel information for CMD (below)
-p PID : List open files for PID (where CMD is "lsof" and dumpfile)
-v : Print all files, including unsupported types (where CMD is "lsof")
-x PID/KID/TASKID/SYMBOLNAME/Virtual ADDRESS :
Dump process/task/kernel extension address space for PID/KID/Task ID
(where CMD is "ps"/"kextstat"/"tasks"/"machdump"/"dumpsym"/"dumpfile")
COMMANDS:
system_profiler : Kernel version, CPU, and memory spec, Boot/Sleep/Wakeup time
mount : Mounted filesystems
kextstat : KEXT (Kernel Extensions) listing
kextscan : Scanning KEXT (Kernel Extensions) (64bit OS only)
ps : Process listing
tasks : Task listing (Finding process hiding)
machdump : Dump macho binary and relocation for analysis
systab : Syscall table (Hooking detection)
=> Call Number 427 is bugged not hooked.
mtt : Mach trap table (Hooking detection)
netstat : Network socket listing (Hash table)
lsof : Open files listing by process (research, osxmem@gmail.com)
dumpfile : Dump a file on Memory (Required -p and -x option)
pestate : Show Boot information
efiinfo : EFI System Table, EFI Runtime Services
keychaindump : Dump master key candidates for decrypting keychain(Lion ~ El Capitan)
dmesg : Debug message at boot time
uname : Print a short for unix name(uname)
hostname : Print a hostname
notifiers : Detects I/O Kit function hooking
trustedbsd : Show TrustedBSD MAC Framework
bash_history : Show history in bash process
sysctl : show the result like sysctl command
dumpsym : Dump kernel symbol address considered of KASLR to file (for RCE)
Kernel Rootkit Detection: (testing code by n0fate) - Required Library : distorm3
kdebug_hook : Examination of the KDebug function code for mal-code detection
kauth_hook : Examination of the KAUTH for mal-code hiding detection from Anti-virus
bsm_hook : Examination of auto_commit function on the OpenBSM
fbt_syscall : Examination of syscall table for hooking by DTrace FBT Provider
You might also like:
- Matriux - A Debian Based Penetration Testing Distribution
- Bluelog - A Highly Configurable Linux Bluetooth Scanner
- HTTrack Website Copier - A Free Website Mirroring Tool
- HookME - Tool For Intercepting Communications with API Hooking
- 360-FAAR - An Open-source Firewall Analysis and Configuration Tool
- Binwalk - Firmware Analysis Tool
- Hackersh (Hacker Shell) - An Open Source Command-line Shell For Security Testing
- Chrome Download Unblocker - Tool For Quickly Disabling File Download Blocking In Google Chrome
- Capsa - Tool For Analyzing Network Traffic
- SSLyze - Tool For Analysing SSL/TLS Configurations
- DEFCON: World's Largest Hacking Conference (Documentary Film)
from Effect Hacking full article here