From 1a216ec66ac421ea44582f8a04b2f3707140279b Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 5 Jul 2021 10:17:10 +0000 Subject: [PATCH] GitBook: [master] one page modified --- linux-unix/privilege-escalation/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/linux-unix/privilege-escalation/README.md b/linux-unix/privilege-escalation/README.md index a248e6af1..60760b354 100644 --- a/linux-unix/privilege-escalation/README.md +++ b/linux-unix/privilege-escalation/README.md @@ -286,6 +286,22 @@ Typically, `/dev/mem` is only readable by **root** and **kmem** group. strings /dev/mem -n10 | grep -i PASS ``` +#### osxpmem + +In order to dump the memory in a MacOS machine you can use [**osxpmem**](https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip). + +```bash +sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem +``` + +If you find this error: `osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8)` You can fix it doing: + +```bash +sudo cp -r osxpmem.app/MacPmem.kext "/tmp/" +sudo kextutil "/tmp/MacPmem.kext" +sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem +``` + #### Tools To dump a process memory you could use:
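Review bot: the workaround for the `MacPmem.kext failed to load ... (file ownership/permissions)` error should say why it works, otherwise readers will apply it blindly: the error is about ownership and permissions of the kext bundle, and `sudo cp -r osxpmem.app/MacPmem.kext "/tmp/"` (without `-p`) creates a copy owned by root with root-owned contents, which is what lets `sudo kextutil "/tmp/MacPmem.kext"` load it. A one-line explanation before the second `bash` block would make that clear. Two wording points in the same hunk: "You can fix it doing:" should read "You can fix it by doing:", and "a MacOS machine" should be "a macOS machine" to match Apple's spelling. Also consider noting that the `osxpmem` link is pinned to the rekall v1.5.1 release asset, so readers know it is a fixed version rather than the latest build.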