5.1 KiB
macOS Memory Dumping
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Memory Artifacts
Swap Files
Swap files, such as /private/var/vm/swapfile0
, serve as caches when the physical memory is full. When there's no more room in physical memory, its data is transferred to a swap file and then brought back to physical memory as needed. Multiple swap files might be present, with names like swapfile0, swapfile1, and so on.
Hibernate Image
The file located at /private/var/vm/sleepimage
is crucial during hibernation mode. Data from memory is stored in this file when OS X hibernates. Upon waking the computer, the system retrieves memory data from this file, allowing the user to continue where they left off.
It's worth noting that on modern MacOS systems, this file is typically encrypted for security reasons, making recovery difficult.
- To check if encryption is enabled for the sleepimage, the command
sysctl vm.swapusage
can be run. This will show if the file is encrypted.
Memory Pressure Logs
Another important memory-related file in MacOS systems is the memory pressure log. These logs are located in /var/log
and contain detailed information about the system's memory usage and pressure events. They can be particularly useful for diagnosing memory-related issues or understanding how the system manages memory over time.
Dumping memory with osxpmem
In order to dump the memory in a MacOS machine you can use osxpmem.
Note: The following instructions will only work for Macs with Intel architecture. This tool is now archived and the last release was in 2017. The binary downloaded using the instructions below targets Intel chips as Apple Silicon wasn't around in 2017. It may be possible to compile the binary for arm64 architecture but you'll have to try for yourself.
#Dump raw format
sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
#Dump aff4 format
sudo osxpmem.app/osxpmem -o /tmp/dump_mem.aff4
If you find this error: osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8)
You can fix it doing:
sudo cp -r osxpmem.app/MacPmem.kext "/tmp/"
sudo kextutil "/tmp/MacPmem.kext"
#Allow the kext in "Security & Privacy --> General"
sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
Other errors might be fixed by allowing the load of the kext in "Security & Privacy --> General", just allow it.
You can also use this oneliner to download the application, load the kext and dump the memory:
{% code overflow="wrap" %}
sudo su
cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
{% endcode %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.