hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md

5.6 KiB
Raw Blame History

macOS Memory Dumping

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Memory Artifacts

Swap Files

  • /private/var/vm/swapfile0: This file is used as a cache when physical memory fills up. Data in physical memory will be pushed to the swapfile and then swapped back into physical memory if its needed again. More than one file can exist in here. For example, you might see swapfile0, swapfile1, and so on.

  • /private/var/vm/sleepimage: When OS X goes into hibernation, data stored in memory is put into the sleepimage file. When the user comes back and wakes the computer, memory is restored from the sleepimage and the user can pick up where they left off.

    By default in modern MacOS systems this file will be encrypted, so it might be not recuperable.

    • However, the encryption of this file might be disabled. Check the out of sysctl vm.swapusage.

Dumping memory with osxpmem

In order to dump the memory in a MacOS machine you can use osxpmem.

Note: The following instructions will only work for Macs with Intel architecture. This tool is now archived and the last release was in 2017. The binary downloaded using the instructions below targets Intel chips as Apple Silicon wasn't around in 2017. It may be possible to compile the binary for arm64 architecture but you'll have to try for yourself.

#Dump raw format
sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem

#Dump aff4 format
sudo osxpmem.app/osxpmem -o /tmp/dump_mem.aff4

If you find this error: osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8) You can fix it doing:

sudo cp -r osxpmem.app/MacPmem.kext "/tmp/"
sudo kextutil "/tmp/MacPmem.kext"
#Allow the kext in "Security & Privacy --> General"
sudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem

Other errors might be fixed by allowing the load of the kext in "Security & Privacy --> General", just allow it.

You can also use this oneliner to download the application, load the kext and dump the memory:

{% code overflow="wrap" %}

sudo su
cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem

{% endcode %}

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥