Tools for MAC OS X memory dumping/analysis…

Notes on MAC OS X memory dumping and analysis…

https://github.com/google/rekall/releases/tag/v1.5.1

MacBook-Pro:Downloads root# unzip osxpmem-2.1.post4.zip
Archive:  osxpmem-2.1.post4.zip
   creating: osxpmem.app/
   creating: osxpmem.app/libs/
  inflating: osxpmem.app/libs/libaff4.0.dylib
  inflating: osxpmem.app/libs/libcrypto.1.0.0.dylib
  inflating: osxpmem.app/libs/libcurl.4.dylib
  inflating: osxpmem.app/libs/libglog.0.dylib
  inflating: osxpmem.app/libs/libiconv.2.dylib
  inflating: osxpmem.app/libs/liblzma.5.dylib
  inflating: osxpmem.app/libs/libpcre++.0.dylib
  inflating: osxpmem.app/libs/libpcre.1.dylib
  inflating: osxpmem.app/libs/libraptor2.0.dylib
  inflating: osxpmem.app/libs/libsnappy.1.dylib
  inflating: osxpmem.app/libs/libssl.1.0.0.dylib
  inflating: osxpmem.app/libs/liburiparser.1.dylib
  inflating: osxpmem.app/libs/libuuid.16.dylib
  inflating: osxpmem.app/libs/libxml2.2.dylib
  inflating: osxpmem.app/libs/libxslt.1.dylib
  inflating: osxpmem.app/libs/libz.1.2.8.dylib
   creating: osxpmem.app/MacPmem.kext/
   creating: osxpmem.app/MacPmem.kext/Contents/
   creating: osxpmem.app/MacPmem.kext/Contents/_CodeSignature/
  inflating: osxpmem.app/MacPmem.kext/Contents/_CodeSignature/CodeResources
  inflating: osxpmem.app/MacPmem.kext/Contents/Info.plist
   creating: osxpmem.app/MacPmem.kext/Contents/MacOS/
  inflating: osxpmem.app/MacPmem.kext/Contents/MacOS/MacPmem
  inflating: osxpmem.app/osxpmem
  inflating: osxpmem.app/README.md

MacBook-Pro:Downloads root# kextload -t osxpmem.app/MacPmem.kext/
Notice: -print-diagnostics (-t) ignored; use kextutil(8) to test kexts.
/Users/franc3sco/Downloads/osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8).
MacBook-Pro:Downloads root# chown -R root:wheel osxpmem.app/
MacBook-Pro:Downloads root# kextload osxpmem.app/MacPmem.kext/
MacBook-Pro:Downloads root#
MacBook-Pro:Documents root# clear
MacBook-Pro:Documents root# dd if=/dev/pmem of=macram.raw
dd: /dev/pmem: Input/output error
37728256+0 records in
37728256+0 records out
19316867072 bytes transferred in 567.741078 secs (34024079 bytes/sec)
MacBook-Pro:Documents root#


https://github.com/volatilityfoundation/profiles/tree/master/Mac

MacBook-Pro:volatility-master franc3sco$ pwd
/Users/franc3sco/Documents/volatility-master
MacBook-Pro:mac franc3sco$ cp ~franc3sco/Downloads/HighSierra_10.13.2_17C88.zip  volatility/plugins/overlays/mac/
MacBook-Pro:volatility-master franc3sco$ python2 vol.py -f ~franc3sco/Documents/macram.raw  mac_get_profile
Volatility Foundation Volatility Framework 2.6
Profile                                            Shift Address
-------------------------------------------------- -------------
MacHighSierra_10_13_2_17C88x64                     0x00016e00000
MacBook-Pro:volatility-master franc3sco$ python2 vol.py -f ~franc3sco/Documents/macram.raw --profile=MacHighSierra_10_13_2_17C88x64 mac_bash
Volatility Foundation Volatility Framework 2.6
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
1415     bash                 2018-01-27 04:10:57 UTC+0000   python
1415     bash                 2018-01-27 04:10:57 UTC+0000   pwd
1415     bash                 2018-01-27 04:10:57 UTC+0000   ssh
1415     bash                 2018-01-27 04:10:57 UTC+0000   clear
1415     bash                 2018-01-27 04:10:57 UTC+0000   ls -alc
1415     bash                 2018-01-27 04:10:57 UTC+0000   mkdir .ssh
1415     bash                 2018-01-27 04:10:57 UTC+0000   mv ~/Downloads/MyKEYPair.pem .ssh/
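Two points about the Volatility side. The profile zip must be for the exact kernel build of the imaged machine (here 10.13.2, build 17C88); mac_get_profile scans the image for it, and the Shift Address it prints is the KASLR slide it found, so an empty table means no installed profile matches and the fix is to add the right zip to volatility/plugins/overlays/mac/, not to force a neighbouring profile. In the mac_bash output every row carries the same Command Time, which is what you typically see when the shell was not recording history timestamps: the time is when the history was read in, not when each command ran, so the order of the rows is the evidence, and the sequence mkdir .ssh followed by moving a .pem key into it is the kind of credential handling worth pulling out first. The script below is an added example, not Volatility's own code: it parses the mac_get_profile table, runs a fixed plugin set against the image, and flags mac_bash rows that touch keys, remote access or download-and-run chains. It assumes vol.py (Volatility 2.6) is run as `python2 vol.py` from the current directory; the plugin list and the regex are my choices, and the sample mac_bash text embedded in it is constructed from the rows above so the flagging can be exercised without an image.

```shell
#!/bin/sh
# Added example, not Volatility's own code: triage wrapper for the
# mac_get_profile -> plugins -> mac_bash review above. Assumes vol.py
# (Volatility 2.6) runs as "python2 vol.py" from the current directory and the
# profile zip for the imaged kernel build is in volatility/plugins/overlays/mac/.
# Usage: sh triage.sh demo | sh triage.sh <image.raw> [outdir]
VOL="${VOL:-python2 vol.py}"

# mac_get_profile prints a banner, a header row, a dashed rule, then
# "<profile> <shift address>". Print the first data row; fail when there is none,
# which is what an image from a kernel build with no installed profile yields.
parse_profile() {
    awk '$1 ~ /^Mac/ && $2 ~ /^0x/ { print $1, $2; found = 1; exit }
         END { exit !found }'
}

# mac_bash rows: pid, name, date, time, tz, then the command (may contain spaces).
# Print pid, name and command for anything handling keys or credentials, opening
# remote access, or looking like a download-and-execute chain (regex is my choice).
flag_bash_history() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 6 {
        cmd = $6
        for (i = 7; i <= NF; i++) cmd = cmd " " $i
        if (cmd ~ /\.ssh|\.pem|id_rsa|authorized_keys|^(ssh|scp|curl|wget|nc)( |$)|base64|chmod [+]x|launchctl/)
            print $1, $2, cmd
    }'
}

# Constructed sample of mac_bash output (rows taken from the session above) so the
# flagging can be exercised without an image.
sample_mac_bash() {
    cat <<'EOF'
Volatility Foundation Volatility Framework 2.6
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
1415     bash                 2018-01-27 04:10:57 UTC+0000   python
1415     bash                 2018-01-27 04:10:57 UTC+0000   pwd
1415     bash                 2018-01-27 04:10:57 UTC+0000   ssh
1415     bash                 2018-01-27 04:10:57 UTC+0000   clear
1415     bash                 2018-01-27 04:10:57 UTC+0000   ls -alc
1415     bash                 2018-01-27 04:10:57 UTC+0000   mkdir .ssh
1415     bash                 2018-01-27 04:10:57 UTC+0000   mv ~/Downloads/MyKEYPair.pem .ssh/
EOF
}

# Detect the profile, run a fixed plugin set, and write one file per plugin plus
# the flagged bash history. Plugin list is my choice.
run_triage() {
    image="$1"; outdir="${2:-triage}"
    mkdir -p "$outdir"
    prof=$($VOL -f "$image" mac_get_profile | parse_profile) \
        || { echo "no installed profile matches $image; add the zip for its kernel build" >&2; return 1; }
    profile=${prof% *}
    shift_addr=${prof#* }
    echo "profile=$profile shift=$shift_addr"
    for plugin in mac_pslist mac_psaux mac_netstat mac_lsmod mac_bash; do
        $VOL -f "$image" --profile="$profile" "$plugin" \
            > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err" \
            || echo "$plugin failed, see $outdir/$plugin.err" >&2
    done
    flag_bash_history < "$outdir/mac_bash.txt" > "$outdir/mac_bash.flagged.txt"
}

case "${1:-}" in
    demo) sample_mac_bash | flag_bash_history ;;
    "")   ;;
    *)    run_triage "$@" ;;
esac
```

On the sample, `demo` prints the ssh, mkdir .ssh and mv ... .pem rows and nothing else; pwd, clear and ls -alc fall through. Treat the flagged list as a starting point for cross-checking against mac_pslist and mac_netstat, not as a verdict.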
