-
Stars218
-
Rank 176,144 (Top 4 %)
-
LanguageC
-
Created about 12 years ago
-
Updated over 10 years ago
Reviews
There are no reviews yet. Be the first to send feedback to the community and the maintainers!
Repository Details
A small OS X/iOS userland util to dump processes memory
_____ _ _____ | __ |___ ___ _| | |___ _____ | -| -_| .'| . | | | | -_| | |__|__|___|__,|___|_|_|_|___|_|_|_| A small userland util to dump processes memory Useful to dump stuff or verify stuff without gdb or running under gdb (c) fG! - 2012, 2013 - [email protected] - http://reverse.put.as This is a small and simple userland util to dump processes memory on the screen or to a binary file. Useful to dump stuff or verify something without gdb or running under gdb. A new option as been added as of version 0.3 that will dump the mach-o app or lib that is located at the given address. This makes process dumping easier (dumped binaries will not work because objective-c related stuff!), especially in iOS where there is no vmmap utility by default. With this, you can dump the main binary or any of its loaded libraries. You need to find the start address, which usually can be done using "info shared" command inside gdb. To use this feature, pass the -f option to the util (no need to specify the size in this case). Usage: readmem -p XXX -a ADDRESS -o WHATEVERNAMEYOUWANT -f It is compatible with Mac OS X and iOS. If you want to compile to iOS you need to modify the project target and add the below information to Xcode configurations. They will allow to build command-line executables for iOS. Don't forget that you need to give procmod permissions to the OS X version and the correct entitlements to the iOS version. For a good reference regarding entitlements go to http://246tnt.com/iPhone/. Nothing fancy to be seen here :-) Version 0.5 introduces code to locate and dump main binary of a given PID. No need anymore to input start address. fG! [email protected] Changes to iPhoneOSPackageTypes.xcspec: // Mach-O executable { Type = PackageType; Identifier = com.apple.package-type.mach-o-executable; Name = "Mach-O Executable"; Description = "Mach-O executable"; DefaultBuildSettings = { EXECUTABLE_PREFIX = ""; EXECUTABLE_SUFFIX = ""; EXECUTABLE_NAME = "$(EXECUTABLE_PREFIX)$(PRODUCT_NAME)$(EXECUTABLE_VARIANT_SUFFIX)$(EXECUTABLE_SUFFIX)"; EXECUTABLE_PATH = "$(EXECUTABLE_NAME)"; }; ProductReference = { FileType = compiled.mach-o.executable; Name = "$(EXECUTABLE_NAME)"; IsLaunchable = YES; }; }, Changes to iPhoneOSProductTypes.xcspec: // Tool (normal Unix command-line executable) { Type = ProductType; Identifier = com.apple.product-type.tool; Class = PBXToolProductType; Name = "Command-line Tool"; Description = "Standalone command-line tool"; IconNamePrefix = "TargetExecutable"; DefaultTargetName = "Command-line Tool"; DefaultBuildProperties = { FULL_PRODUCT_NAME = "$(EXECUTABLE_NAME)"; EXECUTABLE_PREFIX = ""; EXECUTABLE_SUFFIX = ""; REZ_EXECUTABLE = YES; INSTALL_PATH = "/usr/local/bin"; FRAMEWORK_FLAG_PREFIX = "-framework"; LIBRARY_FLAG_PREFIX = "-l"; LIBRARY_FLAG_NOSPACE = YES; GCC_DYNAMIC_NO_PIC = NO; GCC_SYMBOLS_PRIVATE_EXTERN = YES; GCC_INLINES_ARE_PRIVATE_EXTERN = YES; STRIP_STYLE = "all"; CODE_SIGNING_ALLOWED = YES; }; PackageTypes = ( com.apple.package-type.mach-o-executable // default ); },
More Repositories
1
MachOView
MachOView forkC
2,495
2
Gdbinit
Gdbinit for OS X, iOS and others - x86, x86_64 and ARM
1,596
3
lldbinit
A gdbinit clone for LLDBPython
325
4
firmware_vault
A repo for all Apple EFI firmware files
255
5
onyx-the-black-cat
Kernel extension to disable anti-debug tricks and other useful XNU "features"C
209
6
rootfool
A small tool to dynamically disable and enable SIP in El CapitanC
163
7
EFISwissKnife
An IDA plugin to improve (U)EFI reversingC++
142
8
HexRaysDeob
Hex-Rays OLLVM Deobfuscator and MicroCode ExplorerC++
118
9
hydra
A kernel extension and userland daemon to patch applicationsC
104
10
otool-ng
Some improvements to Apple's otool.C
100
11
gopher
A OS X crypto ransomware PoCC
90
12
mach_race
Exploit code for CVE-2016-1757C
81
13
efi_dxe_emulator
EFI DXE Emulator and Interactive DebuggerC
79
14
pydbg64
PyDBG64 - OS X PyDbg with 64 bits supportC
68
15
osx_boubou
A PoC Mach-O infector via library injectionC
64
16
mpress_dumper
MPRESS dumper for OS XAssembly
64
17
gimmedebugah
A small utility to inject a Info.plist into binaries.C
57
18
gdb-ng
Apple's gdb fork with some fixes and enhancementsC
54
19
ExtractMachO
IDA plugin to extract Mach-O binaries located in the disassembly or dataC
54
20
Gatekeerper
A kernel extension to mitigate Gatekeeper bypassesC
48
21
kextstat_aslr
Implementation of kexstat via /dev/kmem with kernel ASLR supportC
38
22
can_I_suid
A TrustedBSD module to control execution of binaries with suid bit setC
37
23
crackme_nr1
fG!'s crackme #1 source codeC
36
24
bruteforcesysent
Small util to discover OS X sysent via bruteforceC
33
25
tcplognke
Apple's tcplognke code sampleC
29
26
TELoader
A TE executable format loader for IDAC
28
27
unicorn_string_deobfuscator
A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscationC
27
28
mario
The kernel component of rootpipe fix for MavericksC
27
29
adium-ng-preview
Repo to dump some preview info and builds for adium-ng
27
30
MicrocodeExplorer
Hex-Rays MicrocodeExplorerC++
26
31
readkmem
small utility to dump kernel memoryC
25
32
rex_versus_the_romans
Anti Hacking Team TrustedBSD moduleC
25
33
readphysmem
A small utility to read and write to Macs physical memory using default AppleHWAccess.kext.Objective-C
25
34
llvmpatches
Misc llvm patches
CMake
22
35
hello_santa_bye_santa
Bypass Google's SantaC
21
36
fixobjc
IDA IDC script to improve Objective-C disassembly output
21
37
checkidt
Small util to dump the IDT table of a running OS X system with kmem enabledC
20
38
armorysandbox
A USB armory based USB sandbox
Makefile
20
39
MachOPlugin
IDA plugin to Display Mach-O headersC
19
40
icetheguardianv2
A TrustedBSD module PoC to monitor writes to Daemons and Agents foldersC
19
41
diagnostic_service
OS X rootkit loader version #1C++
18
42
kgmacros
Fixed kgmacros to work with VMware kernel gdb stub
17
43
ExtractMacho2
IDA plugin to extract Mach-O binaries located in the disassembly or dataC++
17
44
syscall-benchmark
macOS syscall performance benchmarkAssembly
16
45
av-monster
PoC kext to disable OS X anti-virus softwareC
15
46
luigi
The userland component of rootpipe fix for MavericksObjective-C
14
47
carbon_copy_cloner_keychaingen
A keygen for Carbon Copy Cloner private keychainObjective-C
14
48
Crisis-Analysis-Tools
Scripts and other material related to OS.X/Crisis malware analysisC
13
49
diagnostic_service2
OS X rootkit loader version #2C++
12
50
calcspace
Small util to calculate available free space in mach-o binaries for code injectionC
12
51
idc-scripts
Random collection of IDA's IDC scripts
11
52
Disable-m3u
iTunes plugin to disable creation of m3u playlistsC
11
53
rexthewonderdog
A lazy PoC for implementing backdoors in OS X TrustedBSD Mac framework.C
10
54
delambert
GreenLambert macOS IDA plugin to deobfuscate stringsC++
10
55
GiveMeHex
A quick IDA hack to get addresses with 0x prefixC++
9
56
twitterwipe
A Go utillty to delete your Twitter historyGo
9
57
how_crap_is_ida
An IDA plugin to compare IDA detected functions output versus LC_FUNCTION_STARTS informationC++
9
58
spiflash
Very fast reader for SPI flashes for Teensy 2.x.C
7
59
keygen_CrackMe_nr1_qwertyoruiop
Keygen for qwertyoruiop's CrackMe nr1C
7
60
evilquest_stats
Small utility to hash EvilQuest code and cstrings sectionsGo
7
61
bpf_dbg_output
Small tool to convert bpf binary bytecode to bpf_dbg formatC
7
62
evilquest_deobfuscator
EvilQuest/ThiefQuest malware strings decrypter/deobfuscatorGo
6
63
icetheguardian
A PoC to protect critical OS X files using TrustedBSD Mac framework.C
5
64
SMBIOSKeygen
macserial and GenSMBIOS merged and ported to GoGo
4
65
yage
An age fork with internal Yubikeys supportGo
2
66
snake_queue_parser
A decryptor for Snake/Turla configuration filesObjective-C
2
67
Mach-O-Lib
Library to access and manipulate Mach-O headers
1
68
macserial
macserial Go module
1