• Stars
    star
    218
  • Rank 181,805 (Top 4 %)
  • Language
    C
  • Created almost 13 years ago
  • Updated about 11 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A small OS X/iOS userland util to dump processes memory
 _____           _ _____           
| __  |___ ___ _| |     |___ _____ 
|    -| -_| .'| . | | | | -_|     |
|__|__|___|__,|___|_|_|_|___|_|_|_|

A small userland util to dump processes memory
Useful to dump stuff or verify stuff without gdb or running under gdb
(c) fG! - 2012, 2013 - [email protected] - http://reverse.put.as
                                   
This is a small and simple userland util to dump processes memory on the screen or to a binary file.
Useful to dump stuff or verify something without gdb or running under gdb.

A new option as been added as of version 0.3 that will dump the mach-o app or lib that is located
at the given address. This makes process dumping easier (dumped binaries will not work because objective-c
related stuff!), especially in iOS where there is no vmmap utility by default.
With this, you can dump the main binary or any of its loaded libraries. You need to find the start address,
which usually can be done using "info shared" command inside gdb. 
To use this feature, pass the -f option to the util (no need to specify the size in this case).
Usage:
readmem -p XXX -a ADDRESS -o WHATEVERNAMEYOUWANT -f

It is compatible with Mac OS X and iOS. If you want to compile to iOS you need to modify the project target
and add the below information to Xcode configurations. 
They will allow to build command-line executables for iOS.

Don't forget that you need to give procmod permissions to the OS X version and the correct entitlements
to the iOS version.
For a good reference regarding entitlements go to http://246tnt.com/iPhone/.

Nothing fancy to be seen here :-)

Version 0.5 introduces code to locate and dump main binary of a given PID. No need anymore to input start address.

fG!
[email protected]

Changes to iPhoneOSPackageTypes.xcspec:

    // Mach-O executable
    {   Type = PackageType;
        Identifier = com.apple.package-type.mach-o-executable;
        Name = "Mach-O Executable";
        Description = "Mach-O executable";
        DefaultBuildSettings = {
            EXECUTABLE_PREFIX = "";
            EXECUTABLE_SUFFIX = "";
            EXECUTABLE_NAME = "$(EXECUTABLE_PREFIX)$(PRODUCT_NAME)$(EXECUTABLE_VARIANT_SUFFIX)$(EXECUTABLE_SUFFIX)";
            EXECUTABLE_PATH = "$(EXECUTABLE_NAME)";
        };
        ProductReference = {
            FileType = compiled.mach-o.executable;
            Name = "$(EXECUTABLE_NAME)";
            IsLaunchable = YES;
        };
    },

Changes to iPhoneOSProductTypes.xcspec:

    // Tool (normal Unix command-line executable)
    {   Type = ProductType;
        Identifier = com.apple.product-type.tool;
        Class = PBXToolProductType;
        Name = "Command-line Tool";
        Description = "Standalone command-line tool";
        IconNamePrefix = "TargetExecutable";
        DefaultTargetName = "Command-line Tool";
        DefaultBuildProperties = {
            FULL_PRODUCT_NAME = "$(EXECUTABLE_NAME)";
            EXECUTABLE_PREFIX = "";
            EXECUTABLE_SUFFIX = "";
            REZ_EXECUTABLE = YES;
            INSTALL_PATH = "/usr/local/bin";
            FRAMEWORK_FLAG_PREFIX = "-framework";
            LIBRARY_FLAG_PREFIX = "-l";
            LIBRARY_FLAG_NOSPACE = YES;
            GCC_DYNAMIC_NO_PIC = NO;
            GCC_SYMBOLS_PRIVATE_EXTERN = YES;
            GCC_INLINES_ARE_PRIVATE_EXTERN = YES;
            STRIP_STYLE = "all";
            CODE_SIGNING_ALLOWED = YES;
        };
        PackageTypes = (
            com.apple.package-type.mach-o-executable   // default
        );
    },

More Repositories

1

MachOView

MachOView fork
C
2,495
star
2

Gdbinit

Gdbinit for OS X, iOS and others - x86, x86_64 and ARM
1,596
star
3

lldbinit

A gdbinit clone for LLDB
Python
325
star
4

firmware_vault

A repo for all Apple EFI firmware files
255
star
5

onyx-the-black-cat

Kernel extension to disable anti-debug tricks and other useful XNU "features"
C
209
star
6

rootfool

A small tool to dynamically disable and enable SIP in El Capitan
C
163
star
7

EFISwissKnife

An IDA plugin to improve (U)EFI reversing
C++
142
star
8

HexRaysDeob

Hex-Rays OLLVM Deobfuscator and MicroCode Explorer
C++
118
star
9

hydra

A kernel extension and userland daemon to patch applications
C
104
star
10

otool-ng

Some improvements to Apple's otool.
C
100
star
11

gopher

A OS X crypto ransomware PoC
C
90
star
12

mach_race

Exploit code for CVE-2016-1757
C
81
star
13

efi_dxe_emulator

EFI DXE Emulator and Interactive Debugger
C
79
star
14

pydbg64

PyDBG64 - OS X PyDbg with 64 bits support
C
68
star
15

osx_boubou

A PoC Mach-O infector via library injection
C
64
star
16

mpress_dumper

MPRESS dumper for OS X
Assembly
64
star
17

gimmedebugah

A small utility to inject a Info.plist into binaries.
C
57
star
18

gdb-ng

Apple's gdb fork with some fixes and enhancements
C
54
star
19

ExtractMachO

IDA plugin to extract Mach-O binaries located in the disassembly or data
C
54
star
20

Gatekeerper

A kernel extension to mitigate Gatekeeper bypasses
C
48
star
21

kextstat_aslr

Implementation of kexstat via /dev/kmem with kernel ASLR support
C
38
star
22

can_I_suid

A TrustedBSD module to control execution of binaries with suid bit set
C
37
star
23

crackme_nr1

fG!'s crackme #1 source code
C
36
star
24

bruteforcesysent

Small util to discover OS X sysent via bruteforce
C
33
star
25

tcplognke

Apple's tcplognke code sample
C
29
star
26

TELoader

A TE executable format loader for IDA
C
28
star
27

unicorn_string_deobfuscator

A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscation
C
27
star
28

mario

The kernel component of rootpipe fix for Mavericks
C
27
star
29

adium-ng-preview

Repo to dump some preview info and builds for adium-ng
27
star
30

MicrocodeExplorer

Hex-Rays MicrocodeExplorer
C++
26
star
31

readkmem

small utility to dump kernel memory
C
25
star
32

rex_versus_the_romans

Anti Hacking Team TrustedBSD module
C
25
star
33

readphysmem

A small utility to read and write to Macs physical memory using default AppleHWAccess.kext.
Objective-C
25
star
34

llvmpatches

Misc llvm patches
CMake
22
star
35

hello_santa_bye_santa

Bypass Google's Santa
C
21
star
36

fixobjc

IDA IDC script to improve Objective-C disassembly output
21
star
37

checkidt

Small util to dump the IDT table of a running OS X system with kmem enabled
C
20
star
38

armorysandbox

A USB armory based USB sandbox
Makefile
20
star
39

MachOPlugin

IDA plugin to Display Mach-O headers
C
19
star
40

icetheguardianv2

A TrustedBSD module PoC to monitor writes to Daemons and Agents folders
C
19
star
41

diagnostic_service

OS X rootkit loader version #1
C++
18
star
42

kgmacros

Fixed kgmacros to work with VMware kernel gdb stub
17
star
43

ExtractMacho2

IDA plugin to extract Mach-O binaries located in the disassembly or data
C++
17
star
44

syscall-benchmark

macOS syscall performance benchmark
Assembly
16
star
45

av-monster

PoC kext to disable OS X anti-virus software
C
15
star
46

luigi

The userland component of rootpipe fix for Mavericks
Objective-C
14
star
47

carbon_copy_cloner_keychaingen

A keygen for Carbon Copy Cloner private keychain
Objective-C
14
star
48

Crisis-Analysis-Tools

Scripts and other material related to OS.X/Crisis malware analysis
C
13
star
49

diagnostic_service2

OS X rootkit loader version #2
C++
12
star
50

calcspace

Small util to calculate available free space in mach-o binaries for code injection
C
12
star
51

idc-scripts

Random collection of IDA's IDC scripts
11
star
52

Disable-m3u

iTunes plugin to disable creation of m3u playlists
C
11
star
53

rexthewonderdog

A lazy PoC for implementing backdoors in OS X TrustedBSD Mac framework.
C
10
star
54

fuckyouilfak

A IDA Pro 9.0 Beta 2 macOS x86 Fix Loader
C
10
star
55

delambert

GreenLambert macOS IDA plugin to deobfuscate strings
C++
10
star
56

GiveMeHex

A quick IDA hack to get addresses with 0x prefix
C++
9
star
57

twitterwipe

A Go utillty to delete your Twitter history
Go
9
star
58

how_crap_is_ida

An IDA plugin to compare IDA detected functions output versus LC_FUNCTION_STARTS information
C++
9
star
59

evilquest_stats

Small utility to hash EvilQuest code and cstrings sections
Go
7
star
60

keygen_CrackMe_nr1_qwertyoruiop

Keygen for qwertyoruiop's CrackMe nr1
C
7
star
61

spiflash

Very fast reader for SPI flashes for Teensy 2.x.
C
7
star
62

bpf_dbg_output

Small tool to convert bpf binary bytecode to bpf_dbg format
C
7
star
63

evilquest_deobfuscator

EvilQuest/ThiefQuest malware strings decrypter/deobfuscator
Go
6
star
64

icetheguardian

A PoC to protect critical OS X files using TrustedBSD Mac framework.
C
5
star
65

SMBIOSKeygen

macserial and GenSMBIOS merged and ported to Go
Go
4
star
66

yage

An age fork with internal Yubikeys support
Go
2
star
67

snake_queue_parser

A decryptor for Snake/Turla configuration files
Objective-C
2
star
68

Mach-O-Lib

Library to access and manipulate Mach-O headers
1
star
69

macserial

macserial Go module
1
star