[memory] volafox

sec

Memory analyzer for Mac OS X & BSD
http://code.google.com/p/volafox/

SnowLeopardのメモリダンプ
http://forensic.korea.ac.kr/volafox/files/SnowLeopard/MemoryImage.zip

$ python volafox.py -i MemoryImage.mem -o proc_info
[+] Memory Image: MemoryImage.mem
[+] Information: proc_info
[+] Get Memory Image Information
[-] Difference(Catfish Signature): 0
[-] Valid Mac Linear File Format
[-] 32-bit memory image
[-] Kernel Version: 10.6.0

  • = process list =-

list_entry_next pid ppid process name username
03290d20 0 0 kernel_task
03290a80 1 0 launchd n0fate
032902a0 2 1 launchctl root
032907e0 10 1 kextd root
03290540 11 1 DirectoryService root
03290000 12 1 notifyd root
0359bd20 13 1 diskarbitrationd root
0359ba80 14 1 configd root
0359b7e0 15 1 syslogd root
0359b540 16 1 distnoted root
0359b000 17 1 mDNSResponder _mdnsresponder
0359b2a0 19 1 securityd _mdnsresponder
03a5a7e0 24 1 ntpd _mdnsresponder
03bc7d20 26 1 usbmuxd _usbmuxd
03bc7a80 30 1 mds _mdnsresponder
03bc77e0 31 1 loginwindow n0fate
03bc72a0 32 1 KernelEventAgent _mdnsresponder
03bc7000 34 1 hidd _mdnsresponder
03bdaa80 35 1 fseventsd _mdnsresponder
03befd20 37 1 dynamic_pager _mdnsresponder
03bef7e0 42 1 autofsd _mdnsresponder
03a5a2a0 53 1 taskgated _usbmuxd
03bdad20 54 1 coreservicesd root
03a5a540 55 1 WindowServer root
03bda540 57 1 vmware-tools-dae _mdnsresponder
03a5a000 74 1 airportd _atsserver
03befa80 78 1 coreaudiod _coreaudiod
03bda2a0 79 1 launchd n0fate
03bef000 83 79 Dock n0fate
03bc7540 84 79 SystemUIServer n0fate
04166d20 85 79 Finder n0fate
03bef2a0 92 79 fontd n0fate
041667e0 95 79 pboard n0fate
04166000 96 79 quicklookd n0fate
044ddd20 99 79 UserEventAgent n0fate
044dd000 100 79 ServerScanner n0fate
044fed20 105 79 AirPort Base Sta n0fate
044dd7e0 106 79 vmware-tools-use n0fate
044dd540 108 79 CCacheServer n0fate
03bda000 110 79 TISwitcher n0fate
0085e758 120 1 backupd n0fate

$ python volafox.py -i MemoryImage.mem -o net_info
[+] Memory Image: MemoryImage.mem
[+] Information: net_info
[+] Get Memory Image Information
[-] Difference(Catfish Signature): 0
[-] Valid Mac Linear File Format
[-] 32-bit memory image
[-] Kernel Version: 10.6.0

  • = NETWORK INFORMATION (hashbase) =-

ipi_count: 4
[TCP] Local Address: 0.0.0.0:22, Foreign Address: 0.0.0.0:0, flag: 8000
[TCP] Local Address: 127.0.0.1:631, Foreign Address: 0.0.0.0:0, flag: 8000
ipi_count: 30
[UDP] Local Address: 0.0.0.0:49794, Foreign Address: 0.0.0.0:0, flag: 808300
[UDP] Local Address: 0.0.0.0:63588, Foreign Address: 0.0.0.0:0, flag: 808300
[UDP] Local Address: 0.0.0.0:65509, Foreign Address: 0.0.0.0:0, flag: 808300
[UDP] Local Address: 0.0.0.0:57654, Foreign Address: 0.0.0.0:0, flag: 808300
[UDP] Local Address: 0.0.0.0:5353, Foreign Address: 0.0.0.0:0, flag: 808300
[UDP] Local Address: 192.168.1.128:123, Foreign Address: 17.83.253.7:0, flag: 8000
[UDP] Local Address: 0.0.0.0:50364, Foreign Address: 0.0.0.0:0, flag: 808300