VolaFox - Mac OS X Memory Analysis Toolkit

VolaFox -  Mac OS X Memory Analysis Toolkit

VolaFox is a Python-based Mac OS X memory analysis toolkit.


  • Kernel Symbol List
  • overlay data(Included repo from Snow Leopard to El Capitan)
  • Memory Image
  • Raw memory image(Firewire, VMware memory image)
  • Exported raw memory image using rekal developed by Google
  • command : rekal aff4export -D . [AFF4 IMAGE] => output filename : Physical Memory
  • Flatten Mac Memory Reader Format using flatten.py(32bit, 64bit) => MMR doesn't support OS X Mountain Lion above now.


python vol.py -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID]
-o CMD            : Print kernel information for CMD (below)
-p PID            : List open files for PID (where CMD is "lsof" and dumpfile)
-v                : Print all files, including unsupported types (where CMD is "lsof")
   Dump process/task/kernel extension address space for PID/KID/Task ID
   (where CMD is "ps"/"kextstat"/"tasks"/"machdump"/"dumpsym"/"dumpfile")

system_profiler : Kernel version, CPU, and memory spec, Boot/Sleep/Wakeup time
mount           : Mounted filesystems
kextstat        : KEXT (Kernel Extensions) listing
kextscan        : Scanning KEXT (Kernel Extensions) (64bit OS only)
ps              : Process listing
tasks           : Task listing (Finding process hiding)
machdump        : Dump macho binary and relocation for analysis
systab          : Syscall table (Hooking detection)
                  => Call Number 427 is bugged not hooked.
mtt             : Mach trap table (Hooking detection)
netstat         : Network socket listing (Hash table)
lsof            : Open files listing by process (research, osxmem@gmail.com)
dumpfile        : Dump a file on Memory (Required -p and -x option)
pestate         : Show Boot information
efiinfo         : EFI System Table, EFI Runtime Services
keychaindump    : Dump master key candidates for decrypting keychain(Lion ~ El Capitan)
dmesg           : Debug message at boot time
uname           : Print a short for unix name(uname)
hostname        : Print a hostname
notifiers       : Detects I/O Kit function hooking
trustedbsd      : Show TrustedBSD MAC Framework
bash_history    : Show history in bash process
sysctl          : show the result like sysctl command
dumpsym         : Dump kernel symbol address considered of KASLR to file (for RCE)

Kernel Rootkit Detection: (testing code by n0fate) - Required Library : distorm3
kdebug_hook     : Examination of the KDebug function code for mal-code detection
kauth_hook      : Examination of the KAUTH for mal-code hiding detection from Anti-virus
bsm_hook        : Examination of auto_commit function on the OpenBSM
fbt_syscall     : Examination of syscall table for hooking by DTrace FBT Provider

No comments

Powered by Blogger.