VolaFox - Mac OS X Memory Analysis Toolkit
VolaFox is a Python-based Mac OS X memory analysis toolkit.
Requirements:
- Kernel symbol list
- Overlay data (included in the repo for Snow Leopard through El Capitan)
- Memory image, one of:
  - Raw memory image (FireWire acquisition, VMware memory image)
  - Raw memory image exported from an AFF4 image with Google's rekal; command: rekal aff4export -D . [AFF4 IMAGE] (output filename: "Physical Memory")
  - Mac Memory Reader format flattened with flatten.py (32-bit and 64-bit); MMR does not currently support OS X Mountain Lion and later.
Usage:
python vol.py -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID] [-x SYMFILENAME]]
Options:
- -o CMD : Print kernel information for CMD (see COMMANDS below)
- -p PID : List open files for PID (where CMD is "lsof" or "dumpfile")
- -v : Print all files, including unsupported types (where CMD is "lsof")
- -x PID/KID/TASKID/SYMBOLNAME/VIRTUAL ADDRESS : Dump the process/task/kernel extension address space for PID/KID/Task ID (where CMD is "ps"/"kextstat"/"tasks"/"machdump"/"dumpsym"/"dumpfile")

COMMANDS:
- system_profiler : Kernel version, CPU and memory spec, boot/sleep/wakeup time
- mount : Mounted filesystems
- kextstat : KEXT (kernel extension) listing
- kextscan : Scan for KEXTs (kernel extensions) (64-bit OS only)
- ps : Process listing
- tasks : Task listing (finds hidden processes)
- machdump : Dump a Mach-O binary and its relocations for analysis
- systab : Syscall table (hooking detection); note that call number 427 is flagged because of a bug, not a hook
- mtt : Mach trap table (hooking detection)
- netstat : Network socket listing (hash table)
- lsof : Open files listing by process (research, osxmem@gmail.com)
- dumpfile : Dump a file from memory (requires the -p and -x options)
- pestate : Show boot information
- efiinfo : EFI System Table, EFI Runtime Services
- keychaindump : Dump master key candidates for decrypting the keychain (Lion through El Capitan)
- dmesg : Debug messages from boot time
- uname : Print the unix name (uname)
- hostname : Print the hostname
- notifiers : Detect I/O Kit function hooking
- trustedbsd : Show the TrustedBSD MAC Framework
- bash_history : Show history from bash processes
- sysctl : Show the same output as the sysctl command
- dumpsym : Dump KASLR-adjusted kernel symbol addresses to a file (for RCE)

Kernel Rootkit Detection (testing code by n0fate; requires the distorm3 library):
- kdebug_hook : Examine the KDebug function code for malicious-code detection
- kauth_hook : Examine KAUTH for hooks that hide malicious code from anti-virus
- bsm_hook : Examine the auto_commit function in OpenBSM
- fbt_syscall : Examine the syscall table for hooking by the DTrace FBT provider
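As an added example (not volafox's own code), this shows the kind of check behind syscall-table hooking detection such as the systab and mtt commands: a kernel text range taken from the symbol list and adjusted for the KASLR slide, then each table entry tested for landing outside that range or on the wrong symbol. The nm-style symbol-list format, the slide value and the table contents are all constructed assumptions for the demo.

```python
# Added example, not volafox code. Symbol format, slide and table are constructed.
import re

# Constructed nm-style kernel symbol list: unslid address, type, name.
SYMBOL_LIST = """\
ffffff8000200000 T __start
ffffff8000300000 T _read
ffffff8000300200 T _write
ffffff8000300400 T _open
ffffff8000300600 T _close
ffffff80007fffff T _etext
"""

SLIDE = 0x10000000  # assumed KASLR slide recovered for the sample image

# Constructed syscall table as found in the image: (name, handler address).
SAMPLE_TABLE = [
    ("read",  0xffffff8000300000 + SLIDE),  # clean: slid _read
    ("write", 0xffffff8000300200 + SLIDE),  # clean: slid _write
    ("open",  0xffffff7f90a11000),          # points into kext space: hooked
    ("close", 0xffffff8000300000 + SLIDE),  # inside kernel text, but not _close
]

def parse_symbols(text):
    """Return {name: unslid_address} from the assumed nm-style dump."""
    syms = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]+)\s+\S\s+(\S+)", line)
        if m:
            syms[m.group(2)] = int(m.group(1), 16)
    return syms

def kernel_text_range(syms, slide):
    """Slid [__start, _etext] range; the same adjustment dumpsym applies."""
    return syms["__start"] + slide, syms["_etext"] + slide

def find_hooked_entries(table, syms, slide):
    """Flag entries outside slid kernel text or not at the expected symbol."""
    lo, hi = kernel_text_range(syms, slide)
    findings = []
    for num, (name, handler) in enumerate(table):
        expected = syms.get("_" + name)  # C symbols carry a leading underscore
        if not (lo <= handler <= hi):
            findings.append((num, name, "outside kernel text"))
        elif expected is not None and handler != expected + slide:
            findings.append((num, name, "inside kernel text but not at expected symbol"))
    return findings

if __name__ == "__main__":
    for num, name, why in find_hooked_entries(SAMPLE_TABLE, parse_symbols(SYMBOL_LIST), SLIDE):
        print(f"syscall {num} ({name}): {why}")
```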