
memscan's Introduction

MEMSCAN

As far as the scanner is concerned, I'm finished with it. I'm going to do a final sweep and remove superfluous code and then I'll land the final commit.

Tweet me: @Hexploitable

Building MEMSCAN

To build MEMSCAN you will need Theos installed. Strictly speaking it is optional, but it makes building and packaging much easier.

Once Theos is installed, navigate to the MEMSCAN folder in a terminal and run:

make package install

Usage

Dumping the memory of a process

  1. Obtain the PID of the target process, e.g. with ps.
  2. Pass the PID to memscan with the dump flag:
    ./memscan -p <PID> -d

Finding objects in memory

  1. Open the target app or process in a disassembler and take the first ~16 bytes (adjust the count as you see fit) of the method you want to hook; these bytes are your "signature".

  2. Write the signature to a file as raw bytes (not as hex text), for example with bash's echo:

    echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

  3. Run the scanner against the target process. It will locate the signature in memory and print its address. The signature has to be passed in as a file of raw bytes, not as a literal string on the command line, so use the scanner as shown:

    ./memscan -p <pid> -s <Path to file containing needle>

    e.g:

    ./memscan -p 1234 -s ./needle

  4. MEMSCAN should then print the address where the needle is located in memory.
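The matching step above is easy to get subtly wrong when a large region is read in chunks: a signature that starts in one chunk and ends in the next is missed unless the scanner carries the tail of the previous read forward. The following is an added example, not memscan's own code, showing the core of the signature scan in portable C. The region list and bytes are constructed sample data standing in for what task_for_pid(), mach_vm_region() and mach_vm_read_overwrite() would return on macOS/iOS; the hex-string parser is an alternative to the echo -e step for producing the same raw needle. All function names are this example's own.

```c
/*
 * Added example (not memscan's code): core of a memory signature scan.
 * Regions are constructed sample data; on macOS/iOS they would come from
 * task_for_pid() + mach_vm_region() + mach_vm_read_overwrite().
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint64_t base;        /* address of the region in the target process */
    const uint8_t *data;  /* local copy of its bytes */
    size_t size;
} region_t;

/* Parse disassembler-style hex ("55 48 89 E5 ...") into raw signature bytes.
 * Produces the same bytes as `echo -n -e '\x55...' > needle`. Returns the
 * byte count, or 0 on an odd nibble count, a non-hex character, or overflow. */
size_t sig_from_hex(const char *hex, uint8_t *out, size_t cap) {
    size_t n = 0;
    while (*hex) {
        if (isspace((unsigned char)*hex)) { hex++; continue; }
        if (!isxdigit((unsigned char)hex[0]) ||
            !isxdigit((unsigned char)hex[1]) || n == cap)
            return 0;
        char pair[3] = { hex[0], hex[1], '\0' };
        out[n++] = (uint8_t)strtoul(pair, NULL, 16);
        hex += 2;
    }
    return n;
}

/* Find every occurrence of `needle` in one region, reading `chunk` bytes at a
 * time as a scanner pages through a large region. The last nlen-1 bytes of
 * each chunk are kept in front of the next read, so a signature split across
 * two reads is matched exactly once. Absolute target addresses go to `hits`
 * (up to max_hits); the return value is the total found, possibly larger. */
size_t scan_region(const region_t *r, const uint8_t *needle, size_t nlen,
                   size_t chunk, uint64_t *hits, size_t max_hits) {
    if (nlen == 0 || chunk == 0 || r->size < nlen) return 0;
    size_t overlap = nlen - 1, carried = 0, found = 0;
    uint8_t *buf = malloc(chunk + overlap);
    if (!buf) return 0;
    for (size_t off = 0; off < r->size; off += chunk) {
        size_t take = r->size - off < chunk ? r->size - off : chunk;
        memcpy(buf + carried, r->data + off, take);      /* the "read" */
        size_t len = carried + take;
        uint64_t buf_addr = r->base + off - carried;      /* address of buf[0] */
        for (size_t i = 0; i + nlen <= len; i++) {
            if (memcmp(buf + i, needle, nlen) == 0) {
                if (found < max_hits) hits[found] = buf_addr + i;
                found++;
            }
        }
        carried = len < overlap ? len : overlap;         /* tail for next read */
        memmove(buf, buf + len - carried, carried);
    }
    free(buf);
    return found;
}

/* Scan regions in order; returns the total number of hits. */
size_t scan_regions(const region_t *regions, size_t nregions,
                    const uint8_t *needle, size_t nlen, size_t chunk,
                    uint64_t *hits, size_t max_hits) {
    size_t total = 0;
    for (size_t k = 0; k < nregions; k++) {
        size_t used = total < max_hits ? total : max_hits;
        total += scan_region(&regions[k], needle, nlen, chunk,
                             hits + used, max_hits - used);
    }
    return total;
}

/* Constructed sample: two fake regions seeded with the README's needle
 * (push rbp; mov rbp,rsp; mov eax,0x15; pop rbp). Two of the three copies
 * straddle the 32-byte read chunk on purpose. */
size_t demo_scan(uint64_t *hits, size_t max_hits) {
    uint8_t needle[32];
    size_t nlen = sig_from_hex("55 48 89 E5 B8 15 00 00 00 5D", needle, 32);
    static uint8_t text[64], data[40];
    memset(text, 0x90, sizeof text);          /* NOP padding, never matches */
    memset(data, 0x00, sizeof data);
    memcpy(text + 4,  needle, nlen);          /* hit at 0x100000004 */
    memcpy(text + 29, needle, nlen);          /* hit at 0x10000001D, spans 32 */
    memcpy(data + 30, needle, nlen);          /* hit at 0x7fff001E, spans 32 */
    region_t regions[] = {
        { 0x100000000ULL, text, sizeof text },
        { 0x7fff0000ULL,  data, sizeof data },
    };
    return scan_regions(regions, 2, needle, nlen, 32, hits, max_hits);
}

int main(void) {
    uint64_t hits[8];
    size_t n = demo_scan(hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("needle found at 0x%llx\n", (unsigned long long)hits[i]);
    return n ? 0 : 1;
}
```

Build with `cc -o sigscan sigscan.c && ./sigscan`; the three addresses printed include the two copies that cross a chunk boundary, which a naive per-chunk memmem would miss. Reported addresses are in the target's address space (region base plus offset), which is what you need when the scan feeds a hook or a debugger breakpoint.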

Resources

There are some fantastic resources out there which can help you develop similar concepts or improve on this utility.
The most useful was the book "Mac OS X Internals: A Systems Approach", which also provides sample code snippets covering the relevant Mach APIs.

It's been brought to my attention there is another stack of tools which does similar things, called Radare, which you should check out as it's pretty cool.

Contact

For any issues or concerns, contact me on Twitter: @Hexploitable.
If you need more than 140 characters, open an issue here.

memscan's People

Contributors

bryant1410, hexploitable, pandasauce, ritesh, wiresharkgd

memscan's Issues

Needs the platform-application entitlement

You don't technically need to update the package, since this can be fixed afterwards, but to get it working on iOS 11 you need to do the following:

  1. Copy this into a file, call it ent.xml or whatever:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>proc_info-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
        <key>platform-application</key>
        <true/>
    </dict>
    </plist>

  2. Install ldid.
  3. Run:

    ldid -S<path_to_ent.xml> /usr/bin/memscan

memscan should now run again instead of getting killed by the system.

Clean the code

The code was mashed together in a hurry and is poorly written; it needs to be re-worked completely.
Probably going to skip this though as v2 will use Frida.re.

ARM64 enhancements

I need to re-think how to scan memory on ARM64 as it's going to take far too long on iOS.
I'm likely going to add an option to only dump the appropriate regions instead of all mach regions.
