VolaFox

Description

volafox, a.k.a. 'Mac OS X Memory Analysis Toolkit', is written in Python 2.x.

Usage

Syntax

volafox -i MEMORY_IMAGE -s KERNEL_IMAGE -[o INFORMATION][-x pid]

Options

-o	Gather information using symbols (one of the INFORMATION values below)
-x	Dump a process by pid (Beta - 32-bit processes only)

INFORMATION:
os_version	Darwin kernel detailed version
machine_info	Kernel version, CPU, memory information
mount_info	Mount information
kern_kext_info	Kernel KEXT (Kernel Extensions) information
kext_info	KEXT (Kernel Extensions) information
proc_info	Process list
syscall_info	Kernel system call information

Example

cyborg@cyborg:~$ volafox -i MemoryImage.mem -s mach_kernel -o proc_info -x 120
Memory Image: MemoryImage.mem
Kernel Image: mach_kernel
Information: proc_info
Dump PID: 120
 
-= process: 120=-
list_entry_next	pid	ppid	process name		username
0085e758	120	1	backupdask	cyborg
task_ptr: 3bd81f4
vm_map_t: 41b2520
prev: 46145d8
next: 461402c
start: 100000000
end: 7fffffe00000
neutries: 3a
entries_pageable: 1
pmap_t: 3bf59f8
page directory pointer: 3bf5828
phys.address of dirbase: 4705c2400000000
object to pde: 1
ref count: 1
nx_enabled: 2
task_map: 0
pm_cr3: 0
pm_pdpt: 25c00000259
pm_pml4: 127df00000000000
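
For triage it helps to turn this output into structured records that can be compared across images. The parser below is an added example, not part of volafox; it assumes the layout shown in the run above (a `-= process: N=-` marker, one process row, then `name: value` lines with hexadecimal values), and `parse_proc_dump` is a hypothetical helper name.

```python
import re

# Constructed sample: trimmed copy of the example run shown above.
SAMPLE = """\
Memory Image: MemoryImage.mem
Kernel Image: mach_kernel
Information: proc_info
Dump PID: 120

-= process: 120=-
list_entry_next\tpid\tppid\tprocess name\t\tusername
0085e758\t120\t1\tbackupdask\tcyborg
task_ptr: 3bd81f4
vm_map_t: 41b2520
start: 100000000
end: 7fffffe00000
neutries: 3a
nx_enabled: 2
pm_cr3: 0
"""

MARKER = re.compile(r"^-=\s*process:\s*(\d+)\s*=-$")
FIELD = re.compile(r"^([^:]+):\s*([0-9a-fA-F]+)$")


def parse_proc_dump(text):
    """Return one dict per '-= process: N=-' block in volafox output."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MARKER.match(line)
        if m:
            cur = {"dump_pid": int(m.group(1)), "fields": {}}
            procs.append(cur)
            continue
        if cur is None or not line or line.startswith("list_entry_next"):
            continue  # banner lines, blank lines, column header
        f = FIELD.match(line)
        if f:
            # Assumption: every value after the marker is printed in hex.
            cur["fields"][f.group(1).strip()] = int(f.group(2), 16)
            continue
        parts = line.split()
        if len(parts) >= 5 and "pid" not in cur:
            # Process row: pointer in hex, pid/ppid in decimal (assumed).
            cur.update(list_entry=int(parts[0], 16), pid=int(parts[1]),
                       ppid=int(parts[2]), name=" ".join(parts[3:-1]),
                       username=parts[-1])
    return procs
```

Comparing `pid` with `dump_pid` in each record confirms the dump belongs to the process that was requested with `-x`.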