MacPmem enables read/write access to physical memory on OS X 10.8 through 10.11. It simultaneously exposes a wealth of useful information about the operating system and hardware it's running on, through an informational device and a sysctl interface.
It exposes two devices:
- /dev/pmem # Physical memory read access (can be built with write support).
- /dev/pmem_info # Informational dump.
```shell
> sudo kextload MacPmem.kext
> sudo cat /dev/pmem_info
# Outputs:
# %YAML 1.2
# ---
# meta:
#   pmem_api_version: 2
#   cr3: 5773611222
#   dtb_off: 5773611008
#   phys_mem_size: 17179869184
#   pci_config_space_base: 3758096384
#   mmap_poffset: 353394688
#   mmap_desc_version: 1
#   mmap_size: 11856
#   mmap_desc_size: 48
#   kaslr_slide: 304087040
#   kernel_poffset: 305135616
#   kernel_version: "Darwin Kernel Version 14.4.0: Thu May 28 11:35:04 PDT 2015; root:xnu-2782.30.5~1/RELEASE_X86_64"
#   version_poffset: 313959808
> sudo xxd -s 313959808 /dev/pmem | head
# Outputs:
# 12b6a580: 4461 7277 696e 204b 6572 6e65 6c20 5665  Darwin Kernel Ve
# 12b6a590: 7273 696f 6e20 3134 2e34 2e30 3a20 5468  rsion 14.4.0: Th
# 12b6a5a0: 7520 4d61 7920 3238 2031 313a 3335 3a30  u May 28 11:35:0
# 12b6a5b0: 3420 5044 5420 3230 3135 3b20 726f 6f74  4 PDT 2015; root
# 12b6a5c0: 3a78 6e75 2d32 3738 322e 3330 2e35 7e31  :xnu-2782.30.5~1
# 12b6a5d0: 2f52 454c 4541 5345 5f58 3836 5f36 3400  /RELEASE_X86_64.
# 12b6a5e0: 0e00 0000 0400 0000 0000 0000 8000 0000  ................
# 12b6a5f0: 0000 0000 3000 726f 6f74 0031 342e 342e  ....0.root.14.4.
# 12b6a600: 3000 4461 7277 696e 0000 0000 0000 0000  0.Darwin........
# 12b6a610: 0000 0000 0100 0000 0200 0000 0300 0000  ................
> sudo rekall -f /dev/pmem # Analyze the running memory of my own system.
```
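The session above reads the `meta` block from `/dev/pmem_info` by eye and then seeks `/dev/pmem` to `version_poffset` with `xxd`. The following script does the same thing programmatically: it parses the `meta` block, reads the NUL-terminated string at `version_poffset`, and checks that it matches the `kernel_version` the driver reported. This is an added example, not MacPmem's or Rekall's own code. The YAML sample and the `FakePmem` stand-in device are constructed here so the script runs offline; `parse_pmem_info`, `read_cstring` and `check_kernel_version` are this example's own names. On a machine with `MacPmem.kext` loaded, the commented-out lines in `__main__` show how to point it at the real devices.

```python
"""Parse the 'meta' block of /dev/pmem_info and use version_poffset to read
the kernel version string back out of /dev/pmem. Added example, not MacPmem's
own code. Runs offline against a constructed fake device."""
import re

# Constructed sample: the 'meta' block as printed by /dev/pmem_info above,
# trimmed to the keys this example needs.
SAMPLE_INFO = """%YAML 1.2
---
meta:
  pmem_api_version: 2
  cr3: 5773611222
  phys_mem_size: 17179869184
  kaslr_slide: 304087040
  kernel_poffset: 305135616
  kernel_version: "Darwin Kernel Version 14.4.0: Thu May 28 11:35:04 PDT 2015; root:xnu-2782.30.5~1/RELEASE_X86_64"
  version_poffset: 313959808
"""

_KV = re.compile(r'^\s+([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$')


def parse_pmem_info(text):
    """Return the key/value pairs under 'meta:' as a dict.
    Integers become int; double-quoted strings lose their quotes. A YAML
    library is deliberately avoided so the script has no dependencies; it
    only understands the flat 'meta:' block, not the rest of the dump."""
    meta, in_meta = {}, False
    for line in text.splitlines():
        if line.rstrip() == 'meta:':
            in_meta = True
            continue
        if in_meta and line and not line[0].isspace():
            break                      # next top-level section begins
        m = _KV.match(line) if in_meta else None
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            meta[key] = value[1:-1]
        elif value.lstrip('-').isdigit():
            meta[key] = int(value)
        else:
            meta[key] = value
    return meta


def read_cstring(dev, offset, max_len=256):
    """Seek to a physical offset and read a NUL-terminated ASCII string,
    like 'xxd -s <offset>' but stopping at the first NUL byte."""
    dev.seek(offset)
    return dev.read(max_len).split(b'\0', 1)[0].decode('ascii', 'replace')


def check_kernel_version(dev, meta):
    """Read the string at version_poffset and compare it with kernel_version.
    A mismatch means the info and the device describe different machines,
    or the read failed silently and came back as zeros."""
    found = read_cstring(dev, meta['version_poffset'])
    return found == meta['kernel_version'], found


class FakePmem:
    """Constructed stand-in for /dev/pmem: reads return zeros (which is also
    what MacPmem returns for inaccessible pages) except for one payload
    placed at a chosen physical offset."""
    def __init__(self, offset, payload):
        self._off, self._payload, self._pos = offset, payload, 0

    def seek(self, pos):
        self._pos = pos

    def read(self, n):
        buf = bytearray(n)
        lo, hi = self._off, self._off + len(self._payload)
        for i in range(n):
            p = self._pos + i
            if lo <= p < hi:
                buf[i] = self._payload[p - lo]
        self._pos += n
        return bytes(buf)


def demo():
    """Offline run over the constructed sample; returns (matched, string)."""
    meta = parse_pmem_info(SAMPLE_INFO)
    dev = FakePmem(meta['version_poffset'], meta['kernel_version'].encode() + b'\0')
    return check_kernel_version(dev, meta)


if __name__ == '__main__':
    # Real devices (needs sudo and MacPmem.kext loaded):
    #   with open('/dev/pmem_info') as f: meta = parse_pmem_info(f.read())
    #   with open('/dev/pmem', 'rb') as dev: print(check_kernel_version(dev, meta))
    ok, found = demo()
    print('match' if ok else 'MISMATCH', found)
```

The version-string check is a cheap sanity test before handing `/dev/pmem` to Rekall: if the string at `version_poffset` comes back as zeros, the page in question was not readable (see the safety sysctl below), and if it comes back as a different string the offsets were taken from another boot.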
```shell
# Enable debug logging.
> sudo sysctl -w kern.pmem_logging=4
# Set to warn-level logging (default).
> sudo sysctl -w kern.pmem_logging=2
```
By default, I/O on /dev/pmem silently fails (returning zeros) for any read or write that touches memory the EFI has marked as inaccessible. The EFI builds a physical memory map early in the boot process for the bootloader and the kernel to interpret. That map marks out regions that are physically damaged, backed by a PCI device (rather than RAM), or otherwise deserving of special consideration.
```shell
# Disable read/write safety.
> sudo sysctl -w kern.pmem_allow_unsafe_operations=1
# Re-enable read/write safety.
> sudo sysctl -w kern.pmem_allow_unsafe_operations=0
```
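To make the safety rule above concrete, here is a user-space model of it: walk an EFI memory map, classify the region a physical offset falls in, and return zeros for a read that touches anything other than RAM unless the unsafe flag is set. This is an added example, not MacPmem's code, and it does not claim to reproduce the driver's exact policy. What it takes from the page is the descriptor stride (`mmap_desc_size`, 48 bytes on the machine shown) and the zeros-on-failure behaviour; the descriptor layout is the standard `EFI_MEMORY_DESCRIPTOR` from the UEFI specification; which memory types count as readable RAM is this example's own assumption; and the memory map blob is constructed inline rather than read from the device (the `mmap_poffset` and `mmap_size` fields suggest the real map can be pulled from `/dev/pmem` the same way, but that is also an assumption here).

```python
"""Model of the read-safety rule: consult the EFI memory map before touching
a physical offset and return zeros for pages that are not ordinary RAM.
Added example, not MacPmem's code; the accessible-type set is an assumption."""
import struct

# EFI_MEMORY_TYPE values from the UEFI specification.
EFI_RESERVED, EFI_LOADER_CODE, EFI_LOADER_DATA = 0, 1, 2
EFI_BOOT_SERVICES_CODE, EFI_BOOT_SERVICES_DATA = 3, 4
EFI_RUNTIME_SERVICES_CODE, EFI_RUNTIME_SERVICES_DATA = 5, 6
EFI_CONVENTIONAL_MEMORY, EFI_UNUSABLE_MEMORY = 7, 8
EFI_ACPI_RECLAIM, EFI_ACPI_NVS, EFI_MMIO, EFI_MMIO_PORT_SPACE = 9, 10, 11, 12

# Assumption for this example: only RAM-backed types are readable. Reserved,
# unusable and MMIO regions are the "special consideration" cases.
RAM_TYPES = {EFI_LOADER_CODE, EFI_LOADER_DATA, EFI_BOOT_SERVICES_CODE,
             EFI_BOOT_SERVICES_DATA, EFI_RUNTIME_SERVICES_CODE,
             EFI_RUNTIME_SERVICES_DATA, EFI_CONVENTIONAL_MEMORY,
             EFI_ACPI_RECLAIM, EFI_ACPI_NVS}

PAGE = 4096
# EFI_MEMORY_DESCRIPTOR: Type u32, pad u32, PhysicalStart u64, VirtualStart u64,
# NumberOfPages u64, Attribute u64 = 40 bytes. Firmware reports its own stride
# (mmap_desc_size, 48 on the machine above), which must be used when walking.
DESC_FMT = '<IIQQQQ'
DESC_SIZE = 48


def pack_map(entries, desc_size=DESC_SIZE):
    """Build a constructed map blob from (type, phys_start, n_pages) tuples."""
    out = bytearray()
    for typ, start, pages in entries:
        out += struct.pack(DESC_FMT, typ, 0, start, 0, pages, 0).ljust(desc_size, b'\0')
    return bytes(out)


def parse_map(blob, desc_size):
    """Return [(type, start, end)] for every descriptor, stepping by desc_size."""
    regions = []
    for off in range(0, len(blob) - desc_size + 1, desc_size):
        typ, _, start, _, pages, _ = struct.unpack_from(DESC_FMT, blob, off)
        regions.append((typ, start, start + pages * PAGE))
    return regions


def region_for(regions, offset):
    """The descriptor covering offset, or None if the map does not list it."""
    for typ, start, end in regions:
        if start <= offset < end:
            return typ, start, end
    return None


def is_accessible(regions, offset):
    """True only when the offset lies in a region of a RAM-backed type;
    offsets outside the map are treated as inaccessible."""
    r = region_for(regions, offset)
    return r is not None and r[0] in RAM_TYPES


def safe_read(backing, regions, offset, n, allow_unsafe=False):
    """Read n bytes at offset. With safety on, if any page in the range is
    not accessible the whole read returns zeros, mirroring the documented
    silent failure; with allow_unsafe the backing store is read directly."""
    if not allow_unsafe:
        first_page = offset - offset % PAGE
        for page in range(first_page, offset + n, PAGE):
            if not is_accessible(regions, page):
                return b'\0' * n
    return backing[offset:offset + n].ljust(n, b'\0')


# Constructed sample map: RAM, a 64 KiB MMIO window, then RAM again.
CONSTRUCTED_MAP = pack_map([
    (EFI_CONVENTIONAL_MEMORY, 0x00000, 16),
    (EFI_MMIO,                0x10000, 16),
    (EFI_CONVENTIONAL_MEMORY, 0x20000, 16),
])
# Constructed backing store standing in for physical memory (192 KiB).
BACKING = bytes(range(256)) * (0x30000 // 256)

if __name__ == '__main__':
    regs = parse_map(CONSTRUCTED_MAP, DESC_SIZE)
    for off in (0x100, 0x10000, 0xfffe):
        print(hex(off), safe_read(BACKING, regs, off, 4).hex(),
              safe_read(BACKING, regs, off, 4, allow_unsafe=True).hex())
```

Two details matter when doing this against a real map: the stride comes from `mmap_desc_size`, not from `sizeof(EFI_MEMORY_DESCRIPTOR)`, and a read that straddles a page boundary must be checked page by page, since the first byte being in RAM says nothing about the last.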