{"id":13738911,"url":"https://github.com/n0fate/volafox","last_synced_at":"2025-05-08T18:31:20.853Z","repository":{"id":28787437,"uuid":"32310199","full_name":"n0fate/volafox","owner":"n0fate","description":"Mac OS X Memory Analysis Toolkit","archived":false,"fork":false,"pushed_at":"2016-07-25T00:39:38.000Z","size":14350,"stargazers_count":162,"open_issues_count":0,"forks_count":38,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-08-04T04:04:31.295Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n0fate.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-03-16T08:12:08.000Z","updated_at":"2024-08-01T03:35:46.000Z","dependencies_parsed_at":"2022-07-16T06:00:29.817Z","dependency_job_id":null,"html_url":"https://github.com/n0fate/volafox","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n0fate%2Fvolafox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n0fate%2Fvolafox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n0fate%2Fvolafox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n0fate%2Fvolafox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n0fate","download_url":"https://codeload.github.com/n0fate/volafox/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224753263,"owners_count":17364182,"icon_url":"https
://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T04:00:19.814Z","updated_at":"2024-11-15T08:31:21.977Z","avatar_url":"https://github.com/n0fate.png","language":"Python","funding_links":[],"categories":["Tools","Tool"],"sub_categories":["Analysis / Gathering tool (Know your ennemies)","Memory Analysis"],"readme":"# volafox\n## Introduction\nvolafox, a.k.a. 'Mac OS X Memory Analysis Toolkit', is developed in Python 2.x\n\n*_please check out our repository for all features, including experimental ones_*\n\n## License\nGNU GPL v2\n\n## System Environment\n*Language*: Python 2.x \u003cbr\u003e\n*Architecture*: Intel 32/64 bit\u003cbr\u003e\n*Officially supported OS*: Snow Leopard(10.6), Lion(10.7), Mountain Lion(10.8), Mavericks(10.9), *Yosemite(10.10), El Capitan(10.11)*\u003cbr\u003e\n\n### Requirement\n* Kernel Symbol List\n * overlay data (included in the repo, from Snow Leopard to El Capitan)\n\n* Memory Image\n * Raw memory image (FireWire, VMware memory image)\n * Exported raw memory image using rekal developed by Google\n    * command : rekal aff4export -D . [AFF4 IMAGE] =\u003e output filename : Physical Memory\n * Flattened Mac Memory Reader format using flatten.py (32bit, 64bit) =\u003e MMR does not support OS X Mountain Lion or later at present.\n\n## Information\n    volafox: Mac OS X Memory Analysis Toolkit\n    project: https://github.com/n0fate/volafox\n    support: 10.6-11(Snow Leopard ~ El Capitan); 32/64-bit kernel\n      input: raw memory image (*.mem) or raw memory image exported using rekal developed by Google\n      -\u003e If you have an AFF4 image, you can export a linear memory image with the following command : rekal aff4export -D . [AFF4 MEMORY IMAGE]\n    \n      usage: python vol.py -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID][-x SYMFILENAME]]\n    \n    Options:\n    -o CMD            : Print kernel information for CMD (below)\n    -p PID            : List open files for PID (where CMD is \"lsof\" and dumpfile)\n    -v                : Print all files, including unsupported types (where CMD is \"lsof\")\n    -x PID/KID/TASKID/SYMBOLNAME/Virtual ADDRESS :\n       Dump process/task/kernel extension address space for PID/KID/Task ID (where CMD is \"ps\"/\"kextstat\"/\"tasks\"/\"machdump\"/\"dumpsym\"/\"dumpfile\")\n    \n    COMMANDS:\n    system_profiler : Kernel version, CPU, and memory spec, Boot/Sleep/Wakeup time\n    mount           : Mounted filesystems\n    kextstat        : KEXT (Kernel Extensions) listing\n    kextscan        : Scanning KEXT (Kernel Extensions) (64bit OS only)\n    ps              : Process listing\n    tasks           : Task listing (Finding process hiding)\n    machdump        : Dump macho binary and relocation for analysis\n    systab          : Syscall table (Hooking detection)\n                      =\u003e Call number 427 is a known bug, not a hook.\n    mtt             : Mach trap table (Hooking detection)\n    netstat         : Network socket listing (Hash table)\n    lsof            : Open files listing by process (research, osxmem@gmail.com)\n    dumpfile        : Dump a file from memory (requires the -p and -x options)\n    pestate         : Show boot information\n    efiinfo         : EFI System Table, EFI Runtime Services\n    keychaindump    : Dump master key candidates for decrypting the keychain (Lion ~ El Capitan)\n    dmesg           : Debug messages from boot time\n    uname           : Print the Unix name (uname)\n    hostname        : Print the hostname\n    notifiers       : Detect I/O Kit function hooking\n    trustedbsd      : Show TrustedBSD MAC Framework\n    bash_history    : Show history in bash process\n    sysctl          : Show the same result as the sysctl command\n    dumpsym         : Dump KASLR-adjusted kernel symbol addresses to a file (for RCE)\n    \n    Kernel Rootkit Detection: (testing code by n0fate) - required library : distorm3\n    kdebug_hook     : Examine the KDebug function code for malicious-code detection\n    kauth_hook      : Examine KAUTH for malicious code hiding from anti-virus\n    bsm_hook        : Examine the auto_commit function in OpenBSM\n    fbt_syscall     : Examine the syscall table for hooking by the DTrace FBT provider\n\n\n# volafox for BSD\n* Experimental - I just keep it for researchers\n\n# Introduction\n*FreeBSD Memory Analysis Toolkit*\u003cbr\u003e\n*Tested OS:* FreeBSD x86 7.x, 8.x\u003cbr\u003e\n\n### Requirement\n* Kernel Image(kernel)\n* Memory Image\n\n## Information\n* KLD list\n* KLD dump\n* System call hooking detection\n* Process list(LIST, HASH) (0.2 beta2\u003c=)\n* *Process dump* (HASH)\n* Network Information (IP, Port, flag) (0.2 beta2\u003c=)\n* Module list in KLD (0.2 beta1\u003c=)\u003cbr\u003e\n\n\n\u003cb\u003eicon source\u003c/b\u003e : www.kaishinlab.com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn0fate%2Fvolafox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn0fate%2Fvolafox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn0fate%2Fvolafox/lists"}