Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hexploitable/MEMSCAN

A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
https://github.com/hexploitable/MEMSCAN

Last synced: 3 months ago
JSON representation

A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.

Host: GitHub
URL: https://github.com/hexploitable/MEMSCAN
Owner: hexploitable
Created: 2015-02-10T10:17:18.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2017-04-18T10:39:15.000Z (over 7 years ago)
Last Synced: 2024-04-20T18:22:17.863Z (7 months ago)
Language: Objective-C++
Size: 96.7 KB
Stars: 90
Watchers: 11
Forks: 23
Open Issues: 5
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - hexploitable/MEMSCAN - A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes. (Objective-C++)

README

# MEMSCAN

[![Build Status](https://travis-ci.org/hexploitable/MEMSCAN.svg?branch=master)](https://travis-ci.org/hexploitable/MEMSCAN)

![image](screenshots/memscan_banner.png)

As far as the scanner is concerned, I'm finished with it. I'm going to do a final sweep and remove superfluous code and then I'll land the final commit.

Tweet me: `@Hexploitable`

## Building MEMSCAN
To build MEMSCAN, you will need to have theos installed. Well, you don't really need it but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

`make package install`

## Usage
### Dumping the memory of a process
1. Obtain the target process PID, using `ps`.
2. Provide the PID to memscan:

`./memscan -p -d`

### Finding objects in memory

1. Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

2. Write the signature to a file, make sure to encode the bytes like so:

`echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle`

3. Run the scanner against the target process. It will locate the signature in memory and print it's address. The signature has to be passed in as bytes, not a literal string so use the scanner as shown:

`./memscan -p -s `

e.g:

`./memscan -p 1234 -s ./needle`

4. MEMSCAN should then print the address where the needle is located in memory.

## Resources
There are some fantastic resources out there which can help you develop similar concepts or to improve on this utility.

The most useful resource was a book called "Mac OS X Internals: A Systems Approach" which even provides sample code snippets to help you.

It's been brought to my attention there is another stack of tools which does similar things, called [Radare](https://github.com/radare/radare2), which you should check out as it's pretty cool.

## Contact
For any issues or concerns, contact me on Twitter: `@Hexploitable`.

If you need more than 140 characters, open an issue here.