Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/theopolis/volafoxie
Volafoxie is a custom version of n0fate's volafox. Volafoxie intends to bring a volatility look/feel to the application, as well as provide a small playground for my volatile analysis learning. Definitely a WIP.
https://github.com/theopolis/volafoxie
Last synced: 19 days ago
JSON representation
Volafoxie is a custom version of n0fate's volafox. Volafoxie intends to bring a volatility look/feel to the application, as well as provide a small playground for my volatile analysis learning. Definitely a WIP.
- Host: GitHub
- URL: https://github.com/theopolis/volafoxie
- Owner: theopolis
- Created: 2012-05-18T22:59:27.000Z (over 12 years ago)
- Default Branch: master
- Last Pushed: 2012-05-19T17:25:44.000Z (over 12 years ago)
- Last Synced: 2023-03-22T18:12:44.692Z (over 1 year ago)
- Language: Python
- Size: 2.89 MB
- Stars: 2
- Watchers: 3
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README
Awesome Lists containing this project
README
== Intro ==
Volafoxie is a custom version of n0fate's volafox. Volafoxie intends to bring a
volatility look/feel to the application, as well as provide a small playground for
my volatile analysis learning. Definitely a WIP.
== Reading Physical Memory ==
There are several ways on OS X (as of this writing, 10.7.3) to read Physical Memory:
(1) Download MacMemoryReader
[http://www.cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader]
Without using their program, look in 'supportfiles' for the devmem 10X
for your version of OS X:
../MacMemoryReader/supportfiles/
├── PE_state_raw.dtrace
├── devmem.104x.tgz
├── devmem.105x.tgz
├── devmem.106x.tgz
├── devmem.107x.tgz
$ tar xzf devmem.107x.tgz
# chown -R root:wheel devmem.kext
# kextload devmem.kext
(2) Follow the Chapter 8 guide from OS X Internals
[http://osxbook.com/book/bonus/chapter8/kma/]
This requires you to compile a KernelMemoryAccess driver using Xcode. I tried
to write a Makefile for it without success. And I wasn't able to compile without
XNU version 1228.9.59.
(3) Set kmem=1 in your boot-args through nvram
Check to make sure you don't have any existing boot-args
$ nvram -p | grep boot-args
If you do, make sure you include them:
# nvram boot-args="kmem=1"
(4) Create an OS X VMware Virtual Machine using VMware Fusion, then use the
corresponding *.vmem file.
(5) Others, like reading the memory using RDMA.
== How to Use Volafoxie ==
It requires Python >2.7 at the moment.
$ python ./volafoxie -h
== Volafox / Volatility ==
Check out [http://code.google.com/p/volafox/] volafox!
Check out [http://code.google.com/p/volatility/] volatility!