2014-04-23 10:38:32 -05:00


volafox

Notes

volafox: Mac OS X Memory Analysis Toolkit

Help Text

volafox: Mac OS X Memory Analysis Toolkit
project: http://code.google.com/p/volafox
support: 10.6-8; 32/64-bit kernel
  input: *.vmem (VMWare memory file), *.mmr (Mac Memory Reader, flattened x86, IA-32e)
  usage: python /usr/bin/volafox -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID]]

Options:
-o CMD            : Print kernel information for CMD (below)
-p PID            : List open files for PID (where CMD is "lsof")
-v                : Print all files, including unsupported types (where CMD is "lsof")
-x PID/KID/TASKID : Dump process/task/kernel extension address space for PID/KID/Task ID (where CMD is "ps"/"kextstat"/"tasks")

COMMANDS:
system_profiler : Kernel version, CPU, and memory spec, Boot/Sleep/Wakeup time
mount           : Mounted filesystems
kextstat        : KEXT (Kernel Extensions) listing
ps              : Process listing
tasks           : Task listing (& Matching Process List)
systab          : Syscall table (Hooking Detection)
mtt             : Mach trap table (Hooking Detection)
netstat         : Network socket listing (Hash table)
lsof            : Open files listing by process (research, osxmem@gmail.com)
pestate         : Show Boot information (experiment)
efiinfo         : EFI System Table, EFI Runtime Services(experiment)
keychaindump    : Dump master key candidates for decrypting keychain(Lion, ML)


Example Usage
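The page gives no usage example, so here is an added one (not taken from the Kali wiki or the volafox project): a POSIX shell triage wrapper written from the usage line and command table above. It assumes volafox is installed at /usr/bin/volafox as the help text shows, and that IMAGE is a supported *.vmem or *.mmr capture.

```shell
#!/bin/sh
# Added example, not from the Kali wiki page or the volafox project. Assumes
# volafox at /usr/bin/volafox (override with the VOLAFOX environment variable).
VOLAFOX="${VOLAFOX:-/usr/bin/volafox}"

# Commands from the help text, in the order a first pass would run them:
# baseline facts, then the two hooking-detection tables, then live state.
TRIAGE_CMDS="system_profiler mount kextstat systab mtt ps tasks netstat"

# Return 0 if NAME is a command listed in the help text, 1 otherwise.
known_cmd() {
    case " $TRIAGE_CMDS lsof pestate efiinfo keychaindump " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command line for one volafox invocation. An optional third
# argument is passed as a PID to lsof (-p) or as a PID/KID/TASKID dump
# target (-x) for ps/kextstat/tasks, following the option table above.
volafox_cmd() {
    image="$1"; cmd="$2"; id="$3"
    known_cmd "$cmd" || { echo "unknown volafox command: $cmd" >&2; return 1; }
    set -- python "$VOLAFOX" -i "$image" -o "$cmd"
    if [ -n "$id" ]; then
        case "$cmd" in
            lsof) set -- "$@" -p "$id" ;;
            ps|kextstat|tasks) set -- "$@" -x "$id" ;;
        esac
    fi
    printf '%s\n' "$*"
}

# Run every triage command against IMAGE, one output file per command under
# OUTDIR, so the systab/mtt tables and kext list can be diffed against a
# known-clean image of the same OS build.
triage() {
    image="$1"; outdir="${2:-volafox-out}"
    mkdir -p "$outdir"
    for c in $TRIAGE_CMDS; do
        echo "[*] $c -> $outdir/$c.txt"
        python "$VOLAFOX" -i "$image" -o "$c" > "$outdir/$c.txt" 2>&1 \
            || echo "    $c exited non-zero; see $outdir/$c.txt"
    done
}

# usage: sh volafox_triage.sh IMAGE [OUTDIR]
[ "$#" -ge 1 ] && [ -f "$1" ] && triage "$1" "$2"
```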
