mirror of
https://github.com/mubix/kaliwiki.git
synced 2025-10-29 16:59:26 +00:00
45 lines
1.5 KiB
Markdown
# volafox

Notes
-------
volafox: Mac OS X Memory Analysis Toolkit

Help Text
-------
```
volafox: Mac OS X Memory Analysis Toolkit
project: http://code.google.com/p/volafox
support: 10.6-8; 32/64-bit kernel
input: *.vmem (VMWare memory file), *.mmr (Mac Memory Reader, flattened x86, IA-32e)
usage: python /usr/bin/volafox -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID]]

Options:
-o CMD : Print kernel information for CMD (below)
-p PID : List open files for PID (where CMD is "lsof")
-v : Print all files, including unsupported types (where CMD is "lsof")
-x PID/KID/TASKID : Dump process/task/kernel extension address space for PID/KID/Task ID (where CMD is "ps"/"kextstat"/"tasks")

COMMANDS:
system_profiler : Kernel version, CPU, and memory spec, Boot/Sleep/Wakeup time
mount : Mounted filesystems
kextstat : KEXT (Kernel Extensions) listing
ps : Process listing
tasks : Task listing (& Matching Process List)
systab : Syscall table (Hooking Detection)
mtt : Mach trap table (Hooking Detection)
netstat : Network socket listing (Hash table)
lsof : Open files listing by process (research, osxmem@gmail.com)
pestate : Show Boot information (experiment)
efiinfo : EFI System Table, EFI Runtime Services(experiment)
keychaindump : Dump master key candidates for decrypting keychain(Lion, ML)

```

Example Usage
-------
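A triage wrapper for the listing commands in the help text, added here as an example; it is not part of the original wiki page or of the volafox project. It uses only the `-i` and `-o` flags shown above; the function names, the `VOLAFOX` and `PYTHON` variables and the output directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not volafox's own code: run the read-only listing commands
# from the help text against one image and keep one output file per command.
# Assumptions: function names, VOLAFOX and PYTHON variables, output layout.
VOLAFOX="${VOLAFOX:-/usr/bin/volafox}"   # path taken from the usage line
PYTHON="${PYTHON:-python}"
# Listing commands only; -x dumps and keychaindump are deliberately left out.
TRIAGE_CMDS="system_profiler mount kextstat ps tasks systab mtt netstat"

# Succeeds only for the input types the help text names (*.vmem, *.mmr).
supported_image() {
  case "$1" in
    *.vmem|*.mmr) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the command line for one volafox command against an image.
volafox_cmdline() {
  printf '%s %s -i %s -o %s\n' "$PYTHON" "$VOLAFOX" "$1" "$2"
}

# Print every command line the triage would run (dry run), one per line.
triage_plan() {
  supported_image "$1" || { echo "unsupported image type: $1" >&2; return 2; }
  for cmd in $TRIAGE_CMDS; do volafox_cmdline "$1" "$cmd"; done
}

# Run the plan: OUTDIR/<command>.txt holds stdout, OUTDIR/<command>.err stderr.
triage() {
  image=$1; outdir=$2
  supported_image "$image" || { echo "unsupported image type: $image" >&2; return 2; }
  [ -r "$image" ] || { echo "cannot read $image" >&2; return 1; }
  mkdir -p "$outdir" || return 1
  failed=0
  for cmd in $TRIAGE_CMDS; do
    "$PYTHON" "$VOLAFOX" -i "$image" -o "$cmd" \
      > "$outdir/$cmd.txt" 2> "$outdir/$cmd.err" \
      || { echo "$cmd failed, see $outdir/$cmd.err" >&2; failed=1; }
  done
  return "$failed"
}

# Usage: sh triage.sh IMAGE OUTDIR   (nothing runs without both arguments)
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

Calling `triage_plan IMAGE` first shows the exact command lines before anything touches the image.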

Links
-------
[1] https://code.google.com/p/volafox/