blackosx Posted August 14, 2014 Share Posted August 14, 2014 I've created a bash script to dump memory regions to disk and scan them for a byte sequence. This may come in handy when looking for specific data in memory. The script uses: - pmem.kext driver - FirmwareMemoryMap dtrace script - bgrep tool An overview of the process is: - Create memory map, or check for one previously saved. - Check for pmem driver. Load it if not installed. - Ask for a hex string to find, or use a previously saved one. - Ask for which memory region types you wish to scan. - Display the regions to scan and their sizes. - Check for available disk space for total size of regions then ask to proceed. - Create a directory for saving the memory blocks - Write each block to disk and scan for byte sequence, printing offset of any match. - Unload pmem driver (if the script loaded it). On first run the script will ask to create a memory map which it saves as memmap.txt to the same directory as the script. Note: This memory map will probably only be useful for the currently booted system (though it may remain the same if rebooting in to the same OS X install using the same loader without making any changes). It will definitely be incorrect if you reboot in to a different version of OS X or use a different loader. Best practice will be to delete the memmap.txt file after a reboot. It will then need some hex bytes to search for. You can type these in to the terminal when prompted. The script will save these search bytes to a hexStringToFind.txt file. If you have a long byte sequence to search for then you may be better off creating yourself a hexStringToFind.txt file with the bytes already in before hand. If this file is in the same directory as the script then the script will read it in and use the contents as the search string. Once you've chosen which memory type to scan and agreed to proceed, the script will create a 'MemoryDumps' directory in the same directory as the script and continue to write the memory blocks in to it. The script does check to make sure there's enough available space before it begins writing. Each block is then scanned for a match of the hex string. Any matches have the offset displayed. If there are no matches then you won't see anything. The script ends with the 'Scanning complete' message. After you've run the script and have some dump memory regions saved to disk, you can search the same dumped regions again by either running v0.3+ of the script, or manually searching for byte sequences in the regions using the Terminal: /path/to/bgrep <Hex> <Region> Example: ~/Desktop/DumpAndScanMem_v0.31/Resources/bgrep 4150504C45 ~/Desktop/DumpAndScanMem_v0.31/MemoryDumps/LoaderData\ /LoaderData\ _0000000000800000 If you wish to use the script to search the same memory regions again for a different hex string you will need to either manually edit the hexStringToFind.txt file (in the same directory as the script) and change the contents to the new byte sequence, or delete the hexStringToFind.txt file and the script will ask you for a new hex string. DumpAndScanMem_v0.2.zip EDIT: - Added option to scan existing memory dumps on next run to save writing new dumps. - Print hex search string to stdout. DumpAndScanMem_v0.3.zip EDIT2: - Added an option to dump just the specific regions as listed by Pike below. (Thanks Pike). DumpAndScanMem_v0.31.zip EDIT3: - Simplify memory map reading routine. - Available memory regions are now listed dynamically rather than from a static list. - Changed wording of ‘Specific’ memory region dump to ‘Intel Graphics Memory Regions’. - Human readable size routine now also prints bytes. DumpAndScanMem_v0.32.zip EDIT4: - Removed unused AUTO option from code. - User now chooses which memory region type to dump first, then supplies search string. - User now has the option of not scan for any hex and just dump memory regions. - User can now opt to not use previously saved hex search string. DumpAndScanMem_v0.33.zip 5 Link to comment Share on other sites More sharing options...
Pike R. Alpha Posted August 14, 2014 Share Posted August 14, 2014 Excellent work! You may want to add a few lines to dump the following regions in darwin dumper: 0x00000, 0x00fff); /* VGA registers */ 0x02000, 0x02fff); /* instruction, memory, interrupt control registers */ 0x03000, 0x031ff); /* FENCE and PPGTT control registers */ 0x03200, 0x03fff); /* frame buffer compression registers */ 0x05000, 0x05fff); /* I/O control registers */ 0x06000, 0x06fff); /* clock control registers */ 0x07000, 0x07fff); /* 3D internal debug registers */ 0x07400, 0x088ff); /* GPE debug registers */ 0x0a000, 0x0afff); /* display palette registers */ 0x10000, 0x13fff); /* MMIO MCHBAR */ 0x30000, 0x3ffff); /* overlay registers */ 0x60000, 0x6ffff); /* display engine pipeline registers */ 0x70000, 0x72fff); /* display and cursor registers */ 0x73000, 0x73fff); /* performance counters */ Link to comment Share on other sites More sharing options...
blackosx Posted August 15, 2014 Author Share Posted August 15, 2014 Thanks for your input Pike. I have added the memory regions you've listed as a 'Specific' dump option to v0.31 of this script. I have to admit that I don't yet know how to interpret those regions but I will look for some documentation about them. EDIT: Found an Intel data sheet showing these are from the Graphics Controller Register Memory and I/O Map. With regards to DarwinDumper, I will add some memory dumping options, though I just haven't worked out exactly what yet. Link to comment Share on other sites More sharing options...
Pike R. Alpha Posted August 15, 2014 Share Posted August 15, 2014 Great. Thank you! Link to comment Share on other sites More sharing options...
Recommended Posts