OSX Plugins

Support for OSX/Darwin analysis.

address_resolver

A Darwin-specific address resolver plugin. It looks up the names given with symbol in the kernel and its loaded modules and reports the address each resolves to.

Plugin Arguments

symbol

List of symbols to lookup (type: ArrayString)

  • Default: empty list

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

arp

Show information about arp tables.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

boot_cmdline

Prints the kernel command line.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

check_syscalls

Checks the syscall table for hooks.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

check_trap_table

Checks the traps table for hooks.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

dmesg

Print the kernel debug messages.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

dump_zone

Dumps an allocation zone’s contents.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

zone

Name of the allocation zone to dump.

  • Default: buf.512

dumpcompressedmemory

Dumps all compressed pages (pages held by the kernel memory compressor) into dump_dir.

Plugin Arguments

dump_dir

Path suitable for dumping files. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

find_dtb

Tries to find the DTB address for the Darwin/XNU kernel.

As the XNU kernel evolved over the years, the best way of deriving this information changed, so this plugin offers several methods of finding the DTB. find_dtb selects the best method for the profile automatically and falls back to less reliable methods if the preferred one fails.

Plugin Arguments

vm_kernel_slide

OS X 10.8 and later: the kernel ASLR slide (the value that find_kaslr recovers). (type: IntParser)

find_kaslr

A scanner for KASLR slide values in the Darwin kernel.

The scanner works by locating a known data structure in memory and comparing where it is actually found with where the profile says it should be; the difference is the slide. Verification is a similar process using a second constant. This takes advantage of the fact that both data structures live in a region of kernel memory that maps to physical memory in a predictable way (see ID_MAP_VTOP), so the comparison can be made on physical offsets.

Human-readable output includes the kernel version string (which is used for validation) so that false positives can be reviewed manually.
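
The scan-then-verify idea described above, as an added illustrative example (this is not Rekall's find_kaslr and the profile constants, the identity-map base and the version string in the constructed image are all invented for the example): the scanner finds every copy of the kernel version string in a constructed physical image, derives a candidate slide from each, and accepts only a candidate for which a second constant also appears at its slid location, so a stray copy of the string is reported but not selected.

```python
"""Illustrative KASLR-slide scanner in the style of find_kaslr (not Rekall's code)."""
import re
import struct

# Assumed profile constants (invented for this example; a real profile supplies
# the unslid addresses of the version string and of a second known datum).
KERNEL_BASE_VA = 0xFFFFFF8000000000     # start of the identity-mapped kernel region
VERSION_VA = KERNEL_BASE_VA + 0x100000  # unslid VA of the kernel "version" string
MAGIC_VA = KERNEL_BASE_VA + 0x110000    # unslid VA of a second constant used to verify
MAGIC_VALUE = 0xFEEDFACF                # 32-bit value expected at MAGIC_VA once slid
PAGE = 0x1000

# The version string always begins this way; the rest is printable ASCII, NUL-terminated.
VERSION_RE = re.compile(rb"Darwin Kernel Version [\x20-\x7e]{1,200}\x00")


def id_map_vtop(va):
    """ID_MAP_VTOP: in the identity-mapped region, PA = VA minus the fixed base."""
    return va - KERNEL_BASE_VA


def kaslr_candidates(phys_mem):
    """Yield (slide, version_string, verified) for every plausible hit in the image.

    The candidate slide is the distance between where the version string actually
    sits and where the profile says it should sit. A candidate is verified only if
    the second constant is also found at its own slid location.
    """
    expected_pa = id_map_vtop(VERSION_VA)
    for m in VERSION_RE.finditer(phys_mem):
        slide = m.start() - expected_pa
        if slide < 0 or slide % PAGE:
            continue                          # a slide is never negative or sub-page
        version = m.group()[:-1].decode("ascii")
        magic_pa = id_map_vtop(MAGIC_VA) + slide
        verified = (magic_pa + 4 <= len(phys_mem) and
                    struct.unpack_from("<I", phys_mem, magic_pa)[0] == MAGIC_VALUE)
        yield slide, version, verified


def find_kaslr(phys_mem):
    """Return (slide, version_string) for the first verified candidate, else None."""
    for slide, version, verified in kaslr_candidates(phys_mem):
        if verified:
            return slide, version
    return None


def build_image(slide=0x200000, size=0x400000):
    """Constructed 4 MiB 'physical memory' image holding the slid kernel data plus a
    page-aligned decoy copy of the version string that no second constant backs."""
    mem = bytearray(size)
    version = b"Darwin Kernel Version 0.0.0: constructed sample image\x00"  # constructed
    real_off = id_map_vtop(VERSION_VA) + slide
    mem[real_off:real_off + len(version)] = version
    struct.pack_into("<I", mem, id_map_vtop(MAGIC_VA) + slide, MAGIC_VALUE)
    decoy_off = id_map_vtop(VERSION_VA) + 0x80000   # would imply a slide of 0x80000
    mem[decoy_off:decoy_off + len(version)] = version
    return bytes(mem)


if __name__ == "__main__":
    image = build_image()
    for slide, version, verified in kaslr_candidates(image):
        print("slide=0x%x verified=%s version=%r" % (slide, verified, version))
    print("selected:", find_kaslr(image))
```

Running the block lists both candidates (0x80000 unverified, 0x200000 verified) and selects the verified one; the unverified candidate is exactly the kind of false positive the plugin prints the version string for.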

ip_filters

Check IP Filters for hooks.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

lsmod

Lists all kernel modules.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

lsof

Walks the open files of each proc in order and prints PID, FD and the handle.

Each process has an array of pointers to fileproc structs; the index into the array is the file descriptor number, and each fileproc struct represents a handle on some resource. A type field in the fileproc determines what kind of resource it points to (e.g. vnode, socket, pipe, ...).
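
The walk described above, as an added illustrative example (not Rekall's lsof; the struct layouts and offsets are simplified and invented for the example, whereas the real plugin takes them from the profile): starting from a proc, follow its file table to the fileproc pointer array, treat the array index as the fd, skip empty slots, and read the type field of each fileproc. The DTYPE_* numbers are the ones defined in XNU's sys/file_internal.h.

```python
"""Illustrative open-file walk in the style of lsof (not Rekall's code); layout simplified."""
import struct

# DTYPE_* values as defined in XNU's sys/file_internal.h.
DTYPE = {1: "vnode", 2: "socket", 3: "psxshm", 4: "psxsem",
         5: "kqueue", 6: "pipe", 7: "fsevents"}


def u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def u64(mem, off):
    return struct.unpack_from("<Q", mem, off)[0]


def walk_open_files(mem, proc_addr):
    """Yield (pid, fd, type, handle) for every open descriptor of one proc.

    Assumed, simplified layouts (a Rekall profile supplies the real offsets):
      proc      { u32 p_pid; u32 pad; u64 p_fd }        -> filedesc
      filedesc  { u64 fd_ofiles; u32 fd_nfiles }        -> array of fileproc*
      fd_ofiles [ u64 fileproc* ... ]   index == fd; 0 == slot closed
      fileproc  { u32 f_type; u32 pad; u64 f_data }     f_data is the handle
    Addresses are treated as offsets into the constructed image.
    """
    pid = u32(mem, proc_addr)
    filedesc = u64(mem, proc_addr + 8)
    if filedesc == 0:
        return                               # exiting/zombie proc: no file table
    ofiles = u64(mem, filedesc)
    nfiles = u32(mem, filedesc + 8)
    for fd in range(nfiles):
        fp = u64(mem, ofiles + 8 * fd)       # the array index is the fd number
        if fp == 0:
            continue                         # closed descriptor
        f_type = u32(mem, fp)
        handle = u64(mem, fp + 8)
        yield pid, fd, DTYPE.get(f_type, "unknown(%d)" % f_type), handle


def build_sample():
    """Constructed image: pid 4242 with fds 0 (vnode), 1 (socket), 3 (pipe); 2 and 4 closed."""
    mem = bytearray(0x1000)
    PROC, FILEDESC, OFILES, FP0, FP1, FP3 = 0x100, 0x200, 0x300, 0x400, 0x480, 0x500
    struct.pack_into("<IIQ", mem, PROC, 4242, 0, FILEDESC)
    struct.pack_into("<QI", mem, FILEDESC, OFILES, 5)
    struct.pack_into("<5Q", mem, OFILES, FP0, FP1, 0, FP3, 0)
    struct.pack_into("<IIQ", mem, FP0, 1, 0, 0xDEAD0000)   # vnode handle
    struct.pack_into("<IIQ", mem, FP1, 2, 0, 0xBEEF0000)   # socket handle
    struct.pack_into("<IIQ", mem, FP3, 6, 0, 0xCAFE0000)   # pipe handle
    return bytes(mem), PROC


if __name__ == "__main__":
    mem, proc = build_sample()
    for pid, fd, kind, handle in walk_open_files(mem, proc):
        print("pid=%d fd=%d %-7s handle=0x%x" % (pid, fd, kind, handle))
```

The closed slots are why output from a real image has gaps in the fd column, and a proc whose file table pointer is null (a process that is exiting) simply contributes no rows rather than an error.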

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

machine_info

Show information about this machine.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

maps

Display the process maps.

Plugin Arguments

pids

One or more pids of processes to select. (type: ArrayIntParser)

proc

Kernel addresses of proc structs. (type: ArrayIntParser)

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

mount

Show mount points.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

netstat

Prints all open sockets we know about, from any source.

Netstat will display even connections that lsof does not know about, because they were either recovered from an allocation zone or found through a secondary mechanism (such as the system call handler cache).

On the other hand, netstat does not know the file descriptor or, strictly speaking, the process that owns the connection (it does know the PID of the last process to access the socket).

Netstat will also tell you, in the style of psxview, if a socket was found by only some of the available methods; a socket that only one method sees deserves a closer look.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

notifiers

Detects hooks in I/O Kit IONotify objects.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

phys_map

Prints the EFI boot physical memory map.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

psaux

List processes with their commandline.

Plugin Arguments

pids

One or more pids of processes to select. (type: ArrayIntParser)

proc

Kernel addresses of proc structs. (type: ArrayIntParser)

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

psxview

Cross-references the process list obtained from several independent sources and shows, for each process, which of the methods found it. A process that appears in some columns but not in others may have been hidden (for example unlinked from a list a rootkit controls) and deserves a closer look.

Plugin Arguments

pids

One or more pids of processes to select. (type: ArrayIntParser)

proc

Kernel addresses of proc structs. (type: ArrayIntParser)

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

route

Show routing table.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

sysctl

Dumps the sysctl database.

On OS X the kernel is configured through the sysctl mechanism, which is analogous to /proc/sys and sysctl on Linux. The configuration space is a hierarchical namespace of MIBs, addressed by dotted names.

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/sysctl.8.html

For example:

  • net.inet.ip.subnets_are_local
  • net.inet.ip.ttl
  • net.inet.ip.use_route_genid

This is implemented as a singly linked list of sysctl_oid structs. Each struct has one of the following types:

  • CTLTYPE_INT means this MIB handles an int.
  • CTLTYPE_STRING means this MIB handles a string.
  • CTLTYPE_QUAD means this MIB handles a long long int.
  • CTLTYPE_NODE means this is a node which handles a sublevel of MIBs; its argument is a pointer to a new sysctl_oid_list for that sublevel.
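
The list walk described above, as an added illustrative example (not Rekall's sysctl plugin; the sysctl_oid layout used here is simplified and invented for the example, while the CTLTYPE_* and CTLFLAG_RD values are the ones from XNU's sys/sysctl.h): the walker follows the singly linked list, masks the type out of oid_kind, recurses into CTLTYPE_NODE entries to build dotted names, reads the value behind int, quad and string leaves, and refuses to loop forever on a corrupted list.

```python
"""Illustrative sysctl_oid tree walk in the style of the sysctl plugin (not Rekall's code)."""
import struct

# CTLTYPE_* and CTLFLAG_RD as defined in XNU's sys/sysctl.h; the low nibble of
# oid_kind carries the type, the high bits carry flags.
CTLTYPE_MASK = 0xF
CTLTYPE_NODE, CTLTYPE_INT, CTLTYPE_STRING, CTLTYPE_QUAD = 1, 2, 3, 4
CTLFLAG_RD = 0x80000000


def u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def u64(mem, off):
    return struct.unpack_from("<Q", mem, off)[0]


def cstr(mem, off):
    return mem[off:mem.index(b"\x00", off)].decode("ascii")


def walk_sysctl(mem, list_head, prefix="", seen=None):
    """Yield (dotted.name, type, value) for every leaf reachable from a sysctl_oid_list.

    Assumed, simplified sysctl_oid layout (a Rekall profile supplies the real one):
      { u64 oid_link; u32 oid_number; u32 oid_kind; u64 oid_arg1; u64 oid_name }
    A sysctl_oid_list is a single pointer (slh_first) to the first oid; each oid's
    oid_link points to the next. For CTLTYPE_NODE, oid_arg1 points to the child list.
    """
    seen = set() if seen is None else seen
    oid = u64(mem, list_head)
    while oid:
        if oid in seen:                      # corrupted or tampered list: do not spin forever
            raise ValueError("cycle in sysctl_oid list at 0x%x" % oid)
        seen.add(oid)
        kind = u32(mem, oid + 12) & CTLTYPE_MASK
        arg1 = u64(mem, oid + 16)
        name = prefix + cstr(mem, u64(mem, oid + 24))
        if kind == CTLTYPE_NODE:
            if arg1:                         # sublevel of MIBs
                yield from walk_sysctl(mem, arg1, name + ".", seen)
            else:                            # handler-backed node without a static child list
                yield name, "node", None
        elif kind == CTLTYPE_INT:
            yield name, "int", struct.unpack_from("<i", mem, arg1)[0]
        elif kind == CTLTYPE_QUAD:
            yield name, "quad", struct.unpack_from("<q", mem, arg1)[0]
        elif kind == CTLTYPE_STRING:
            yield name, "string", cstr(mem, arg1)
        else:
            yield name, "opaque", None
        oid = u64(mem, oid)                  # oid_link: next entry in the singly linked list


class Image:
    """Bump allocator over a constructed little-endian memory image."""
    def __init__(self, size=0x2000):
        self.mem, self.top = bytearray(size), 0x100

    def alloc(self, data):
        off = self.top
        self.mem[off:off + len(data)] = data
        self.top = (off + len(data) + 15) & ~15
        return off

    def chain(self, entries):
        """Allocate a linked list of oids from (name, ctltype, arg1); return the list head."""
        link = 0
        for name, kind, arg1 in reversed(entries):
            name_ptr = self.alloc(name.encode() + b"\x00")
            link = self.alloc(struct.pack("<QIIQQ", link, 0, CTLFLAG_RD | kind, arg1, name_ptr))
        return self.alloc(struct.pack("<Q", link))


def build_sample(cycle=False):
    """Constructed tree: kern.{ostype,maxproc} and net.inet.ip.{subnets_are_local,ttl}."""
    img = Image()
    ttl = img.alloc(struct.pack("<i", 64))
    local = img.alloc(struct.pack("<i", 0))
    ip = img.chain([("subnets_are_local", CTLTYPE_INT, local), ("ttl", CTLTYPE_INT, ttl)])
    net = img.chain([("inet", CTLTYPE_NODE, img.chain([("ip", CTLTYPE_NODE, ip)]))])
    kern = img.chain([("ostype", CTLTYPE_STRING, img.alloc(b"Darwin\x00")),
                      ("maxproc", CTLTYPE_INT, img.alloc(struct.pack("<i", 1064)))])
    root = img.chain([("kern", CTLTYPE_NODE, kern), ("net", CTLTYPE_NODE, net)])
    if cycle:                                # corrupt the ip list: ttl links back to its predecessor
        first = u64(img.mem, ip)
        struct.pack_into("<Q", img.mem, u64(img.mem, first), first)
    return bytes(img.mem), root


if __name__ == "__main__":
    mem, root = build_sample()
    for name, kind, value in walk_sysctl(mem, root):
        print("%-32s %-7s %r" % (name, kind, value))
```

The cycle guard matters in practice: a plugin that walks kernel lists from an image has no kernel locking to rely on, and a list that was mid-update, smeared across pages, or deliberately tampered with must produce an error rather than an endless walk.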

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

vaddump

Dump the VMA memory for a process.

Plugin Arguments

dump_dir

Path suitable for dumping files. (type: String)

pids

One or more pids of processes to select. (type: ArrayIntParser)

proc

Kernel addresses of proc structs. (type: ArrayIntParser)

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

yarascan

Scan using yara signatures.

Plugin Arguments

binary_string

A binary string to search for, written as hex byte pairs in yara hex-string form, so jumps such as [1-200] are allowed, e.g. 000102[1-200]0506 (type: String)

context

Context to print after the hit. (type: IntParser)

  • Default: 64

hits

Quit after finding this many hits. (type: IntParser)

  • Default: 10

pids

One or more pids of processes to select. (type: ArrayIntParser)

pre_context

Context to print before the hit. (type: IntParser)

  • Default: 0

proc

Kernel addresses of proc structs. (type: ArrayIntParser)

proc_regex

A regex to select a process by name. (type: RegEx)

scan_kernel

Scan the entire kernel address space. (type: Boolean)

  • Default: False

scan_physical

Scan the physical address space only. (type: Boolean)

  • Default: False

scan_process_memory

Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)

  • Default: False

string

A verbatim string to search for. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

yara_expression

If provided we scan for this yara expression. (type: String)

yara_file

The yara signature file to read. (type: String)
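
How a binary_string pattern such as 000102[1-200]0506 is matched against raw memory, as an added illustrative example (not Rekall's yarascan, which hands the pattern to yara; this stand-alone version compiles the same hex-string syntax, including ?? wildcard bytes and [n]/[n-m] jumps, into a bytes regex so it runs without yara installed). The scan function mirrors the hits, pre_context and context options; the sample buffer is constructed.

```python
"""Illustrative binary_string scanner in the style of yarascan (not Rekall's code)."""
import re

# One token of the binary_string: a hex byte, a ?? wildcard byte, a [n] or [n-m]
# jump, or whitespace between tokens.
TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|\[(\d+)(?:-(\d+))?\]|(\s+)")


def binary_string_to_regex(pattern):
    """Compile e.g. '000102[1-200]0506' into a bytes regex usable over raw memory."""
    parts, pos = [], 0
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if not m:
            raise ValueError("bad binary_string at offset %d: %r" % (pos, pattern[pos:]))
        byte, wild, lo, hi, _ws = m.groups()
        if byte:
            parts.append(b"\\x%02x" % int(byte, 16))    # one literal byte
        elif wild:
            parts.append(b".")                          # any single byte
        elif lo is not None:
            lo_i = int(lo)
            hi_i = int(hi) if hi is not None else lo_i
            if hi_i < lo_i:
                raise ValueError("reversed jump [%s-%s]" % (lo, hi))
            parts.append(b".{%d,%d}?" % (lo_i, hi_i))   # jump of lo..hi bytes, shortest first
        pos = m.end()
    if not parts:
        raise ValueError("empty binary_string")
    return re.compile(b"".join(parts), re.DOTALL)      # DOTALL: '.' must match 0x0a too


def scan(buf, pattern, hits=10, pre_context=0, context=64):
    """Return up to `hits` matches as (offset, matched_bytes, before, after)."""
    rx = binary_string_to_regex(pattern)
    out = []
    for m in rx.finditer(buf):
        out.append((m.start(), m.group(),
                    buf[max(0, m.start() - pre_context):m.start()],
                    buf[m.end():m.end() + context]))
        if len(out) >= hits:
            break
    return out


# Constructed sample buffer: gaps of 10 and 200 bytes fall inside [1-200]; 300 and 0 do not.
SAMPLE = (b"\x00\x01\x02" + b"A" * 10 + b"\x05\x06"
          + b"\x00\x01\x02" + b"C" * 200 + b"\x05\x06"
          + b"\x00\x01\x02" + b"B" * 300 + b"\x05\x06"
          + b"\x00\x01\x02" + b"\x05\x06")

if __name__ == "__main__":
    for off, hit, before, after in scan(SAMPLE, "000102[1-200]0506", context=8):
        print("0x%08x len=%d next=%r" % (off, len(hit), after))
```

Two details are worth noticing when writing patterns: a jump's upper bound is inclusive (the 200-byte gap matches), and a jump's lower bound of 1 excludes the adjacent case, so 000102 immediately followed by 0506 is not a hit for this pattern.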