Pentest Tools
Published on April 20th, 2016 📆 | 8368 Views ⚑
0MemScan — Memory Scanning Tool
A memory scanning tool which uses mach_vm* to either
dump memory or look for a specific sequence of bytes.
Building MEMSCAN
To build MEMSCAN, you will need to have theos installed. Well, you don’t really need it but it makes life easier. Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:
make package install
Memory Scanning Tool: MemScan Usage
Dumping the memory of a process
- Obtain the target process PID, using
ps
. - Provide the PID to memscan:
./memscan -p <PID> -d
[adsense size='1']
Finding objects in memory
- Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your “signature”.
- Write the signature to a file, make sure to encode the bytes like so:
echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle
- Run the scanner against the target process. It will locate the signature in memory and print it’s address. The signature has to be passed in as bytes, not a literal string so use the scanner as shown:
./memscan -p <pid> -s <Path to file containing needle>
e.g:./memscan -p 1234 -s ./needle
- MEMSCAN should then print the address where the needle is located in memory.
Source && Download
https://github.com/hexploitable/MEMSCAN/
Gloss