mem_scan (Mac OS X memory scanner)

About

mem_scan is a proof-of-concept memory editor that uses the mach_vm kernel calls to scan, read, and write integer values in the memory regions of other userland processes. The project includes an example target to test against.

It must be run as root to attach to userland processes.

Options

  • -p : The pid of the target process. Can be retrieved through ps.
  • -m : Display a memory map of all active regions of the target process.
  • -u : The upper limit of addresses to search.
  • -r : Display all addresses that have the passed integer value.
  • -f : Path to a file which contains a list of addresses generated by -r. Used to filter addresses successively.
  • -w : Address to write.
  • -v : Integer to write to address passed via the -w param.

Example Usage

# Use ps to get the pid
$ ps
  PID TTY           TIME CMD
 0001 ttys000    0:00.12 -bash
 1234 ttys001    0:00.06 target

# Search for our desired value
$ ./mem_scan -p 1234 -r 56 > addresses

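# Filter until we find our address
# (write to a new file: redirecting onto the -f input would truncate it before it is read)
$ ./mem_scan -p 1234 -r 55 -f addresses > addresses.new && mv addresses.new addresses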

# Write to our found address
$ ./mem_scan -p 1234 -w 0xDEADBEEF -v 100
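
The search-then-filter workflow above, as an added example that is not mem_scan's own code: it runs the same two passes over a local buffer instead of another process's memory read through the mach_vm calls. The 4-byte aligned integers, the function names and the sample data are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First pass (the -r idea): record each 4-byte-aligned offset holding `want`. */
size_t scan_region(const uint8_t *buf, size_t len, int32_t want,
                   size_t *out, size_t cap) {
    size_t n = 0;
    for (size_t off = 0; off + sizeof(int32_t) <= len; off += sizeof(int32_t)) {
        int32_t v;
        memcpy(&v, buf + off, sizeof v);      /* safe for any alignment */
        if (v == want && n < cap)
            out[n++] = off;
    }
    return n;
}

/* Later passes (the -f idea): keep only earlier hits that now hold `want`. */
size_t filter_candidates(const uint8_t *buf, size_t len, int32_t want,
                         size_t *cand, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t v;
        if (cand[i] > len || len - cand[i] < sizeof v)
            continue;                         /* stale offset outside the region */
        memcpy(&v, buf + cand[i], sizeof v);
        if (v == want)
            cand[kept++] = cand[i];
    }
    return kept;
}

/* Constructed data: three ints hold 56; the one at offset 8 then drops to 55. */
size_t demo(size_t *final_off) {
    int32_t region[8] = {56, 7, 56, 0, 1234, 56, 9, 55};
    size_t cand[8];
    size_t n = scan_region((const uint8_t *)region, sizeof region, 56, cand, 8);
    region[2] = 55;                           /* the target's value changes */
    n = filter_candidates((const uint8_t *)region, sizeof region, 55, cand, n);
    *final_off = n ? cand[0] : (size_t)-1;
    return n;
}

int main(void) {
    size_t off, n = demo(&off);
    return printf("%zu candidate(s) left, offset %zu\n", n, off) < 0;
}
```

The 55 already sitting at offset 28 is never reported, because the filter pass only revisits offsets that matched in the first pass.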

Code can be found here.