mem_scan is a POC memory editor that uses the mach_vm kernel calls to scan, read, and write integer memory regions of other userland processes. Included in the project is an example target that can be tested against.
It must be run as root to attach to userland processes.
-p: The pid of the target process. Can be retrieved through ps.
-m: Display a memory map of all active regions of the target process.
-u: The upper limit of addresses to search.
-r: Display all addresses that have the passed integer value.
-f: Path to a file which contains a list of addresses generated by
-r. Used to filter addresses successively.
-w: Address to write.
-v: Integer to write to address passed via the
# Use ps to get the pid $ ps PID TTY TIME CMD 0001 ttys000 0:00.12 -bash 1234 ttys001 0:00.06 target # Search for our desired value $ ./mem_scan -p 1234 -r 56 > addresses # Filter until we find our address $ ./mem_scan -p 1234 -r 55 -f addresses > addresses # Write to our found address $ ./mem_scan -p 1234 -w 0xDEADBEEF -v 100
Code can be found here.