Merge pull request #2052 from HackTricks-wiki/research_update_src_macos-hardening_macos-security-and-privilege-escalation_macos-files-folders-and-binaries_macos-memory-dumping_20260325_132445

carlospolop · web-flow · commit af64c1d1d23d · 2026-03-25T14:39:48.000+01:00
Research Update Enhanced src/macos-hardening/macos-security-...
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -11,6 +11,7 @@
 - [Pentesting Methodology](generic-methodologies-and-resources/pentesting-methodology.md)
 - [Fuzzing Methodology](generic-methodologies-and-resources/fuzzing.md)
 - [External Recon Methodology](generic-methodologies-and-resources/external-recon-methodology/README.md)
+  - [Database Leaks](generic-methodologies-and-resources/external-recon-methodology/database-leaks.md)
   - [Wide Source Code Search](generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md)
   - [Github Dorks & Leaks](generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md)
 - [Pentesting Network](generic-methodologies-and-resources/pentesting-network/README.md)
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md
@@ -24,7 +24,7 @@ Another important memory-related file in MacOS systems is the **memory pressure
 
 In order to dump the memory in a MacOS machine you can use [**osxpmem**](https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip).
 
-**Note**: The following instructions will only work for Macs with Intel architecture. This tool is now archived and the last release was in 2017. The binary downloaded using the instructions below targets Intel chips as Apple Silicon wasn't around in 2017. It may be possible to compile the binary for arm64 architecture but you'll have to try for yourself.
+**Note**: This is mostly a **legacy workflow** now. `osxpmem` depends on loading a kernel extension, the [Rekall](https://github.com/google/rekall) project is archived, the latest release is from **2017**, and the published binary targets **Intel Macs**. On current macOS releases, especially on **Apple Silicon**, kext-based full-RAM acquisition is usually blocked by modern kernel-extension restrictions, SIP, and platform-signing requirements. In practice, on modern systems you will more often end up doing a **process-scoped dump** instead of a whole-RAM image.
 
 ```bash
 #Dump raw format
@@ -52,7 +52,99 @@ sudo su
 cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
 ```
 
-{{#include ../../../banners/hacktricks-training.md}}
+## Live process dumping with LLDB
+
+For **recent macOS versions**, the most practical approach is usually to dump the memory of a **specific process** instead of trying to image all physical memory.
+
+LLDB can save a Mach-O core file from a live target:
+
+```bash
+sudo lldb --attach-pid <pid>
+(lldb) process save-core /tmp/target.core
+```
+
+By default this usually creates a **skinny core**. To force LLDB to include all mapped process memory:
+
+```bash
+sudo lldb --attach-pid <pid>
+(lldb) process save-core /tmp/target-full.core --style full
+```
+
+Useful follow-up commands before dumping:
+
+```bash
+# Show loaded images and main binary
+(lldb) image list
+
+# Inspect mapped regions and permissions
+(lldb) memory region --all
+
+# Dump only one interesting range
+(lldb) memory read --force --outfile /tmp/region.bin --binary <start> <end>
+```
+
+This is usually enough when the goal is to recover:
+
+- Decrypted configuration blobs
+- In-memory tokens, cookies, or credentials
+- Plaintext secrets that are only protected at rest
+- Decrypted Mach-O pages after unpacking / JIT / runtime patching
+
+If the target is protected by the **hardened runtime**, or if `taskgated` denies the attach, you typically need one of these conditions:
 
+- The target carries **`get-task-allow`**
+- Your debugger is signed with the proper **debugger entitlement**
+- You are **root** and the target is a non-hardened third-party process
+
+For more background on obtaining a task port and what can be done with it:
+
+{{#ref}}
+../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
+{{#endref}}
+
+## Selective dumps with Frida or userland readers
+
+When a full core is too noisy, dumping only **interesting readable ranges** is often faster. Frida is especially useful because it works well for **targeted extraction** once you can attach to the process.
+
+Example approach:
+
+1. Enumerate readable/writable ranges
+2. Filter by module, heap, stack, or anonymous memory
+3. Dump only the regions that contain candidate strings, keys, protobufs, plist/XML blobs, or decrypted code/data
+
+Minimal Frida example to dump all readable anonymous ranges:
+
+```javascript
+Process.enumerateRanges({ protection: 'rw-', coalesce: true }).forEach(function (range) {
+  try {
+    if (range.file) return;
+    var dump = range.base.readByteArray(range.size);
+    var f = new File('/tmp/' + range.base + '.bin', 'wb');
+    f.write(dump);
+    f.close();
+  } catch (e) {}
+});
+```
+
+This is useful when you want to avoid giant core files and only collect:
+
+- App heap chunks containing secrets
+- Anonymous regions created by custom packers or loaders
+- JIT / unpacked code pages after changing protections
+
+Older userland tools such as [`readmem`](https://github.com/gdbinit/readmem) also exist, but they are mainly useful as **source references** for direct `task_for_pid`/`vm_read` style dumping and are not well-maintained for modern Apple Silicon workflows.
+
+## Quick triage notes
+
+- `sysctl vm.swapusage` is still a quick way to check **swap usage** and whether swap is **encrypted**.
+- `sleepimage` remains relevant mainly for **hibernate/safe sleep** scenarios, but modern systems commonly protect it, so it should be treated as an **artifact source to check**, not as a reliable acquisition path.
+- On recent macOS releases, **process-level dumping** is generally more realistic than **full physical memory imaging** unless you control boot policy, SIP state, and kext loading.
+
+## References
+
+- [https://www.appspector.com/blog/core-dump](https://www.appspector.com/blog/core-dump)
+- [https://afine.com/to-allow-or-not-to-get-task-allow-that-is-the-question](https://afine.com/to-allow-or-not-to-get-task-allow-that-is-the-question)
+
+{{#include ../../../banners/hacktricks-training.md}}
 
 
