Skip to content

Commit bd43773

Browse files
authored
Merge pull request #2477 from HackTricks-wiki/research_update_src_macos-hardening_macos-security-and-privilege-escalation_macos-files-folders-and-binaries_macos-memory-dumping_20260707_144959
Research Update Enhanced src/macos-hardening/macos-security-...
2 parents bd8abc0 + 19824c7 commit bd43773

1 file changed

Lines changed: 71 additions & 0 deletions

File tree

  • src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,28 @@ For more background on obtaining a task port and what can be done with it:
102102
../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
103103
{{#endref}}
104104

105+
### Fast pre-attach checks
106+
107+
Before spending time on LLDB/Frida, quickly verify whether the target is realistically **dumpable**:
108+
109+
```bash
110+
# Check entitlements that commonly decide whether an attach will work
111+
codesign -d --entitlements - /Applications/Target.app 2>/dev/null | \
112+
egrep -A1 'get-task-allow|com.apple.security.cs.debugger'
113+
114+
# Quick view of hardened runtime / code-signing flags
115+
codesign -dvvv /Applications/Target.app 2>&1 | egrep 'Runtime Version|flags='
116+
117+
# Inspect memory layout before deciding between a full core and a selective dump
118+
vmmap <pid>
119+
```
120+
121+
Operationally, this usually means:
122+
123+
- A third-party app shipped with **`get-task-allow`** is often directly dumpable with LLDB, and the resulting dump may expose TCC-protected data that the app already accessed.
124+
- A **hardened** target without `get-task-allow` will commonly reject attaches, even as `root`, unless you control the relevant debugger entitlements / policy path.
125+
- Unhardened third-party processes are still the easiest place to use `lldb`, `vmmap`, Frida, or custom `task_for_pid`/`vm_read` readers.
126+
105127
## Selective dumps with Frida or userland readers
106128

107129
When a full core is too noisy, dumping only **interesting readable ranges** is often faster. Frida is especially useful because it works well for **targeted extraction** once you can attach to the process.
@@ -134,6 +156,55 @@ This is useful when you want to avoid giant core files and only collect:
134156

135157
Older userland tools such as [`readmem`](https://github.com/gdbinit/readmem) also exist, but they are mainly useful as **source references** for direct `task_for_pid`/`vm_read` style dumping and are not well-maintained for modern Apple Silicon workflows.
136158

159+
## Heap / VM snapshots with `.memgraph`
160+
161+
If you mainly care about **heap objects**, **allocation provenance**, or a snapshot that can be moved to another machine, a `.memgraph` is often more practical than a giant Mach-O core. The `leaks` tooling can generate one from a live process:
162+
163+
```bash
164+
# Capture a memory graph from a live process
165+
leaks <pid> -outputGraph /tmp/target.memgraph
166+
167+
# Include richer object content when you expect to inspect strings / heap data offline
168+
leaks <pid> -outputGraph /tmp/target-full.memgraph -fullContent
169+
```
170+
171+
Then triage it offline with standard Apple tooling:
172+
173+
```bash
174+
vmmap /tmp/target.memgraph
175+
heap /tmp/target.memgraph
176+
stringdups /tmp/target-full.memgraph
177+
malloc_history /tmp/target.memgraph 0xADDR
178+
```
179+
180+
`stringdups` is the main reason to keep a `-fullContent` capture around, because the labels describing memory contents are omitted from a minimal `.memgraph`.
181+
182+
This is especially useful when:
183+
184+
- You want a **smaller, shareable snapshot** instead of a full core
185+
- `MallocStackLogging` was enabled and you want **allocation backtraces**
186+
- You already know an **interesting heap address** and want to pivot with `malloc_history`
187+
- You need a quick **VM/heap breakdown** before deciding whether a full dump is worth the noise
188+
189+
## Swift-heavy targets: `swift-inspect`
190+
191+
For applications that keep high-value data inside **Swift runtime objects**, `swift-inspect` can be a good complement to LLDB or Frida. Instead of dumping everything first, you can query specific Swift runtime structures from a live process:
192+
193+
```bash
194+
# Usually available from the Xcode / Swift toolchain
195+
swift-inspect dump-raw-metadata <pid-or-name>
196+
swift-inspect dump-arrays <pid-or-name>
197+
swift-inspect dump-concurrency <pid-or-name> # Darwin-only
198+
```
199+
200+
This is handy to identify:
201+
202+
- Large Swift arrays buffering interesting data
203+
- Metadata allocations that reveal types loaded at runtime
204+
- Swift concurrency state (`Task`, actor, thread relationships) before doing a more targeted dump
205+
206+
For more object-level runtime triage once you can already inspect the process, check [the dedicated page on objects in memory](../macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md).
207+
137208
## Quick triage notes
138209

139210
- `sysctl vm.swapusage` is still a quick way to check **swap usage** and whether swap is **encrypted**.

0 commit comments

Comments
 (0)