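def get_macho_dump(x86_mem_pae, sym_addr, arch, os_version, build, pid, base_address, mempath, nproc):
    """Dump the Mach-O image of process *pid* out of the memory image.

    Args:
        x86_mem_pae: memory-image reader, forwarded unchanged to
            ps.process_manager and machdump.
        sym_addr: symbol address handed to process_manager.get_proc_list.
        arch, os_version, build, base_address: forwarded unchanged to
            ps.process_manager and machdump.
        pid: target process id; -1 means the -x option was not given.
        mempath: output location forwarded to machdump.get_mach_dump.
        nproc: forwarded unchanged to ps.process_manager.

    Returns:
        0 when no PID was supplied, 1 when the process is not found in the
        image, None after a dump was attempted.  The three distinct values
        are kept because callers may already test for them.
    """
    if pid == -1:
        print('[+] Check -x [PID] options')
        return 0

    print('[+] Process Dump Start => PID : %d' % pid)

    dumped_proc = []
    ProcMan = ps.process_manager(x86_mem_pae, arch, os_version, build, base_address, nproc)
    ret = ProcMan.get_proc_list(sym_addr, dumped_proc, pid)
    # get_proc_list signals "not found" with 1; also bail out on an empty
    # list so that the dumped_proc[0] accesses below cannot raise IndexError.
    if ret == 1 or not dumped_proc:
        print('[+] Process(PID : %d) is not loaded' % pid)
        return 1

    proc = dumped_proc[0]
    task_struct = ProcMan.get_task(proc, proc[2])
    retData = ProcMan.get_proc_region(task_struct[3], proc[5], 0)
    vm_list = retData[0]
    vm_struct = retData[1]
    pm_cr3 = ProcMan.get_proc_cr3(vm_list, vm_struct)

    # NOTE(review): the dump file name is "<proc[1]>-<proc[14]>", both taken
    # straight from the process entry read out of the memory image (slot 14
    # is presumably the process name -- confirm).  That is untrusted data;
    # verify that get_mach_dump rejects path separators in it before the
    # name is joined with mempath.
    dump_name = str(proc[1]) + '-' + proc[14]
    MachO = machdump(x86_mem_pae, arch, os_version, build, base_address)
    MachO.get_mach_dump(vm_list, vm_struct, dump_name, mempath, pm_cr3)
    return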
def __init__(self, x86_mem_pae, arch, os_version, build, base_address):
    """Store the memory-image parameters and create the process manager.

    All five arguments are kept unchanged on the instance, and the same
    values are passed to process_manager, whose instance is exposed as
    ``self.processmanager``.
    """
    (self.x86_mem_pae, self.arch, self.os_version,
     self.build, self.base_address) = (x86_mem_pae, arch, os_version,
                                       build, base_address)
    self.processmanager = process_manager(
        x86_mem_pae, arch, os_version, build, base_address)
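def get_macho_dump(x86_mem_pae, sym_addr, arch, os_version, build, pid, base_address, mempath):
    """Dump the Mach-O image of process *pid* out of the memory image.

    Args:
        x86_mem_pae: memory-image reader, forwarded unchanged to
            ps.process_manager and machdump.
        sym_addr: symbol address handed to process_manager.get_proc_list.
        arch, os_version, build, base_address: forwarded unchanged to
            ps.process_manager and machdump.
        pid: target process id passed to get_proc_list.
        mempath: output location forwarded to machdump.get_mach_dump.

    Returns:
        1 when the process is not found in the image, None after a dump
        was attempted.
    """
    print('[+] Process Dump Start')

    proclist = []
    ProcMan = ps.process_manager(x86_mem_pae, arch, os_version, build, base_address)
    MachO = machdump(x86_mem_pae, arch, os_version, build, base_address)

    ret = ProcMan.get_proc_list(sym_addr, proclist, pid)
    # get_proc_list signals "not found" with 1; also bail out on an empty
    # list so that the proclist[0] accesses below cannot raise IndexError.
    if ret == 1 or not proclist:
        return 1

    proc = proclist[0]
    task_struct = ProcMan.get_task(proc, proc[2])
    retData = ProcMan.get_proc_region(task_struct[3], proc[5], 0)
    vm_list = retData[0]
    vm_struct = retData[1]
    pm_cr3 = ProcMan.get_proc_cr3(vm_list, vm_struct)

    # NOTE(review): the dump file name is "<proc[1]>-<proc[14]>", both taken
    # straight from the process entry read out of the memory image (slot 14
    # is presumably the process name -- confirm).  That is untrusted data;
    # verify that get_mach_dump rejects path separators in it before the
    # name is joined with mempath.
    dump_name = str(proc[1]) + '-' + proc[14]
    MachO.get_mach_dump(vm_list, vm_struct, dump_name, mempath, pm_cr3)
    return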
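def get_macho_dump(x86_mem_pae, sym_addr, arch, os_version, build, pid, base_address, mempath):
    """Dump the Mach-O image of process *pid* out of the memory image.

    Args:
        x86_mem_pae: memory-image reader, forwarded unchanged to
            ps.process_manager and machdump.
        sym_addr: symbol address handed to process_manager.get_proc_list.
        arch, os_version, build, base_address: forwarded unchanged to
            ps.process_manager and machdump.
        pid: target process id passed to get_proc_list.
        mempath: output location forwarded to machdump.get_mach_dump.

    Returns:
        1 when the process is not found in the image, None after a dump
        was attempted.
    """
    print('[+] Process Dump Start')

    proclist = []
    ProcMan = ps.process_manager(x86_mem_pae, arch, os_version, build, base_address)
    MachO = machdump(x86_mem_pae, arch, os_version, build, base_address)

    ret = ProcMan.get_proc_list(sym_addr, proclist, pid)
    # get_proc_list signals "not found" with 1; also bail out on an empty
    # list so that the proclist[0] accesses below cannot raise IndexError.
    if ret == 1 or not proclist:
        return 1

    proc = proclist[0]
    task_struct = ProcMan.get_task(proc, proc[2])
    retData = ProcMan.get_proc_region(task_struct[3], proc[5], 0)
    vm_list = retData[0]
    vm_struct = retData[1]
    pm_cr3 = ProcMan.get_proc_cr3(vm_list, vm_struct)

    # NOTE(review): the dump file name is "<proc[1]>-<proc[14]>", both taken
    # straight from the process entry read out of the memory image (slot 14
    # is presumably the process name -- confirm).  That is untrusted data;
    # verify that get_mach_dump rejects path separators in it before the
    # name is joined with mempath.
    dump_name = str(proc[1]) + '-' + proc[14]
    MachO.get_mach_dump(vm_list, vm_struct, dump_name, mempath, pm_cr3)
    return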