Abyss-W4tcher / volatility3-symbols

Collection of Linux and macOS Volatility3 Intermediate Symbol Files (ISF), suitable for memory analysis 🔍

[Consult] How to extract the symbols of macOS 12.7.5_21H1222 #64

Closed gaory1 closed 2 months ago

gaory1 commented 2 months ago

I installed KDK on a macOS computer and tried to extract the symbols, but the banner in the resulting JSON file is garbled. No useful information was found on the Internet. Do you have any suggestion?

This is the command I used:

dwarf2json mac --macho /Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel

Here is the banner (version) information the command outputs:

    "version": {
      "type": {
        "count": 104,
        "kind": "array",
        "subtype": {
          "kind": "base",
          "name": "char"
        }
      },
      "address": 18446743523965599488,
      "constant_data": "6/0FAA4UAACoUewAgP///wv+BQAOFAAA+FHsAID///8q/gUADhQAAEhS7ACA////Sf4FAA4UAACYUuwAgP///2j+BQAOFAAA6FLsAID///98/gUADhQAADhT7ACA////jv4FAA4UAAA="
    },

The value of 'constant_data' is expected to be the base64-encoded string of 'Darwin Kernel Version ...', but it turns out to be some kind of binary string.

More information:

fun@FundeMacBook-Pro ~ % sw_vers 
ProductName:    macOS
ProductVersion: 12.7.5
BuildVersion:   21H1222

fun@FundeMacBook-Pro ~ % system_profiler SPHardwareDataType
Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro13,2
      Processor Name: Dual-Core Intel Core i5
      Processor Speed: 2.9 GHz
      Number of Processors: 1
      Total Number of Cores: 2
      L2 Cache (per Core): 256 KB
      L3 Cache: 4 MB
      Hyper-Threading Technology: Enabled
      Memory: 8 GB
      System Firmware Version: 529.120.1.0.0
      OS Loader Version: 540.120.3~37
      SMC Version (system): 2.37f25
      Serial Number (system): C02T913XGTFJ
      Hardware UUID: B767BD55-CC06-56BD-B0F4-FD6878AD9D04
      Provisioning UDID: B767BD55-CC06-56BD-B0F4-FD6878AD9D04

fun@FundeMacBook-Pro ~ % file /Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel
/Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel: Mach-O 64-bit dSYM companion file x86_64

fun@FundeMacBook-Pro ~ % go version 
go version go1.22.4 darwin/amd64

Thanks in advance.

Abyss-W4tcher commented 2 months ago

Hello, you can try the following:

dwarf2json mac --macho /Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel --macho-symbols /Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel

gaory1 commented 2 months ago

Oh yes, it works! Now I realize that I have to pass different 'kernel' files to --macho and --macho-symbols. Thank you very much.
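As an added sanity check, not part of this thread or of the volatility3-symbols repository: a small Python script that opens a generated ISF, base64-decodes the `version` symbol's `constant_data` and reports whether it is a readable `Darwin Kernel Version` banner or binary garbage like the value quoted above. The ISF layout (`symbols` -> `version` -> `constant_data`) is taken from the output in the issue; the "good" document, its banner text and its address are constructed placeholders.

```python
import base64
import json
import string

BANNER_PREFIX = b"Darwin Kernel Version"

# Constructed ISF fragment (not from a real KDK): a well-formed "version"
# symbol whose constant_data is the base64 of a NUL-terminated XNU banner.
GOOD_ISF = json.dumps({"symbols": {"version": {
    "address": 0xFFFFFF8000A5D000,  # placeholder address, not a real one
    "constant_data": base64.b64encode(
        b"Darwin Kernel Version 21.6.0: PLACEHOLDER; root:xnu-PLACEHOLDER/RELEASE_X86_64\x00"
    ).decode(),
}}})

# The garbled constant_data quoted in the issue above, wrapped in the same shape.
BAD_CONSTANT_DATA = ("6/0FAA4UAACoUewAgP///wv+BQAOFAAA+FHsAID///8q/gUADhQAAEhS7ACA////"
                     "Sf4FAA4UAACYUuwAgP///2j+BQAOFAAA6FLsAID///98/gUADhQAADhT7ACA////"
                     "jv4FAA4UAAA=")
BAD_ISF = json.dumps({"symbols": {"version": {"constant_data": BAD_CONSTANT_DATA}}})


def decode_banner(constant_data_b64):
    """Base64-decode an ISF constant_data value and return the NUL-terminated prefix."""
    raw = base64.b64decode(constant_data_b64)
    return raw.split(b"\x00", 1)[0]


def banner_looks_valid(constant_data_b64):
    """True only if the decoded bytes are printable ASCII starting with the XNU banner."""
    text = decode_banner(constant_data_b64)
    if not text.startswith(BANNER_PREFIX):
        return False
    return all(chr(b) in string.printable for b in text)


def check_isf_version(isf_text):
    """Return (ok, banner_or_reason) for the 'version' symbol of an ISF JSON document."""
    isf = json.loads(isf_text)
    sym = isf.get("symbols", {}).get("version")
    if not isinstance(sym, dict) or "constant_data" not in sym:
        return False, "no 'version' symbol with constant_data in this ISF"
    if banner_looks_valid(sym["constant_data"]):
        return True, decode_banner(sym["constant_data"]).decode("ascii")
    return False, ("constant_data is not a Darwin banner: regenerate with "
                   "--macho-symbols pointing at the kernel file next to the dSYM")


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:  # usage: python check_isf.py <file>.json
        ok, detail = check_isf_version(fh.read())
    print("OK:" if ok else "PROBLEM:", detail)
```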