InfiniteMac OSx86
Page 1 of 2 1 2 >
Show 50 post(s) from this thread on one page

InfiniteMac OSx86 (http://infinitemac.com/forum.php)
-   10.X (http://infinitemac.com/forumdisplay.php?f=36)
-   -   Direct kernel memory access kernel extension (http://infinitemac.com/showthread.php?t=2822)

andyvand 05-10-2009 07:00 PM
Direct kernel memory access kernel extension
 
I recently made a kext that can completely dump out the kernel memory through a /dev/kmem device.
You can get the kernel extensions & the sources from:
http://rapidshare.com/files/21853726...cess-1.0.1.zip
I've used this for dumping out my BIOS ROM modules and so...
This is the command I used to completely dump the kernel memory:
Code:
sudo dd if=/dev/kmem of=test.bin iseek=638976 bs=1
Every ROM module starts with 0x55 0xAA
An example of this can be found here:
http://rapidshare.com/files/231432488/BIOS_ROMS.zip
Enjoy and learn ;)
Credits go to Amit Singh (www.osxbook.com)
and me...

andyvand 05-10-2009 09:24 PM
Anybody tried this on their computers?
If one would be able to provide dumps from real Macs (complete ones) they could be used to examine some things (and maybe find some interesting things which could be used to improve certain kernel, etc... features)

naquaada 05-10-2009 09:36 PM
Perhaps the people don't really know hat's it for... nether do I :) Maybe explain a bit better what's the use for it. But anyway, I'm just repairing permissions and will reboot my test system in a moment. Let's see what big crash you have planned for our pleasure... :D

andyvand 05-10-2009 09:46 PM
Quote:
Originally Posted by naquaada (Post 26252)
Perhaps the people don't really know hat's it for... nether do I :) Maybe explain a bit better what's the use for it. But anyway, I'm just repairing permissions and will reboot my test system in a moment. Let's see what big crash you have planned for our pleasure... :D
It's ment to get kernel memory data and do kernel memory patches through the /dev/kmem device...
The second requires a lot of knowledge on how the kernel memory works...
Crash? lol no... I extensively tested this and it works great ;)

naquaada 05-10-2009 09:49 PM
OMG it reads out all my passwords and sends them to Microsoft! :confused:

Hm, don't know what this is. When I enter the line above in Terminal I'll get always this output:
Code:
dd: /dev/kmem: Bad address
0+0 records in
0+0 records out
0 bytes transferred in 0.000185 secs (0 bytes/sec)
The same happens when I specify a file name of the bios files of the other archive, only the time varies.

Oh yeah, I'm using XxX 10.5.6 and a 9.6.0 kernel from you, but don't ask me which one.

andyvand 05-10-2009 10:06 PM
Quote:
Originally Posted by naquaada (Post 26254)
OMG it reads out all my passwords and sends them to Microsoft! :confused:

Hm, don't know what this is. When I enter the line above in Terminal I'll get always this output:
Code:
dd: /dev/kmem: Bad address
0+0 records in
0+0 records out
0 bytes transferred in 0.000185 secs (0 bytes/sec)
The same happens when I specify a file name of the bios files of the other archive, only the time varies.

Oh yeah, I'm using XxX 10.5.6 and a 9.6.0 kernel from you, but don't ask me which one.
Yeah it probably the iseek part...
It needs to be the addres of the start of the kernel memory...
Then it'll dump out XXX records (like it did for me...)
The eventual file generated was +- 6MB for me
-rw-r--r-- 1 andyvand staff 6262784 1 apr 12:36 /Users/andyvand/Documents/EasyNote MZ-35 Kernel Mem/kmem.bin

naquaada 05-10-2009 10:08 PM
Do you have an Intel or AMD system? Add your system specs in the sinature plz.

Kabyl 05-10-2009 10:08 PM
Code:
#include "/Users/andyvand/Downloads/Kernels/voodoobuild-0.3.2/xnu-1228.9.59/bsd/sys/uio_internal.h"
Why not include that header instead? and fix what remains to be fixed, it should be a trivial thing.

And one request: please credit the original author in your starting post.

This isn't something average users would need/want, might be worth noting that too, even better, posting this link ( http://www.osxbook.com/book/bonus/chapter8/kma/ ) would be more helpful.

Thanks.

andyvand 05-10-2009 10:12 PM
Quote:
Originally Posted by Kabyl (Post 26257)
Code:
#include "/Users/andyvand/Downloads/Kernels/voodoobuild-0.3.2/xnu-1228.9.59/bsd/sys/uio_internal.h"
Why not include that header instead? and fix what remains to be fixed, it should be a trivial thing.

And one request: please credit the original author in your starting post.

This isn't something average users would need/want, might be worth noting that too, even better, posting this link ( http://www.osxbook.com/book/bonus/chapter8/kma/ ) would be more helpful.

Thanks.
The credits are present in the sources and now they have been said...
He used a standard driver which depended on deprecated .kernel components...
I fixed it up to an iokit driver and I've made sure it was all .kpi components...
It's a great tool for many things...
But OK ... I will

Kabyl 05-10-2009 10:36 PM
Quote:
Originally Posted by andyvand (Post 26259)
The credits are present in the sources and now they have been said...
...
But OK ... I will
I know it's in the sources/README, I specifically said in your "starting post", which means here in this thread; it was more of a reply to clear a likely possible misunderstanding of your announcement:
Quote:
I recently made a kext that can completely dump out the kernel memory through a /dev/kmem device.
...