Support for macOS Mojave (10.14.3)?


sim...@gmail.com

Feb 23, 2019, 9:02:14 PM
to rekall-discuss
Are there any tools that will dump ram on macOS Mojave?

Michael Cohen

Feb 24, 2019, 12:37:38 AM
to rekall-...@googlegroups.com
osxpmem works on mojave if you manually click the accept popup.

Simson Garfinkel

Feb 24, 2019, 7:18:15 AM
to Michael Cohen Cohen (GG), rekall-...@googlegroups.com
Hi Michael,

Thanks. I was finally able to get MacPmem.kext to load when I moved it out of my download directory and the root directory (presumably none of the directories from / to MacPmem.kext may be writable by anyone but root.)

I think that the website is pretty confusing, though, and you may wish to clean it up. Right now it is not clear from where the osxpmem agent should be downloaded.

There is no obvious download link for osxpmem at http://www.rekall-forensic.com.

That web page points to https://github.com/scudette/rekall-agent-server, but https://github.com/scudette/rekall-agent-server states “This repository has been archived by the owner. It is now read-only.”
The string “osxpmem” does not appear in the git repo at https://github.com/scudette/rekall-agent-server

osxpmem does not appear in Release 1.7.2 RC1 at https://github.com/google/rekall/releases

Version osxpmem-2.1.post4.zip can be downloaded from https://github.com/google/rekall/releases. However, it doesn’t do anything when I double-click on it — there are no error messages. One needs to look inside the app wrapper for the executable.

Strangely, when I run osxpmem manually, it reports that the kernel extension can’t load. When I try to load the kernel extension manually, I get this error:

[nimi ~/Downloads/osxpmem.app 07:02:58]# kextutil -t MacPmem.kext/
Kext rejected due to improper filesystem permissions: <OSKext 0x7fb256523270 [0x7fff8e5d38f0]> { URL = "file:///Library/StagedExtensions/Users/simsong/Downloads/osxpmem.app/MacPmem.kext/", ID = "com.google.MacPmem" }
Diagnostics for MacPmem.kext:
Authentication Failures:
    File owner/permissions are incorrect (must be root:wheel, nonwritable by group/other):
        /Library/StagedExtensions/Users/simsong/Downloads/osxpmem.app/MacPmem.kext
        Contents
        _CodeSignature
        CodeResources
        MacOS
        MacPmem
        Info.plist

And that error is incorrect, as here were the permissions:

[nimi ~/Downloads/osxpmem.app 07:02:56]# find . -ls
33089294        0 dr-xr-xr--    6 root             wheel                 192 May 23  2016 .
33089295        0 dr-xr-xr--   18 root             wheel                 576 May 23  2016 ./libs
33089309     2312 -r-xr-xr--    1 root             wheel             1180500 May 23  2016 ./libs/libxml2.2.dylib
33089303      856 -r-xr-xr--    1 root             wheel              435408 May 23  2016 ./libs/libpcre.1.dylib
33089307      184 -r-xr-xr--    1 root             wheel               94044 May 23  2016 ./libs/liburiparser.1.dylib
33089310      424 -r-xr-xr--    1 root             wheel              214368 May 23  2016 ./libs/libxslt.1.dylib
33089311      160 -r-xr-xr--    1 root             wheel               80356 May 23  2016 ./libs/libz.1.2.8.dylib
33089300     2056 -r--r--r--    1 root             wheel             1052104 May 23  2016 ./libs/libiconv.2.dylib
33089302       88 -r-xr-xr--    1 root             wheel               44988 May 23  2016 ./libs/libpcre++.0.dylib
33089297     4008 -r-xr-xr--    1 root             wheel             2048916 May 23  2016 ./libs/libcrypto.1.0.0.dylib
33089304      672 -r-xr-xr--    1 root             wheel              342660 May 23  2016 ./libs/libraptor2.0.dylib
33089306      760 -r-xr-xr--    1 root             wheel              388176 May 23  2016 ./libs/libssl.1.0.0.dylib
33089298      728 -r-xr-xr--    1 root             wheel              370268 May 23  2016 ./libs/libcurl.4.dylib
33089299      480 -r-xr-xr--    1 root             wheel              245424 May 23  2016 ./libs/libglog.0.dylib
33089301      272 -r-xr-xr--    1 root             wheel              138340 May 23  2016 ./libs/liblzma.5.dylib
33089305       64 -r-xr-xr--    1 root             wheel               29172 May 23  2016 ./libs/libsnappy.1.dylib
33089296     2376 -r-xr-xr--    1 root             wheel             1214960 May 23  2016 ./libs/libaff4.0.dylib
33089308       88 -r--r--r--    1 root             wheel               44184 May 23  2016 ./libs/libuuid.16.dylib
33089320       16 -r--r--r--    1 root             wheel                4433 May 23  2016 ./README.md
33089312        0 dr-xr-xr--    3 root             wheel                  96 Mar 15  2016 ./MacPmem.kext
33089313        0 dr-xr-xr--    5 root             wheel                 160 Mar 15  2016 ./MacPmem.kext/Contents
33089314        0 dr-xr-xr--    3 root             wheel                  96 Mar 15  2016 ./MacPmem.kext/Contents/_CodeSignature
33089315        8 -r--r--r--    1 root             wheel                2004 Mar 15  2016 ./MacPmem.kext/Contents/_CodeSignature/CodeResources
33089317        0 dr-xr-xr--    3 root             wheel                  96 Mar 15  2016 ./MacPmem.kext/Contents/MacOS
33089318       80 -r-xr-xr--    1 root             wheel               37040 Mar 15  2016 ./MacPmem.kext/Contents/MacOS/MacPmem
33089316        8 -r--r--r--    1 root             wheel                1628 Mar 15  2016 ./MacPmem.kext/Contents/Info.plist
33089319     1272 -r-xr-xr--    1 root             wheel              647392 May 23  2016 ./osxpmem
[nimi ~/Downloads/osxpmem.app 07:02:58]# 

The permissions problem, as I note above, had to do with the containing directories. 

Thanks again.
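A small POSIX shell helper, added here and not part of osxpmem, Rekall or this thread, that walks every path component from / down to a kext bundle and reports which ones the staging check quoted above would object to: a group/other write bit, or an owner other than root:wheel. The function names and the root:wheel defaults are assumptions; it reads ownership from ls -ld because that output is the same on macOS and Linux, and it ignores the trailing @ or + that macOS appends to a mode string for extended attributes or ACLs.

```shell
#!/bin/sh
# Hypothetical helper (not from osxpmem/Rekall): explain why kextutil
# rejects a bundle with "File owner/permissions are incorrect".

# Returns 0 (true) if an ls-style mode string such as "drwxrwxr-x" has
# the group write bit (column 6) or the other write bit (column 9) set.
mode_writable_by_group_or_other() {
    mode="$1"
    case "$(printf '%s' "$mode" | cut -c6)" in w) return 0 ;; esac
    case "$(printf '%s' "$mode" | cut -c9)" in w) return 0 ;; esac
    return 1
}

# Prints one line per component from the bundle up to / with its mode,
# owner, group and a verdict. Returns 1 if any component is writable by
# group/other or is not owned by $2:$3 (default root:wheel), which is
# what kextutil requires for every directory on the path to the kext.
check_kext_path() {
    target="$1"; want_owner="${2:-root}"; want_group="${3:-wheel}"
    bad=0
    case "$target" in /*) p="$target" ;; *) p="$(pwd -P)/$target" ;; esac
    while :; do
        # ls -ld fields: 1=mode 2=links 3=owner 4=group (BSD and GNU alike)
        set -- $(ls -ld "$p")
        mode="$1"; owner="$3"; group="$4"
        status=ok
        if mode_writable_by_group_or_other "$mode"; then
            status="writable-by-group/other"
        fi
        if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
            status="$status owner=$owner:$group"
        fi
        [ "$status" = ok ] || bad=1
        printf '%-50s %s %s\n' "$p" "$mode" "$status"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $bad
}
```

Run it as check_kext_path /path/to/osxpmem.app/MacPmem.kext; any line not ending in "ok" names a directory that has to be fixed (or the bundle moved out from under it) before the kext will load.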


Michael Cohen

Feb 24, 2019, 8:31:02 AM
to Simson Garfinkel, rekall-...@googlegroups.com
You are right - I should have been more helpful previously.

The latest OSX pmem is available from:

https://github.com/Velocidex/c-aff4


It is now part of the C++ AFF4 project. The current version loads
itself and fixes its own permissions. Although on Mojave you need to
click through a permission box because the kext signature is not super
trusted by Apple (it's trusted a bit but not enough to dismiss the
dialog).  This is annoying because it stops us from automating memory
acquisition - if you know how to get around it I am interested :-).


We probably should update the Rekall site - it's a little bit rotted :-(
We have not had a release for a long time.

The Rekall agent has been deprecated in favor of Velociraptor (which I
spend all my time on now) and Rekall has not had much attention in a
while. Ideally I need to remove all the deprecated components from
Rekall but these days I don't do much python :-(. Maybe one day I will
get back into memory analysis :-).


Thanks

Michael.

Simson Garfinkel

Feb 24, 2019, 10:19:51 AM
to Michael Cohen Cohen (GG), rekall-...@googlegroups.com
Hi Michael,

Thanks for these details. I’ll give it a try.

Is Rekall still an active project, and does it support the current OSX? I’m having problems with Volatility, specifically getting profiles for the kernels that I’m using.

Thanks.

Michael Cohen

Feb 24, 2019, 10:48:26 AM
to Simson Garfinkel, rekall-...@googlegroups.com
Hi Simson,

We have not had up to date OSX support for quite some time. I think
Apple are pretty slow in releasing debug kernels and even while I was at
Google we did not have the resources to keep profile support up to date.
I would say OSX support is currently pretty broken in Rekall.


Thanks

Michael.