Memoryze for the Mac: Support Added for OS X Mountain Lion (10.8)

Earlier this year, Mandiant launched a new freeware tool: Memoryze for the Mac™. The tool brings many of the features of Memoryze™ to the Apple® Macintosh platform, enabling acquisition of memory images via the command-line or a simple GUI. We are excited to announce it now fully supports OS X 10.6-10.8.

Recently, OS X Mountain Lion added kernel Address Space Layout Randomization. It is a welcome security feature, raising the bar for kernel exploitation. This feature adds an extra step into the memory analysis tool. Previously, we could depend on the paging table IdlePML4 and IdlePDPT addresses being at the same physical memory location. With 10.8 and KASLR the physical memory addresses of IdlePML4 and IdlePDPT became BootPML4 and BootPDPT, while IdlePML4 and IdlePDPT are now randomized with ASLR. The boot paging tables do not contain the full kernel virtual memory layout. Since Memoryze for Mac does not depend on any symbol information, we developed a mechanism to uniformly discover the randomized location of the kernel paging tables.

Once again, Mountain Lion has changed the memory location of nsysent. Prior to the change, it was located directly after the sysent table itself. As documented in several locations on the web, this made automated discovery and verification of the table size convenient. Unfortunately, Apple decided to move the location of nsysent, causing us to develop a new sysent size discovery mechanism.

We have a growing list of cool new features to add to Memoryze for Mac, but it may be until after the new year before we are able to dev the features.