vmmap(1) Listing

Used for discussing the various tools in the book as well as encouraging members to share tools

vmmap(1) Listing

Postby darkknight » Mon Jun 27, 2016 9:32 pm

Quick question. What command line options do you currently use to compile your examples? Using the suggested options below, for example on the vmmap listing, produces a number of errors:
Code:
# SDK to build against; the -F/-L/-I paths below point at a copy of it under /iOSDev/SDKs
SDK=iPhoneOS9.2.sdk

export SDKROOT=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk
#XCODE_DEVELOPER_USR_PATH=/Developer   # don't really need this..

gcc -arch arm64 \
-framework IOKit \
-framework CoreFoundation \
-F /iOSDev/SDKs/$SDK/System/Library/Frameworks \
-F /iOSDev/SDKs/$SDK/System/Library/PrivateFrameworks \
-L /iOSDev/SDKs/$SDK/usr/lib \
-L /iOSDev/SDKs/$SDK/usr/lib/system \
-I /iOSDev/SDKs/$SDK/usr/include \
"$@"   # pass the wrapper's arguments through intact ($* would re-split any that contain spaces)

Errors:
vmmap.c:130:52: error: use of undeclared identifier 'DYLD_ALL_IMAGE_INFOS_OFFSET_OFFSET'
memcpy (&dyld_all_image_infos_offset, readData+DYLD_ALL_IMAGE_INFOS_OFFSET_OFFSET, sizeof (unsigned int));
^
/iOSDev/SDKs/iPhoneOS9.2.sdk/usr/include/secure/_string.h:65:33: note: expanded from macro 'memcpy'
__builtin___memcpy_chk (dest, src, len, __darwin_obsz0 (dest))
^
vmmap.c:141:23: error: use of undeclared identifier 'dyld_all_image_infos'
dataCnt = sizeof(dyld_all_image_infos);

vmmap.c:260:10: error: implicit declaration of function 'mach_vm_region' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
kret = mach_vm_region (task, &address, &size, VM_REGION_BASIC_INFO,
^
vmmap.c:260:10: note: did you mean 'mach_vm_read'?
vmmap.c:97:15: note: 'mach_vm_read' declared here
kern_return_t mach_vm_read (vm_map_t, mach_vm_address_t, mach_vm_size_t, vm_offset_t *, mach_msg_type_number_t *);
^
vmmap.c:266:7: error: non-void function 'macosx_debug_regions' should return a value [-Wreturn-type]
return;


So I was curious... I use the above to compile other binaries, though...

Reading the forums I see the issue with DYLD_ALL_... Did you ever post the updated version with those references removed?
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: vmmap(1) Listing

Postby morpheus » Tue Jul 05, 2016 5:54 am

The gcc-iphone hasn't been modified; what has been modified is vmmap(1) in particular, because Apple now hides that symbol. Apple likewise hides the mach_vm APIs, so it sometimes takes copying from the OS X SDK to the iOS SDK. Otherwise, the options are pretty much as in gcc-iphone. Most of the time things compile cleanly with no mods, but certain binaries (vmmap, procexp, and other undocumented APIs) will require tweaking. I never did provide an update, honestly, since I integrated it into procexp and updated it significantly (try
Code:
procexp .... regions
)
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: vmmap(1) Listing

Postby darkknight » Tue Jul 05, 2016 6:28 pm

So for what I wanted to do I eventually got it working. Basically I wanted to dump each region to a file for later processing, like determining if the application (primarily 3rd-party apps) is storing sensitive data in memory, etc.

One thing I noticed, though, is output similar to the following.

I get this from vmmap:
Code:
...  0x19e464000-0x19e600000 [1M](---/rwx; share, private, reserved) default
...  0x19e600000-0x1a0000000 [26M](---/rwx; share, private, reserved) default
mach_vm_region failed for address 0x1a8000000 - Error: 1


And this from procexp:
Code:
Unshared PMAP        0x00000000 000000019e464000-000000019e600000 [   1M]r--/rwx NUL
Shared PMAP            0x00000000 000000019e600000-00000001a0000000 [  26M]r--/rwx NUL
Shared PMAP            0x00000000 00000001a0000000-00000001a8000000 [ 128M]r--/rwx NUL


So I was curious how procexp handled the 0x1a8000000 region, because vmmap always fails there. Thoughts?
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: vmmap(1) Listing

Postby morpheus » Fri Jul 08, 2016 3:04 am

Hello Dark one,

Much easier approach: procexp ...pid... core will core dump, and then you can take the full dump and gdb/lldb on the host, happily exploring the contents without a single line of code :-).

Don't remember off the top of my head what might be there, but it might be either the shared cache or the comm page. Try the core approach and tell me what you find? I'd reproduce it myself and tell you, but I'm fresh back from China and still traveling.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
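The loop behind the vmmap failure discussed in the last two posts, as an added example that is not the book's vmmap.c or procexp code. It pins down two things from this thread. First, the missing declarations from the opening post: when the SDK ships no mach_vm.h, the mach_vm_region() prototype is declared by hand (the signature is the same as the macOS one). Second, "Error: 1" is KERN_INVALID_ADDRESS, which mach_vm_region() returns as soon as no mapping exists at or above the queried address, so a region walker should treat it as the end of the address space rather than a failure. The region source sits behind a function pointer so the walk itself can be built and exercised on a non-Apple host against a constructed table made from the three regions in the procexp output above; that table, the helper names and the 1024-region cap are assumptions of the example. On a jailbroken device, pass a pid; task_for_pid needs root or the matching entitlement.

```c
/* Walk a task's address space region by region, the loop at the heart of vmmap(1).
 * Added example for this thread, not the book's vmmap.c or procexp. The iOS SDK ships
 * no <mach/mach_vm.h>, so mach_vm_region() is declared by hand; off an Apple host the
 * few Mach types needed are defined locally so the walk can run on a constructed table. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#ifdef __APPLE__
#include <mach/mach.h>
/* Same signature as the macOS <mach/mach_vm.h> prototype that the iOS SDK omits. */
extern kern_return_t mach_vm_region(vm_map_t, mach_vm_address_t *, mach_vm_size_t *,
        vm_region_flavor_t, vm_region_info_t, mach_msg_type_number_t *, mach_port_t *);
#else
typedef int kern_return_t; typedef uint64_t mach_vm_address_t, mach_vm_size_t;
#define KERN_SUCCESS         0
#define KERN_INVALID_ADDRESS 1
#endif

typedef struct { mach_vm_address_t start; mach_vm_size_t size; int prot, maxprot; } region_t;

/* Region source: fills *r with the first region at or above addr, like mach_vm_region(),
 * and returns KERN_INVALID_ADDRESS once nothing is mapped at or above addr. */
typedef kern_return_t (*next_region_fn)(void *ctx, mach_vm_address_t addr, region_t *r);

/* Returns the number of regions from start (up to max copied to out), or -1 on a real error.
 * KERN_INVALID_ADDRESS ("Error: 1" in the vmmap output above) only means the walk has passed
 * the last mapping, so it ends the loop instead of being reported as a failure. */
int walk_regions(next_region_fn next, void *ctx, mach_vm_address_t start, region_t *out, int max)
{
    mach_vm_address_t addr = start;
    int n = 0;
    for (;;) {
        region_t r;
        kern_return_t kr = next(ctx, addr, &r);
        if (kr == KERN_INVALID_ADDRESS) return n;
        if (kr != KERN_SUCCESS) {
            fprintf(stderr, "region query failed at 0x%llx: kr=%d\n", (unsigned long long)addr, kr);
            return -1;
        }
        if (n < max) out[n] = r;
        n++;
        addr = r.start + r.size;          /* the query rounds addr up to r.start; step past it */
        if (addr < r.start) return n;     /* wrapped at the top of the address space */
    }
}

#ifdef __APPLE__
kern_return_t mach_next_region(void *ctx, mach_vm_address_t addr, region_t *r)
{
    mach_vm_address_t a = addr; mach_vm_size_t sz = 0; mach_port_t obj;
    vm_region_basic_info_data_64_t info; mach_msg_type_number_t cnt = VM_REGION_BASIC_INFO_COUNT_64;
    kern_return_t kr = mach_vm_region(*(task_t *)ctx, &a, &sz, VM_REGION_BASIC_INFO_64,
                                      (vm_region_info_t)&info, &cnt, &obj);
    if (kr != KERN_SUCCESS) return kr;
    r->start = a; r->size = sz; r->prot = info.protection; r->maxprot = info.max_protection;
    return KERN_SUCCESS;
}
#endif

/* Constructed stand-in for mach_vm_region(): the three regions from the procexp output above. */
static const region_t sample_regions[] = {
    { 0x19e464000ULL, 0x19c000ULL,  1, 7 },
    { 0x19e600000ULL, 0x1a00000ULL, 1, 7 },
    { 0x1a0000000ULL, 0x8000000ULL, 1, 7 },
};
kern_return_t sample_next_region(void *ctx, mach_vm_address_t addr, region_t *r)
{
    (void)ctx;
    for (size_t i = 0; i < sizeof sample_regions / sizeof sample_regions[0]; i++)
        if (addr < sample_regions[i].start + sample_regions[i].size) { *r = sample_regions[i]; return KERN_SUCCESS; }
    return KERN_INVALID_ADDRESS;      /* what the real call returns at 0x1a8000000 in the listing */
}

static char *prot_str(int p, char s[4])   /* VM_PROT_READ=1, WRITE=2, EXECUTE=4 */
{
    s[0] = (p & 1) ? 'r' : '-'; s[1] = (p & 2) ? 'w' : '-'; s[2] = (p & 4) ? 'x' : '-'; s[3] = 0;
    return s;
}

int main(int argc, char **argv)
{
    region_t out[1024];
    int n;
    (void)argc; (void)argv;
#ifdef __APPLE__
    task_t task;
    if (argc > 1) {   /* real walk of a pid: needs root or the task_for_pid entitlement */
        kern_return_t kr = task_for_pid(mach_task_self(), atoi(argv[1]), &task);
        if (kr != KERN_SUCCESS) { fprintf(stderr, "task_for_pid: kr=%d\n", kr); return 1; }
        n = walk_regions(mach_next_region, &task, 0, out, 1024);
    } else
#endif
        n = walk_regions(sample_next_region, NULL, 0, out, 1024);
    for (int i = 0; i < n && i < 1024; i++) {
        char p[4], mp[4];
        printf("%016llx-%016llx [%7lluK] %s/%s\n", (unsigned long long)out[i].start,
               (unsigned long long)(out[i].start + out[i].size), (unsigned long long)(out[i].size >> 10),
               prot_str(out[i].prot, p), prot_str(out[i].maxprot, mp));
    }
    return n < 0;
}
```

Built with the wrapper from the first post and run against a pid on the device, the walk ends quietly after the last region instead of printing the "failed for address ... Error: 1" line; any other kern_return_t is still reported with the address it happened at.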

Re: vmmap(1) Listing

Postby darkknight » Fri Jul 08, 2016 12:53 pm

Hey!!

So yeah, I already used
Code:
procexp....regions
and dumped the contents from there. So that's trivial and all good. This is more along the lines of diving into coding/API use, etc....

BTW, does
Code:
procexp pid core
provide dumpdecrypted functionality?
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: vmmap(1) Listing

Postby morpheus » Sat Jul 09, 2016 6:57 am

Yes; That functionality is entirely transparent, brought to you courtesy of the Apple Protect Pager, which handles all that in kernel mode. By the time the process (or procexp) sees the memory, it is decrypted.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: vmmap(1) Listing

Postby darkknight » Sat Jul 09, 2016 3:40 pm

Administrator wrote:Yes; That functionality is entirely transparent, brought to you courtesy of the Apple Protect Pager, which handles all that in kernel mode. By the time the process (or procexp) sees the memory, it is decrypted.


Hmmmm, ok, this is the result I get for any process. And the resulting binary is not a valid Mach-O binary...

Code:
Ironman:~ root# ps aux | grep Skype
root       695   3.6  0.0   538432    496 s000  R+   10:33AM   0:00.01 grep Skype
mobile     684   0.0  4.6   840240  46868   ??  Ss   10:33AM   0:02.60 /var/mobile/Containers/Bundle/Application/86EB6F00-B5B2-4FD8-B52C-BADB85A50837/Skype.app/Skype
Ironman:~ root#
Ironman:~ root#
Ironman:~ root# procexp.universal 684 core
Failed to read c0000 bytes of memory from 102ce8000 - Error 10
Warning: Segment at 102ce8000 only read partially (0/c0000 bytes)
Failed to read 4000 bytes of memory from 102e20000 - Error 10
Warning: Segment at 102e20000 only read partially (0/4000 bytes)
Failed to read 4000 bytes of memory from 103168000 - Error 10
Warning: Segment at 103168000 only read partially (0/4000 bytes)
Failed to read 195c000 bytes of memory from 103400000 - Error 10
Warning: Segment at 103400000 only read partially (0/195c000 bytes)
Failed to read 8000 bytes of memory from 104dc8000 - Error 10
Warning: Segment at 104dc8000 only read partially (0/8000 bytes)
Failed to read 4000 bytes of memory from 104e08000 - Error 1
Warning: Segment at 104e08000 only read partially (0/4000 bytes)
Failed to read d0000 bytes of memory from 104efc000 - Error 10
Warning: Segment at 104efc000 only read partially (0/d0000 bytes)
Failed to read 74000 bytes of memory from 105098000 - Error 10
Warning: Segment at 105098000 only read partially (0/74000 bytes)
Failed to read c8000 bytes of memory from 10510c000 - Error 10
Warning: Segment at 10510c000 only read partially (0/c8000 bytes)
Failed to read b8000 bytes of memory from 1052a8000 - Error 10
Warning: Segment at 1052a8000 only read partially (0/b8000 bytes)
Failed to read 34000 bytes of memory from 105360000 - Error 10
Warning: Segment at 105360000 only read partially (0/34000 bytes)
Failed to read 498000 bytes of memory from 105fc0000 - Error 10
Warning: Segment at 105fc0000 only read partially (0/498000 bytes)
Failed to read 88000 bytes of memory from 16e0ac000 - Error 1
Warning: Segment at 16e0ac000 only read partially (0/88000 bytes)
Full core dumped to /tmp/core.684
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: vmmap(1) Listing

Postby morpheus » Sun Jul 24, 2016 2:45 am

The warnings on partially dumped segments are actually OK, since iOS sometimes swaps file-mapped pages back to the files whence they came. I'm wondering why the resulting file is not a Mach-O, however, since procexp does dump it and formats it as a Mach-O core file. Try "file" on it? And also make sure this is the latest procexp.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
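A checker for the core file itself, as an added example that is not procexp code: it validates the 64-bit Mach-O header (MH_MAGIC_64, filetype MH_CORE), walks the load commands with a bounds check on every cmdsize, and lists each LC_SEGMENT_64, flagging segments whose data on disk is smaller than their VM size, which is how the partially read segments in the transcript above end up in the dump. For reference, the kern_return_t values in those messages are KERN_MEMORY_ERROR (10) and KERN_INVALID_ADDRESS (1). The Mach-O structures are declared locally so the tool also builds on a non-Apple host; LC_THREAD and other commands are skipped. With no argument it runs on a two-segment core constructed in memory (addresses borrowed from the transcript, contents made up); pass a path, such as the /tmp/core.684 above, to check a real file. The helper names and the 512-segment cap are the example's own choices.

```c
/* Sanity-check a 64-bit Mach-O core file, such as the /tmp/core.<pid> that procexp writes,
 * and list its LC_SEGMENT_64 load commands. Added example for this thread, not procexp
 * code. The Mach-O structures are declared locally so it also builds on a non-Apple host. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu
#define MH_CORE       0x4u
#define LC_SEGMENT_64 0x19u

struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize; char segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};

typedef struct { uint64_t vmaddr, vmsize, fileoff, filesize; int partial; } core_seg;

/* Returns the number of LC_SEGMENT_64 commands (up to max copied to out), or -1 if buf is
 * not a well-formed 64-bit Mach-O core. partial is set when fewer than vmsize bytes of the
 * segment are actually present in the file (filesize < vmsize, or data past end of file). */
int core_segments(const uint8_t *buf, size_t len, core_seg *out, int max)
{
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC_64 || mh.filetype != MH_CORE) return -1;
    if (mh.sizeofcmds > len - sizeof mh) return -1;        /* load commands run off the file */
    size_t off = sizeof mh, end = off + mh.sizeofcmds;
    int n = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;   /* bogus cmdsize */
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 sc;
            memcpy(&sc, buf + off, sizeof sc);
            uint64_t avail = sc.fileoff < len ? len - sc.fileoff : 0;   /* bytes really on disk */
            if (avail > sc.filesize) avail = sc.filesize;
            if (n < max) {
                out[n].vmaddr = sc.vmaddr;   out[n].vmsize = sc.vmsize;
                out[n].fileoff = sc.fileoff; out[n].filesize = sc.filesize;
                out[n].partial = avail < sc.vmsize;
            }
            n++;
        }
        off += lc.cmdsize;
    }
    return n;
}

/* Constructed two-segment core: segment 1 fully backed by 0x20 bytes of data, segment 2
 * declaring 0x4000 bytes of VM with nothing on disk, i.e. a segment that was read partially.
 * Addresses are borrowed from the transcript above; the contents are made up. */
size_t build_sample_core(uint8_t *buf, size_t cap)
{
    size_t seg = sizeof(struct segment_command_64), hdr_end = sizeof(struct mach_header_64) + 2 * seg;
    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000c /* CPU_TYPE_ARM64 */, 0, MH_CORE, 2, (uint32_t)(2 * seg), 0, 0 };
    struct segment_command_64 s1 = { LC_SEGMENT_64, (uint32_t)seg, "", 0x102ce8000ULL, 0x20, hdr_end, 0x20, 3, 1, 0, 0 };
    struct segment_command_64 s2 = { LC_SEGMENT_64, (uint32_t)seg, "", 0x104e08000ULL, 0x4000, hdr_end + 0x20, 0, 3, 3, 0, 0 };
    size_t total = hdr_end + 0x20;
    if (cap < total) return 0;
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, &s1, seg);
    memcpy(buf + sizeof mh + seg, &s2, seg);
    memset(buf + hdr_end, 0x41, 0x20);
    return total;
}

int main(int argc, char **argv)
{
    uint8_t sample[256], *buf = sample;
    size_t len = build_sample_core(sample, sizeof sample);
    if (argc > 1) {                         /* check a real core instead of the sample */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); fseek(f, 0, SEEK_SET);
        if (sz < 0 || !(buf = malloc((size_t)sz))) { fclose(f); return 1; }
        len = fread(buf, 1, (size_t)sz, f);
        fclose(f);
    }
    core_seg segs[512];
    int n = core_segments(buf, len, segs, 512);
    if (n < 0) { fprintf(stderr, "not a 64-bit Mach-O core file\n"); return 1; }
    for (int i = 0; i < n && i < 512; i++)
        printf("%016llx-%016llx fileoff %llx filesize %llx%s\n", (unsigned long long)segs[i].vmaddr,
               (unsigned long long)(segs[i].vmaddr + segs[i].vmsize), (unsigned long long)segs[i].fileoff,
               (unsigned long long)segs[i].filesize, segs[i].partial ? "  (partial: not all bytes in dump)" : "");
    return 0;
}
```

If this rejects the file that "file" also does not recognise, the first 32 bytes tell you why: a header that is not 0xfeedfacf followed by filetype 4 is not a 64-bit Mach-O core at all, while a good header with a segment pointing past the end of the file means the dump was cut short.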

