To acquire a RAM image of Mac OS X systems, we prefer the 'Mac Memory Reader' application. It is a free command-line tool that supports almost all 32-bit and 64-bit Mac OS X versions.
Usage parameters
$ sudo ./MacMemoryReader -h
Password:
ATC-NY Mac Marshal Mac Memory Reader 3.0.2 ($Revision: 1.24 $)
Copyright (c) Architecture Technology Corporation. All rights reserved.
Usage: ./MacMemoryReader [-g] [-d] [-H hashtype] [-r] [-p] [-P] [-k] <filename>
    -g  print progress messages suitable for parsing by a GUI
    -d  print verbose debugging information to stderr
    -H  compute the given hash on the output data (where hashtype
        is one of MD5, SHA-1, SHA-256, or SHA-512); can be given
        multiple times; hash is printed on stderr
    -r  also copy "reserved" areas of memory, such as that used
        by shared-memory graphics adapters; EXPERIMENTAL
    -p  dump memory in plain raw DD format instead of Mach-O, then write
        a table of contents to stderr listing file offsets versus
        physical memory offsets
    -P  dump memory in plain raw DD format, inserting zeros for un-mapped
        regions in the memory map; no table of contents is needed,
        because file offsets will correspond to physical memory
        offsets, but the resulting file may be much larger than RAM
    -k  load the RAM dump kernel extension and set up /dev/mem and
        /dev/pmap, but do not dump memory; for EXPERTS ONLY
dumps physical memory to <filename> in Mach-O (the default) or
raw/DD format. The resulting file may be slightly larger than
physical memory due to the Mach-O header and alignment constraints.
If the filename is '-', memory is dumped to stdout.
Acquiring a RAM Image (Memory Dump)
$ sudo ./MacMemoryReader -H SHA-256 memory.img
No kernel file specified, using '/mach_kernel'
Dumping memory regions:
available 0000000000000000 (572.00 KB) [WRITTEN]
available 0000000000090000 (64.00 KB) [WRITTEN]
available 0000000000100000 (511.00 MB) [WRITTEN]
available 0000000020200000 (21.00 MB) [WRITTEN]
LoaderData 0000000021700000 (76.00 KB) [WRITTEN]
available 0000000021713000 (948.00 KB) [WRITTEN]
LoaderData 0000000021800000 (5.25 MB) [WRITTEN]
available 0000000021d41000 (764.00 KB) [WRITTEN]
LoaderData 0000000021e00000 (27.25 MB) [WRITTEN]
RT_data 0000000023940000 (200.00 KB) [WRITTEN]
RT_code 0000000023972000 (156.00 KB) [WRITTEN]
RT_data 0000000023999000 (4.00 KB) [WRITTEN]
LoaderData 000000002399a000 (196.00 KB) [WRITTEN]
available 00000000239cb000 (454.21 MB) [WRITTEN]
available [WRITTEN]
available 000000008ae8f000 (292.00 KB) [WRITTEN]
available 000000008aed8000 (156.00 KB) [WRITTEN]
available 000000008aeff000 (656.00 KB) [WRITTEN]
available 000000008afff000 (4.00 KB) [WRITTEN]
available 0000000100000000 (5.75 GB) [WRITTEN]
HASH: size=8498995200 SHA-256=12b1b795ff8b67e6f8d920c49b1230e9d9abcc9c0e172c46f0c345ed46afc8bb
Reported physical memory: 8589934592 bytes (8.00 GB)
Statistics for each physical memory segment type:
reserved: 6 segments, 82300928 bytes (78.49 MB) — assigned to unreadable device
LoaderCode: 2 segments, 516096 bytes (504.00 KB) — WRITTEN
LoaderData: 4 segments, 34361344 bytes (32.77 MB) — WRITTEN
BS_code: 66 segments, 3416064 bytes (3.26 MB) — WRITTEN
BS_data: 71 segments, 34652160 bytes (33.05 MB) — WRITTEN
RT_code: 1 segment, 159744 bytes (156.00 KB) — WRITTEN
RT_data: 2 segments, 208896 bytes (204.00 KB) — WRITTEN
available: 21 segments, 8425365504 bytes (7.85 GB) — WRITTEN
ACPI_recl: 1 segment, 126976 bytes (124.00 KB) — WRITTEN
ACPI_NVS: 1 segment, 176128 bytes (172.00 KB) — WRITTEN
MemMapIO: 3 segments, 184320 bytes (180.00 KB) — assigned to unreadable device
Total memory written: 8498982912 bytes (7.92 GB)
Total memory assigned to unreadable devices (not written): 82485248 bytes (78.66 MB)
Reported memory not in the physical memory map: 8466432 bytes (8.07 MB)
$ ls -lah memory.img
-rw-r--r-- 1 root wheel 7.9G Feb 25 14:46 memory.img
$ file memory.img
memory.img: Mach-O 64-bit core x86_64
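Added example (not part of the original post and not code from the tool): a Python check that re-hashes an acquired image and compares it with the size and digest on the HASH: line that -H prints on stderr. It assumes stderr was saved to a log and that each hash appears as a NAME=hex token on a HASH: line, as in the output above; the function names are hypothetical.

```python
import hashlib
import os
import re
import tempfile

# -H hash type names (from the usage text) mapped to hashlib names.
ALGOS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

def parse_hash_lines(log_text):
    """Return (size, {hashtype: hexdigest}) from 'HASH:' lines of saved stderr."""
    size, digests = None, {}
    for line in log_text.splitlines():
        if not line.startswith("HASH:"):
            continue
        for key, value in re.findall(r"(\S+)=(\S+)", line):
            if key == "size":
                size = int(value)
            elif key in ALGOS:
                digests[key] = value.lower()
    return size, digests

def verify_image(image_path, log_text, chunk_size=1 << 20):
    """Re-hash the image in chunks; return {check: bool} for size and each hash."""
    size, expected = parse_hash_lines(log_text)
    if size is None or not expected:
        raise ValueError("no usable HASH line in acquisition log")
    hashers = {name: hashlib.new(ALGOS[name]) for name in expected}
    total = 0
    with open(image_path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            total += len(block)
            for h in hashers.values():
                h.update(block)
    result = {"size": total == size}
    result.update({n: h.hexdigest() == expected[n] for n, h in hashers.items()})
    return result

if __name__ == "__main__":
    # Constructed sample: a small stand-in file and a log line built to match it.
    data = os.urandom(4096)
    path = os.path.join(tempfile.mkdtemp(), "memory.img")
    with open(path, "wb") as fh:
        fh.write(data)
    log = "Dumping memory regions:\nHASH: size=%d SHA-256=%s\n" % (
        len(data), hashlib.sha256(data).hexdigest())
    print(verify_image(path, log))   # checks against the untouched file
    with open(path, "ab") as fh:
        fh.write(b"\x00")            # simulate a copy that changed after acquisition
    print(verify_image(path, log))   # checks against the altered file
```

Running the same check on every working copy of the image ties each copy back to the values recorded at acquisition time.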
Author: Ozan UÇAR // ozan.ucar@bga.com.tr