Saturday, November 15, 2014

Viewing Thread Information in Mac Memory

This is a short post about my mac_threads plugin. The plugin analyzes process/task threads in an OS X memory image. For each thread it reports the saved registers, the process argument (exec string), stack information, the start address, the owning user id, debugging state, priority, and more. Output can be filtered to a single process id or can cover the threads of every process in the image.


Plugin Use Cases:

  • Identify the owner/uid of a thread.
  • Detect DTrace probing of a process.
  • Detect hardware (debug register) debugging of a thread.
  • View the execution state of each thread.

You can grab the plugin from my GitHub repository [1].

References
[1] https://github.com/siliconblade/volatility/blob/master/mac/threads.py
