How to access /dev/mem in OSX?

macos command-line kernel virtual-memory

How I can access /dev/mem (or /dev/kmem, /dev/pmap) equivalent device in OSX?

As far as I know it was removed in some point.

Can I create this node manually somehow or any other way of dumping the physical memory?

See:

  • Visualization in testing a volatile memory forensic tool
  • Kernel Debug Kit OS X

Solution 1:

According to Accessing Kernel Memory on the x86 Version of Mac OS X, /dev/mem and /dev/kmem were removed when Apple released OS X for Intel processors.

The (excellent) article also explains how to reenable the memory devices, namely using the kmem=1 kernel boot argument.

Note that, as commented below by neal, in macOS 10.15 Catalina (and probably since macOS 10.12 Sierra), NVRAM settings can only be changed when your Mac is booted into recovery mode. To enter Recovery mode, power on your Mac and immediately hold -R until the logo appears, launch Terminal from the Utilities menu in the menu bar, run:

sudo nvram boot-args="kmem=1"

and reboot. You should see these two devices:

$ ls -l /dev/*mem
crw-r----- 1 root kmem 3, 1 2014-02-28 22:09 /dev/kmem
crw-r----- 1 root kmem 3, 0 2014-02-28 22:09 /dev/mem

(In previous versions of macOS like OS X Mavericks 10.9.2, you can reenable the memory devices within the operating system, so simply launch Terminal, type the command above and reboot.)

If your Mac won't boot or you have any issues, reset the NVRAM by pressing optionPR and holding the keys down until you hear the startup sound for the second time, as explained in "Resetting NVRAM / PRAM" in KB HT1379 About NVRAM and PRAM.

If you wish to reset the argument, type sudo nvram -d boot-args and check that nvram -p | grep boot-args does not print any results.

Solution 2:

I think I got it to work on macOS Sierra! I downloaded comex's project: Kmem Project I compiled the kext, fixed the permissions and then loaded it! Using terminal I went into /dev and ls showed both mem and kmem...

Edit: If you download the project you will just need to change the compiler in Xcode to use the latest ( for example... I don't know if other versions work though... ) For quick access to results I have already made a fork of comex's project which compiles on macOS Sierra! Kmem for Sierra Fork

Again, this is comex's work, not mine, I just changed the compiler setting and uploaded it! :)

Related

How can I uninstall Safari Technology Preview?
Send notification from command line [duplicate]
How to force MacOS to regenerate /etc/resolv.conf file?
macOS: Is there a way to maximize a window but does not go full-screen?
How to fix Run-time error 53 every time I open a document in Word or a worksheet in Excel on Big Sur?
Is it possible to view passwords through Terminal?
If I upgrade to iOS 5, can I restore a 4.2 backup?
Safari 6 rendering issues/artifacts (on Mountain Lion)
Are there keyboard mappings to make Ubuntu more like MacOS?
Command line tool to convert DOC and DOCX files to PDF
Does the Apple Genius Bar replace Macbook Air battery on site?
Forcing the wifi password entry dialogue to display