Ulf Frisk edited this page Jan 19, 2025 · 2 revisions

MemProcFS on macOS

MemProcFS is supported on macOS with some limitations (see below). However, MemProcFS will only analyze Windows memory images, not Linux or macOS memory!

MemProcFS is dependent on macFuse which may be downloaded and installed from here.

Limitations:

  • MemProcFS as a mounted file system depends on macFuse which requires a .kext to be installed.
  • MemProcFS API availability is: C/C++/Rust. Python and Java APIs are not yet supported on macOS.

Building:

MemProcFS is dependent on macFuse. When building, it's recommended to have Xcode installed, as well as macFuse via Homebrew.

Example Build Commands:

~$  brew install macfuse
~$  mkdir build
~$  cd build
~/build$  git clone https://github.com/ufrisk/LeechCore
~/build$  git clone https://github.com/ufrisk/MemProcFS
~/build$  cd LeechCore/leechcore
~/build/LeechCore/leechcore$  make -f Makefile.macos
~/build/LeechCore/leechcore$  cd ../../MemProcFS/vmm
~/build/MemProcFS/vmm$  make -f Makefile.macos
~/build/MemProcFS/vmm$  cd ../memprocfs
~/build/MemProcFS/memprocfs$  make -f Makefile.macos
~/build/MemProcFS/memprocfs$  cd ../files
### NOTE! Before running memprocfs it's recommended to copy the file 'info.db' from the latest binary
### release at https://github.com/ufrisk/MemProcFS/releases/latest and put it alongside the memprocfs binary.
### info.db is an SQLite database which contains common type and symbol offsets required for some tasks.
~/build/MemProcFS/files$  ./memprocfs -device <your_dumpfile_or_device> -mount <your_full_mount_point>
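
A pre-flight check for the prerequisites named above (macFuse installed, info.db beside the memprocfs binary, a full mount point path), as an added example that is not part of MemProcFS. The function names, the `MACFUSE_DIR` variable, the default macFuse install path and the requirement that the mount directory already exists are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of MemProcFS): pre-flight checks before mounting.

# Assumption: macFUSE's default install location; override via MACFUSE_DIR.
macfuse_installed() {
    [ -d "${MACFUSE_DIR:-/Library/Filesystems/macfuse.fs}" ]
}

# True if $1 starts with the SQLite 3 file header string "SQLite format 3".
is_sqlite3() {
    [ -r "$1" ] && [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# True if $1 is a full (absolute) path to an existing directory.
# Assumption: the mount point directory is created before mounting.
is_full_mount_point() {
    case "$1" in
        /*) [ -d "$1" ] ;;
        *)  return 1 ;;
    esac
}

# usage: preflight <dir_containing_memprocfs> <full_mount_point>
# Reports every failed check on stderr; returns 0 only if all pass.
preflight() {
    rc=0
    macfuse_installed || { echo "macFuse not found" >&2; rc=1; }
    [ -x "$1/memprocfs" ] || { echo "no memprocfs binary in $1" >&2; rc=1; }
    is_sqlite3 "$1/info.db" ||
        { echo "info.db missing beside memprocfs, or not SQLite" >&2; rc=1; }
    is_full_mount_point "$2" ||
        { echo "mount point must be a full path to a directory: $2" >&2; rc=1; }
    return "$rc"
}

# Run only when called with both arguments, e.g.:
#   sh preflight.sh ~/build/MemProcFS/files /Users/me/mnt   (paths are examples)
if [ "$#" -eq 2 ]; then
    if preflight "$1" "$2"; then echo "ready to run memprocfs"; fi
fi
```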