memdumpx for macOS
memdumpx is a further-developed macOS successor to the original readmem tool. It is now written in Swift, adds improved diagnostics and workflow features, and has been verified to work on Apple Silicon Macs.
The original C implementation came from readmem by fG!: gdbinit/readmem.
- The active implementation is Swift in memdumpx/memdumpx.swift.
- The upstream project for the original C implementation is gdbinit/readmem.
- The project is macOS-only.
- bin/compile.sh is the supported build path.
- Entitlements.macOS.plist is the active signing configuration.

bin/compile.sh

This compiles bin/memdumpx, signs it with Entitlements.macOS.plist, and prints signature verification details.
Inspect attachability and important regions:
./bin/memdumpx --diagnose-pid -p <pid>
./bin/memdumpx --diagnose-pid --verbose-diagnose -p <pid>
./bin/memdumpx --diagnose-pid --diagnose-json -p <pid>
Read memory:
./bin/memdumpx -p <pid>
./bin/memdumpx -p <pid> -a 0xADDRESS -s 64
./bin/memdumpx -p <pid> -s 64 -o /tmp/dump.bin
If -a is omitted for read or dump operations, memdumpx resolves the main binary address automatically.
Locate or dump the main binary:
./bin/memdumpx -p <pid> -m
./bin/memdumpx -p <pid> -m -o /tmp/main-binary
Write memory:
./bin/memdumpx -p <pid> -a 0xADDRESS -s 1 -w -b CC
Write mode requires an explicit -a.
- task_for_pid still depends on macOS security policy and the target process being attachable.
- System processes and non-debuggable apps will still be denied even when memdumpx is signed correctly.