Dump memory | Notion

Some application store sensitive information in memory.

Objection

List modules

* on (iPhone: 14.6) [usb] # memory list modules
Save the output by adding `--json modules.json` to this command
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
DVIA-v2                              0x104678000  3817472 (3.6 MiB)    /private/var/containers/Bundle/Application/789ED0D5-7FB1-4148-B102-1EF9ED19...
libc++.1.dylib                       0x1b1537000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libsqlite3.dylib                     0x1b6201000  1568768 (1.5 MiB)    /usr/lib/libsqlite3.dylib
libz.1.dylib                         0x1e57fc000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
Bolts                                0x104da8000  65536 (64.0 KiB)     /private/var/containers/Bundle/Application/789ED0D5-7FB1-4148-B102-1EF9ED19...
CoreUtils                            0x1a895c000  1683456 (1.6 MiB)    /System/Library/PrivateFrameworks/CoreUtils.framework/CoreUtils
libFontParser.dylib                  0x1d6803000  1294336 (1.2 MiB)    /System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dyli...
IOSurface                            0x1bdf62000  73728 (72.0 KiB)     /System/Library/Frameworks/IOSurface.framework/IOSurface
---SNIP-----
SAObjects                            0x1b3d2c000  487424 (476.0 KiB)   /System/Library/PrivateFrameworks/SAObjects.framework/SAObjects
MediaRemote                          0x1a86d8000  2637824 (2.5 MiB)    /System/Library/PrivateFrameworks/MediaRemote.framework/MediaRemote
SiriInstrumentation                  0x1bd634000  757760 (740.0 KiB)   /System/Library/PrivateFrameworks/SiriInstrumentation.framework/SiriInstrum...
VoiceServices                        0x1b3da3000  290816 (284.0 KiB)   /System/Library/PrivateFrameworks/VoiceServices.framework/VoiceServices
RemoteTextInput                      0x1db950000  65536 (64.0 KiB)     /System/Library/PrivateFrameworks/RemoteTextInput.framework/RemoteTextInput
MediaServices                        0x1b1211000  266240 (260.0 KiB)   /System/Library/PrivateFrameworks/MediaServices.framework/MediaServices
SiriTTS                              0x1ca103000  6234112 (5.9 MiB)    /System/Library/PrivateFrameworks/SiriTTS.framework/SiriTTS
libedit.3.dylib                      0x1e4cfb000  118784 (116.0 KiB)   /usr/lib/libedit.3.dylib
libncurses.5.4.dylib                 0x1b5c94000  196608 (192.0 KiB)   /usr/lib/libncurses.5.4.dylib
CallKit                              0x1bb598000  405504 (396.0 KiB)   /System/Library/Frameworks/CallKit.framework/CallKit
dyld                                 0x10503c000  442368 (432.0 KiB)   /usr/lib/dyld
* on (iPhone: 14.6) [usb] #

Dump

Dump memory from all modules

* on (iPhone: 14.6) [usb] # memory dump all /Users/iron/Documents/DVIA-v2/dvia_dump.txt
Will dump 255 rw- images, totalling 864.7 MiB
Dumping 32.0 MiB from base: 0x1f4000000  [###################################-]   98%  00:00:00  
(frida:16045): GLib-GIO-WARNING **: 15:29:57.774: _g_dbus_worker_do_read_cb: error determining bytes needed: Blob indicates that message exceeds maximum message length (128MiB)
Dumping 128.0 MiB from base: 0x1f6000000  [###################################-]   99%  00:00:00 (session detach message) server-terminated
Dumping 512.0 MiB from base: 0x280000000  [####################################]  100%           
Memory dumped to file: /Users/iron/Documents/DVIA-v2/dvia_dump.txt
* on (iPhone: 14.6) [usb] #

Search for the files for sensitive data

iron@MacOS DVIA-v2 % ls -la
total 557600
drwxr-xr-x  12 eh  staff        384 18 Jun 15:29 .
drwx------@ 15 eh  staff        480  9 Jun 13:56 ..
drwxr-xr-x  12 eh  staff        384  2 Jun 14:51 .git
drwxr-xr-x   3 eh  staff         96  2 Jun 14:51 .github
drwxr-xr-x   9 eh  staff        288  2 Jun 14:51 DVIA-v2
-rw-r--r--   1 eh  staff   45350777 16 Jun 12:12 DVIA-v2-swift-frida-codesigned.ipa
-rw-r--r--   1 eh  staff   20307491  2 Jun 14:51 DVIA-v2-swift.ipa
-rw-r--r--   1 eh  staff       1077  2 Jun 14:51 LICENSE
drwxr-xr-x   3 eh  staff         96 19 Apr  2018 Payload
drwxr-xr-x   4 eh  staff        128 16 Jun 16:13 Payload-signed
-rw-r--r--   1 eh  staff       2180  2 Jun 14:51 README.md
-rw-r--r--   1 eh  staff  219824128 18 Jun 15:29 dvia_dump.txt

iron@MacOS DVIA-v2 % strings dvia_dump.txt | grep -i 'password'
password's
ng their username and password. Original Idea by Krause.
A user is often asked to enter their iTunes password by iOS. This could be to update the apps, operating system or a failure with the connection to iCloud etc. These pop-ups sometimes overlay existing running apps. Users are generally unaware of the fact that the exact same pop-up can be generated by the running app itself thereby tricking the user into entering their username and password. Original Idea by Krause..
ct that the exact same pop-up can be generated by the running app itself thereby tricking the user into entering their username and password. Original Idea by Krause.
 @@"FLHSA2PasswordResetNotification"
 @@"_SFPasswordCredential"
@@?<v@?@"_SFPasswordCredential"@"NSString"@"NSError">
 @@"_SFPasswordCredential"
password secretMaster Key IdetBacku Publickey
eh@Ethicals-MacBook-Pro DVIA-v2 %