Memory Dumps

There are many applications and scripts available to dump the process memory. The easiest way is to use the Fridump tool.
FRIDUMP

Connect your iOS device to the Mac via the USB cable.

  1. Run frida-ps to get the exact name of the app you are testing.

    frida-ps -Uai
  2. Run fridump against the mobile app.

    python3 fridump.py -U 'AppName'
  3. This will dump all of the memory regions associated with the app. The files will be named something like 0x1a7400000_dump.data and will be binary files. You can run the strings command against these files, or instruct fridump to perform this step for you.

    Command Options:

    -o output directory
    -s (automatically run the strings command against the output files)
    -U (connect to the device over the USB cable)

  4. The “strings.txt” file will also be stored in the output directory that was specified. Review that file for sensitive information.

Attack Vector

Be careful what you report from a memory dump. If an attacker gets physical access to a device that is not already jailbroken, the attacker will not be able to access memory contents: jailbreaking the device requires a complete restart, which clears any active memory pages.

Memory Search Using Objection

If you want to search memory for a specific string, you can use Objection. It will search memory, show you the offset address where the string was found, and then let you dump that region to a file.

objection -g 'exampleapp' explore

exampleapp on (iPhone: 12.4) [usb] ## memory search steve --string
Searching for: 75 33 38 37 39 33 32
11179fb03 75 33 38 37 39 33 32 00 00 00 00 00 00 10 f4 99 steve.........
11179fb13 b2 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
11179fb23 00 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Pattern matched at 1 address
exampleapp on (iPhone: 12.4) [usb] #

If you want to dump the memory address where the data was found:

exampleapp on (iPhone: 12.4) [usb] # memory dump from_base 0x11179fb03 1024 username.bin
Dumping 1.0 KiB from 0x11179fb03 to username.bin
Memory dumped to file: username.bin

exampleapp on (iPhone: 12.4) [usb] # !strings username.bin
Running OS command: strings username.bin

steve
https://host.exampleapp.com/ExampleApp/ds/users/STEVE
content-type: application/json;charset=UTF-8

exampleapp on (iPhone: 12.4) [usb] #

Memory Dump – Objection Style

Objection can also be used to dump all memory segments allocated to the running process. Keep in mind that this process sometimes kills the app when it accesses the memory segments.

exampleapp on (iPhone: 12.4) [usb] # memory dump all appMemoryDump
Will dump 569 rw- images, totalling 859.6 MiB
Dumping 512.0 MiB from base: 0x280000000 [####################################] 100%
Memory dumped to file: appMemoryDump

exampleapp on (iPhone: 12.4) [usb] # !ls appMemoryDump
Running OS command: ls appMemoryDump

appMemoryDump

exampleapp on (iPhone: 12.4) [usb] #

At this point, you can run strings against the output file (which will be in binary format) and review the information that it contains.

strings appMemoryDump > appMemoryDump.txt
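As an added example, not part of this page or of the fridump and objection projects: a small Python post-processor for the binary dump files both tools produce (fridump's 0x..._dump.data files, objection's appMemoryDump). Beyond what a plain strings run gives you, it also extracts UTF-16LE runs, which is how many NSString values sit in iOS process memory and which the default strings invocation skips, and it flags URLs, JWT-shaped tokens, Authorization headers and a caller-supplied keyword together with their file offset. The sample dump, the username and the token in it are constructed.

```python
import re
import sys
from typing import Iterable, Iterator, List, Tuple
MIN_LEN = 6  # same idea as `strings -n 6`: skip short runs of noise

# Illustrative patterns a reviewer looks for in a dump; extend to suit the app.
SENSITIVE = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "auth-header": re.compile(r"(?i)authorization:\s*\S+\s+\S+"),
}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for printable runs in a raw dump. Scans for
    7-bit ASCII and for UTF-16LE, because NSString content in an iOS process is
    often stored as UTF-16 and a default `strings` run (ASCII only) misses it."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_sensitive(data: bytes, keywords: Iterable[str] = ()) -> List[Tuple[int, str, str, str]]:
    """Return (offset, encoding, category, text) for strings matching a pattern or keyword."""
    hits = []
    for offset, enc, text in extract_strings(data):
        for name, pattern in SENSITIVE.items():
            for m in pattern.finditer(text):
                hits.append((offset, enc, name, m.group()))
        for kw in keywords:
            if kw.lower() in text.lower():
                hits.append((offset, enc, "keyword:" + kw, text))
    return sorted(hits)

# Constructed sample (not a real capture): a UTF-16 username, a URL, a header
# block with a placeholder token, and binary padding, laid out like a heap page.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "steve.walker".encode("utf-16le")
    + b"\xff\x10\xf4\x99"
    + b"https://host.exampleapp.com/ExampleApp/ds/users/STEVE\x00"
    + b"content-type: application/json;charset=UTF-8\n"
    + b"authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdGV2ZSJ9.placeholder_sig\x00"
    + b"\x00\x01\x02" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for off, enc, cat, text in find_sensitive(data, keywords=sys.argv[2:] or ["steve"]):
        print(f"0x{off:08x} {enc:8} {cat:14} {text[:80]}")
```

Run it as `python3 scan_dump.py appMemoryDump steve` to scan a real dump for the patterns plus your own keyword; without arguments it scans the embedded sample.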