IOKit Reverse

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby Andrew » Tue Jul 21, 2015 4:01 pm


I have some questions related to IOKit which I have trouble understanding. Without source code, and only by referring to the disassembled code, how do I know 1) the name of the IOService in that IOKit driver, 2) how many functions it exposes to user land, and 3) which selector is related to which function?

Thanks in advance.

Re: IOKit Reverse

Postby morpheus » Fri Jul 24, 2015 2:00 pm

Great question. I'm actually talking about it in three weeks in our OS X/iOS Reverse Engineering training... There's actually a surprising amount of information in the disassembly that will tell you all you asked about and much more. The name of the IOService will usually be visible clearly as a string. This will be passed in a call to constructors. For example:

morpheus@Zephyr (~)$ otool -tV /System/Library/Extensions/AppleMobileFileIntegrity.kext/Contents/MacOS/AppleMobileFileIntegrity  | more
(__TEXT,__text) section
00000000000007b9        leaq    0x2777(%rip), %rsi      ## literal pool for: "AppleMobileFileIntegrityUserClient"
00000000000007c0        movq    0x3841(%rip), %rdx
00000000000007c7        movl    $0xe8, %ecx
00000000000007cc        callq   __ZN11OSMetaClassC2EPKcPKS_j

If you pass the output of otool (or on ARM, jtool) through c++, the mangled names will assume meaning and give you prototype declarations too, e.g. the above:

00000000000007cc        callq   OSMetaClass::OSMetaClass(char const*, OSMetaClass const*, unsigned int)

A lot of your other questions are discussed in a nice presentation ... Xiaobo.pdf, which covers the rest.
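As an added example (not code from the original post, and not part of the kext being discussed), here is a small Python script that mechanizes the string-spotting technique morpheus describes: it scans `otool -tV` output for calls to the `OSMetaClass` constructor and recovers, for each registered class, the class-name string loaded into `%rsi`, the instance size passed in `%ecx`, and the address of the call. The sample input embeds the four lines quoted above followed by a second, hypothetical registration block (the second class name and its size `0x120` are constructed for illustration). The `UserClient` suffix heuristic is an assumption of this example, not something the post states.

```python
"""Recover IOKit class registrations from `otool -tV` output.

Every OSObject subclass in a kext is registered by a static OSMetaClass
constructor call. On x86-64 (System V ABI) the arguments land in:
    %rdi  this (the OSMetaClass object being constructed)
    %rsi  const char *className      <- the string otool annotates
    %rdx  const OSMetaClass *superClass
    %ecx  unsigned int classSize     <- sizeof(the class)
so a class-name string loaded into %rsi followed by a callq to the
constructor identifies one registered class. ARM64 output (jtool) uses
x0..x3 instead and is not handled here.
"""
import re
from collections import namedtuple

# Mach-O symbols carry a leading underscore, so the C++ symbol
# _ZN11OSMetaClassC2EPKcPKS_j appears as __ZN11OSMetaClassC2EPKcPKS_j.
# C1 and C2 are the complete- and base-object constructor variants.
OSMETACLASS_CTORS = {
    "__ZN11OSMetaClassC1EPKcPKS_j",
    "__ZN11OSMetaClassC2EPKcPKS_j",
}

OSClass = namedtuple("OSClass", "call_addr name instance_size")

_LEA_RSI = re.compile(
    r'^([0-9a-f]+)\s+leaq\s+\S+\(%rip\),\s*%rsi\s+##\s*literal pool for:\s*"([^"]*)"')
_MOV_ECX = re.compile(r'^([0-9a-f]+)\s+movl\s+\$(0x[0-9a-fA-F]+|\d+),\s*%ecx')
_CALL = re.compile(r'^([0-9a-f]+)\s+callq\s+(\S+)')


def find_os_classes(otool_text):
    """Return one OSClass per OSMetaClass constructor call found in the text."""
    classes = []
    pending_name = None   # last class-name string loaded into %rsi
    pending_size = None   # last immediate moved into %ecx
    for line in otool_text.splitlines():
        m = _LEA_RSI.match(line)
        if m:
            pending_name = m.group(2)
            continue
        m = _MOV_ECX.match(line)
        if m:
            pending_size = int(m.group(2), 0)   # accepts 0x.. and decimal
            continue
        m = _CALL.match(line)
        if not m:
            continue
        if m.group(2) in OSMETACLASS_CTORS and pending_name is not None:
            classes.append(OSClass(int(m.group(1), 16), pending_name, pending_size))
        # Any call ends the argument-setup window; forget stale operands.
        pending_name = pending_size = None
    return classes


def user_client_names(classes):
    """Heuristic (an assumption of this example, not a rule): IOUserClient
    subclasses are conventionally named <Service>UserClient, and those are
    the classes that expose selectors to user land."""
    return [c.name for c in classes if c.name.endswith("UserClient")]


# Constructed sample input: the four lines quoted in the post followed by a
# second, hypothetical registration block (its name and size are made up).
SAMPLE_OTOOL = """\
(__TEXT,__text) section
00000000000007b9        leaq    0x2777(%rip), %rsi      ## literal pool for: "AppleMobileFileIntegrityUserClient"
00000000000007c0        movq    0x3841(%rip), %rdx
00000000000007c7        movl    $0xe8, %ecx
00000000000007cc        callq   __ZN11OSMetaClassC2EPKcPKS_j
00000000000007d1        leaq    0x2790(%rip), %rsi      ## literal pool for: "AppleMobileFileIntegrity"
00000000000007d8        movq    0x3830(%rip), %rdx
00000000000007df        movl    $0x120, %ecx
00000000000007e4        callq   __ZN11OSMetaClassC2EPKcPKS_j
"""

if __name__ == "__main__":
    found = find_os_classes(SAMPLE_OTOOL)
    for c in found:
        print(f"{c.call_addr:#x}  {c.name:<40} sizeof = {c.instance_size:#x}")
    print("likely user clients:", ", ".join(user_client_names(found)))
```

To run it against a real kext, replace `SAMPLE_OTOOL` with the text of `otool -tV <kext binary>`; the instance size recovered from `%ecx` is a useful cross-check when you later try to line up a class's vtable and member layout in the disassembler.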
