Obtaining a task port in a kext

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby TheDarkKnight » Wed Dec 16, 2015 11:12 am

In a kernel extension, it's possible to get access to a process's mach task via the void* task in the process structure.
Assuming we can cast this to a task_t, to do anything useful I assume we need a task port. It appears that the functions which are available in standard UNIX reside only within Apple's private kernel frameworks.

So, is acquiring a task port possible from within a kernel extension and if so, how?
Thanks ;O)

Re: Obtaining a task port in a kext

Postby morpheus » Wed Dec 16, 2015 6:03 pm

So, first of all, if the question is "is it possible to do ______ from a kext", the answer is a resounding "Yes". If you have code executing in kernel space, the OS is your oyster. Yes, Apple will prevent you from using certain KPIs, claiming they are "unsupported" or "private", or even just not export them, but that won't discourage anyone who's serious about it. It's just a matter of how creative (or convoluted) you might need to get in order to obtain the kernel funcs you call.

Specifically per your question, the common trick is to have your kext run as an accomplice for a user mode process. The user mode process submits a PID (via some /dev, or some IOKit UserClient or property you may choose to export), the kext looks up its proc_t, and then converts it to a task port. You can see how that's done in http://newosxbook.com/src.jl?tree=xnu&f ... sk_to_port . It calls ipc_port_make_send (http://newosxbook.com/src.jl?tree=xnu&f ... _make_send). You might want to call that directly because the wrapper actually consumes your task. When you get the send right, copy it to the requestor's task IPC space, and you own it.

Re: Obtaining a task port in a kext

Postby TheDarkKnight » Mon Jan 04, 2016 3:02 pm

Happy New Year and thank you for the reassurance of what's possible here.

It's exactly the area I've been looking into, using the open sources, but hitting lots of dead ends in trying to link to various members of the task structure. I expect that copying the structures into the kext code is the only (creative) method here to get the required definitions, or is there an easier way that's less fragile if the structures were to change in future OS updates?

Re: Obtaining a task port in a kext

Postby morpheus » Thu Jan 07, 2016 9:45 pm

Unfortunately, not. For one, AAPL doesn't acknowledge that these structs and some APIs even exist. For two, they can rapidly mutate. Your kext could check the kern version to avoid crashing on unknown kernel versions, though. If you have a specific example in mind, I could probably give you a pointer or two.

Happy New Year to you, too!

Re: Obtaining a task port in a kext

Postby TheDarkKnight » Tue Jan 12, 2016 11:13 am

I see that an alternative technique to copying the required source structures is to load the kernel binary into memory and resolve them that way, as described in section 3.4 of this article: http://www.phrack.org/papers/revisiting-mac-os-x-kernel-rootkits.html

Assuming that function definitions do not change, is this not a much better technique than including structures from the kernel code, as a function declaration is less likely to change between OS X updates than the function body?

Re: Obtaining a task port in a kext

Postby morpheus » Wed Jan 13, 2016 10:31 am

Function declarations are always a better way, but you can't be certain these don't change, either. I would stick with dynamically figuring out the kernel version (easy) and then adapting structures accordingly. Another sanity check could be to bit-mask values you get, for example pointers, to see that they are indeed kernel addresses (slid or not, whatever). Resolving won't work reliably in iOS, as Apple is stripping more and more.