Sierra documentation and debug kernel

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby Dipti » Wed Jul 20, 2016 10:44 am

Hi,

I want to get a pointer to the syscall table in memory. The code that works on El Capitan fails to work on Sierra. And I am kind of stuck, as for Sierra neither a debug kernel version is available yet nor any documentation. Can you please give me some suggestions on how to proceed with this?

Also, I am looking for what's new in Sierra from an end-user as well as a developer point of view. Is there any official Apple page that has this information available?

Any suggestion would be of great help.

Thank you
Regards,
Dipti
Dipti
 
Posts: 16
Joined: Wed Jul 20, 2016 10:32 am

Re: Sierra documentation and debug kernel

Postby morpheus » Wed Jul 20, 2016 10:58 am

Joker does exactly that, works on Sierra kernels, and is updated to show all of the syscall table. Though it is designed to work on dumps, it is open source and can easily be adapted to work on memory.

As for Apple documentation, I've no idea. I don't really follow it, or the lack of it.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Sierra documentation and debug kernel

Postby Dipti » Thu Jul 21, 2016 7:05 am

Thanks for your reply. But I see the Joker available for download has not been updated for Sierra and is as per OS X 10.11.

After going through the Joker code, if I understand correctly, below is the code which calculates the pointer to the syscall table in memory.

/* Locate the kernel's const data section by "segment.section" name.
 * On 10.11 the sysent table lives in __DATA.__const; the lookup returns
 * NULL when the section is absent, so check before dereferencing. */
struct section_64 *segDC = MachOGetSection((unsigned char *) "__DATA.__const");
if (segDC == NULL)
{
    fprintf(stderr, "__DATA.__const not found\n");
    return;
}

/* File offset of the section; the same field is used for 32- and 64-bit. */
int offset = segDC->offset;
int i = 0 ;
char *pos = mmapped + offset;     /* section bytes in the mapped image */

int adv = 8;                      /* scan at 8-byte (pointer) granularity */

for (i = 0; i < segDC->size ; i+=adv)
{
    /* SIG_SYSCALL_3 is an 8-byte pattern from the sysent entry of syscall 3. */
    if (memcmp(&pos[i], SIG_SYSCALL_3, 8) == 0)
    {
        // if (memcmp (&pos[i] + 0x18, SIG_SYSCALL_3,8) == 0) printf("DOUBLE BINGO\n");
        /* Back off from the matched field to the start of sysent[0]:
         * 0x10 into the entry, three entries of 0x18 bytes before it. */
        sysent = pos +i - 0x10 - (3 * 0x18 );

        /* Same arithmetic on the section's virtual address. */
        sysentAddr = segDC->addr + i - 0x10 - (3 * 0x18 );
        // Can double check since same sig is also at + 0x18 from here..
        // Bingo!
        break;
    }
}


I had done something similar in my sample code, which works perfectly on 10.11. But it failed to find the __const section in the DATA segment on Sierra. The output of "otool -l" on Sierra shows that it does not have a __const section in the DATA segment.

Have you made any modifications to this Joker code to make it work on Sierra and get the sysent address? It would be helpful if you could give some guidelines. Thanks.
Dipti
 
Posts: 16
Joined: Wed Jul 20, 2016 10:32 am

Re: Sierra documentation and debug kernel

Postby Dipti » Thu Jul 21, 2016 9:11 am

OK, I got it resolved. Sierra has introduced a new segment named __CONST.

Your Jtool was really useful in this research :). Thanks.
Dipti
 
Posts: 16
Joined: Wed Jul 20, 2016 10:32 am
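The fix the thread arrives at, as an added example in C that is not Joker's code and not from any of the posts above: look the const section up by "segment.section" name, trying the 10.11 location (__DATA.__const) first and the new Sierra __CONST segment second, then run the same stride-8 signature scan and 0x10 + 3 * 0x18 back-off as the posted snippet to derive the sysent address. It builds on a constructed in-memory Mach-O image rather than a real kernel, so it runs anywhere. Assumptions: the Sierra section is named __CONST.__constdata (the thread only names the segment), the 8-byte signature DEMO_SIG stands in for SIG_SYSCALL_3, and build_image, find_section, find_const_section, find_sysent_addr and demo_layout are names chosen here.

```c
/* Added example (not Joker's code). Mach-O section lookup with the Sierra
 * __CONST fallback, followed by the signature scan from the thread.
 * The image, signature and the __constdata name are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal Mach-O 64 definitions with the same layout as Apple's
 * <mach-o/loader.h>, reproduced so this builds on any platform. */
#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT_64 0x19u
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize; char segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    int32_t maxprot, initprot; uint32_t nsects, flags;
};
struct section_64 {
    char sectname[16], segname[16]; uint64_t addr, size;
    uint32_t offset, align, reloff, nreloc, flags, reserved1, reserved2, reserved3;
};

/* Walk the load commands for section "seg.sect"; NULL if absent or malformed. */
static const struct section_64 *find_section(const uint8_t *img, size_t len,
                                             const char *seg, const char *sect)
{
    const struct mach_header_64 *mh = (const struct mach_header_64 *)img;
    if (len < sizeof *mh || mh->magic != MH_MAGIC_64) return NULL;
    size_t off = sizeof *mh;
    for (uint32_t c = 0; c < mh->ncmds; c++) {
        if (off + sizeof(struct load_command) > len) return NULL;
        const struct load_command *lc = (const struct load_command *)(img + off);
        if (lc->cmdsize < sizeof *lc || lc->cmdsize > len - off) return NULL;
        if (lc->cmd == LC_SEGMENT_64) {
            const struct segment_command_64 *sc = (const struct segment_command_64 *)lc;
            const struct section_64 *s = (const struct section_64 *)(sc + 1);
            for (uint32_t i = 0; i < sc->nsects; i++, s++) {
                if ((const uint8_t *)(s + 1) > img + off + lc->cmdsize) return NULL;
                if (!strncmp(s->segname, seg, 16) && !strncmp(s->sectname, sect, 16)) return s;
            }
        }
        off += lc->cmdsize;
    }
    return NULL;
}

/* 10.11 keeps const data in __DATA.__const; 10.12 moved it to a __CONST segment. */
static const struct section_64 *find_const_section(const uint8_t *img, size_t len)
{
    const struct section_64 *s = find_section(img, len, "__DATA", "__const");
    return s ? s : find_section(img, len, "__CONST", "__constdata"); /* assumed section name */
}

/* Scan the const section 8 bytes at a time for sig; on a hit, back off
 * 0x10 + 3 * 0x18 bytes exactly as the posted snippet does. Returns 0 on a miss. */
static uint64_t find_sysent_addr(const uint8_t *img, size_t len, const uint8_t sig[8])
{
    const struct section_64 *s = find_const_section(img, len);
    if (!s || s->offset > len || s->size > len - s->offset) return 0;
    const uint8_t *pos = img + s->offset;
    for (uint64_t i = 0; i + 8 <= s->size; i += 8)
        if (i >= 0x10 + 3 * 0x18 && !memcmp(pos + i, sig, 8))
            return s->addr + i - 0x10 - 3 * 0x18;
    return 0;
}

/* Constructed test data: a stand-in for SIG_SYSCALL_3, and an image with one
 * segment holding one 0x200-byte section at file offset 0x200, with the
 * signature planted at +0x100. sierra=1 uses the 10.12 segment/section names. */
#define IMG_LEN   0x400
#define SECT_ADDR 0xffffff8000a00000ull
static const uint8_t DEMO_SIG[8] = { 0x03, 0, 0, 0, 0, 0, 0, 0 };
static uint8_t *build_image(int sierra, const uint8_t sig[8])
{
    uint8_t *img = calloc(1, IMG_LEN);
    struct mach_header_64 *mh = (struct mach_header_64 *)img;
    struct segment_command_64 *sc = (struct segment_command_64 *)(img + sizeof *mh);
    struct section_64 *s = (struct section_64 *)(sc + 1);
    mh->magic = MH_MAGIC_64; mh->ncmds = 1;
    mh->sizeofcmds = sc->cmdsize = sizeof *sc + sizeof *s;
    sc->cmd = LC_SEGMENT_64; sc->nsects = 1;
    strncpy(sc->segname, sierra ? "__CONST" : "__DATA", 16);
    memcpy(s->segname, sc->segname, 16);
    strncpy(s->sectname, sierra ? "__constdata" : "__const", 16);
    s->addr = SECT_ADDR; s->size = 0x200; s->offset = 0x200;
    memcpy(img + s->offset + 0x100, sig, 8);
    return img;
}

/* Both layouts resolve to SECT_ADDR + 0x100 - 0x58 = 0xffffff8000a000a8. */
static uint64_t demo_layout(int sierra)
{
    uint8_t *img = build_image(sierra, DEMO_SIG);
    uint64_t addr = find_sysent_addr(img, IMG_LEN, DEMO_SIG);
    free(img);
    return addr;
}

int main(void)
{
    printf("10.11 layout: sysent @ 0x%llx\n", (unsigned long long)demo_layout(0));
    printf("10.12 layout: sysent @ 0x%llx\n", (unsigned long long)demo_layout(1));
    return 0;
}
```

On a real kernel the same lookup would be pointed at the mapped kernelcache or a memory dump, and the signature would be Joker's SIG_SYSCALL_3; the part that actually changed between 10.11 and 10.12 is only which segment/section name the lookup has to try, which is why the fallback is kept separate from the scan. Every bounds check in find_section matters once the input is an untrusted dump: a cmdsize or nsects that runs past the buffer is exactly what a crafted file would supply.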
