
Sierra documentation and debug kernel

PostPosted: Wed Jul 20, 2016 10:44 am
by Dipti
Hi,

I want to get a pointer to the syscall table in memory. The code that works on El Capitan fails to work on Sierra, and I am kind of stuck, as for Sierra neither a debug kernel version nor any documentation is available yet. Can you please give me some suggestions on how to proceed with this?

Also, I am looking for what's new in Sierra from an end-user as well as a developer point of view. Is there any official Apple page that has this information available?

Any suggestion would be of great help.

Thank you
Regards,
Dipti

Re: Sierra documentation and debug kernel

PostPosted: Wed Jul 20, 2016 10:58 am
by morpheus
Joker does exactly that, works on Sierra kernels, and is updated to show the whole syscall table. Though it is designed to work on dumps, it is open source and can easily be adapted to work on memory.

As for Apple documentation, I've no idea. I don't really follow it, or the lack of it.

Re: Sierra documentation and debug kernel

PostPosted: Thu Jul 21, 2016 7:05 am
by Dipti
Thanks for your reply. But I see that the Joker available for download has not been updated for Sierra and is for OS X 10.11.

After going through the Joker code, if I understand correctly, below is the code which calculates the pointer to the syscall table in memory.

/* Joker's sysent locator (as posted): find the kernel's __DATA.__const section,
   then scan it for the 8-byte signature of sysent entry 3 and back up to entry 0. */
struct section_64 *segDC = MachOGetSection((unsigned char *) "__DATA.__const");
if (segDC == NULL)          /* exactly what happens on Sierra: the section no longer exists */
    return;                 /* bail out instead of dereferencing NULL below */
uint32_t offset = segDC->offset;   /* file offset of the section; the original ternary on is64 picked the same field in both branches */
char *pos = mmapped + offset;
const int adv = 8;                 /* entries are 8-byte aligned, so step one qword at a time */
uint64_t i;

for (i = 0; i + 8 <= segDC->size; i += adv)   /* keep the 8-byte compare inside the section */
{
    if (memcmp(&pos[i], SIG_SYSCALL_3, 8) == 0)
    {
        // if (memcmp (&pos[i] + 0x18, SIG_SYSCALL_3, 8) == 0) printf("DOUBLE BINGO\n");
        /* The signature sits 0x10 bytes into entry 3 and each entry is 0x18 bytes,
           so entry 0 (the start of sysent) lies 0x10 + 3 * 0x18 bytes before the match. */
        sysent     = pos + i - 0x10 - (3 * 0x18);
        sysentAddr = segDC->addr + i - 0x10 - (3 * 0x18);
        // Can double check, since the same signature is also at +0x18 from here (entry 4).
        // Bingo!
        break;
    }
}


I had done something similar in my sample code, which works perfectly on 10.11. But it failed to find the __const section in the DATA segment on Sierra. The output of "otool -l" on Sierra shows that it does not have a __const section in the DATA segment.

Have you made any modifications to this Joker code to make it work on Sierra and get the sysent address? It would be helpful if you could give some guidelines. Thanks.

Re: Sierra documentation and debug kernel

PostPosted: Thu Jul 21, 2016 9:11 am
by Dipti
OK. I got it resolved. Sierra has introduced a new segment named __CONST.

Your Jtool was really useful in this research :). Thanks.
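The procedure worked out in this thread (look the constant-data region up in the Mach-O load commands, scan it for the entry-3 signature, back up to entry 0), with the Sierra change folded in as a fallback: if __DATA.__const is absent, the whole new __CONST segment is scanned instead. This is an added example written for this page, not Joker's or Jtool's own code. It assumes Joker's 64-bit sysent geometry (0x18-byte entries, the 8-byte signature at +0x10 of entry 3); because the thread gives no section name inside __CONST, it scans the segment by name rather than a section. The Mach-O structures are redeclared locally with the layout of <mach-o/loader.h> so it builds on any host, the sample image and SAMPLE_SIG are constructed (not taken from a real kernel), and find_region, find_sysent and the demo_* functions are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal Mach-O 64 structures, laid out exactly as in <mach-o/loader.h>. */
#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT_64 0x19u
struct mach_header_64 { uint32_t magic; int32_t cputype, cpusubtype; uint32_t filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command_64 { uint32_t cmd, cmdsize; char segname[16]; uint64_t vmaddr, vmsize, fileoff, filesize;
                            int32_t maxprot, initprot; uint32_t nsects, flags; };
struct section_64 { char sectname[16], segname[16]; uint64_t addr, size;
                    uint32_t offset, align, reloff, nreloc, flags, reserved1, reserved2, reserved3; };

/* Joker's layout assumptions for a 64-bit sysent table (constant names are this example's own). */
#define SYSENT_ENTRY_SIZE   0x18 /* sizeof(struct sysent) on x86_64 */
#define SIG_OFFSET_IN_ENTRY 0x10 /* the 8-byte signature sits this far into an entry */
#define SIG_ENTRY_INDEX     3    /* ...of entry number 3 */

struct region { uint64_t addr, fileoff, size; int found; };
struct hit    { uint64_t addr, fileoff; int found; };

/* Find a segment by name, or a section inside it when sectname is non-NULL.
   Every load command is bounds-checked against the image before it is dereferenced. */
static struct region find_region(const uint8_t *img, size_t len, const char *segname, const char *sectname)
{
    struct region r = {0, 0, 0, 0};
    const struct mach_header_64 *mh = (const struct mach_header_64 *)img;
    if (len < sizeof *mh || mh->magic != MH_MAGIC_64) return r;
    size_t off = sizeof *mh;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        if (off + sizeof(struct load_command) > len) return r;
        const struct load_command *lc = (const struct load_command *)(img + off);
        if (lc->cmdsize < sizeof *lc || lc->cmdsize > len - off) return r;          /* malformed command */
        if (lc->cmd == LC_SEGMENT_64 && lc->cmdsize >= sizeof(struct segment_command_64)) {
            const struct segment_command_64 *sg = (const struct segment_command_64 *)lc;
            if (strncmp(sg->segname, segname, 16) == 0) {
                if (!sectname) { r.addr = sg->vmaddr; r.fileoff = sg->fileoff; r.size = sg->filesize; r.found = 1; return r; }
                const struct section_64 *sc = (const struct section_64 *)(sg + 1);
                if ((lc->cmdsize - sizeof *sg) / sizeof *sc < sg->nsects) return r; /* nsects overruns the command */
                for (uint32_t j = 0; j < sg->nsects; j++)
                    if (strncmp(sc[j].sectname, sectname, 16) == 0) {
                        r.addr = sc[j].addr; r.fileoff = sc[j].offset; r.size = sc[j].size; r.found = 1; return r;
                    }
            }
        }
        off += lc->cmdsize;
    }
    return r;
}

/* Scan the constant-data region for the entry-3 signature and back up to entry 0.
   10.11 keeps sysent in __DATA.__const; on Sierra that data lives in the new __CONST segment. */
static struct hit find_sysent(const uint8_t *img, size_t len, const uint8_t sig[8])
{
    struct hit h = {0, 0, 0};
    struct region r = find_region(img, len, "__DATA", "__const");
    if (!r.found) r = find_region(img, len, "__CONST", NULL);
    if (!r.found || r.fileoff > len || r.size > len - r.fileoff) return h;   /* absent, or points outside the image */
    const uint64_t back = SIG_OFFSET_IN_ENTRY + SIG_ENTRY_INDEX * SYSENT_ENTRY_SIZE;
    for (uint64_t i = back; i + 8 <= r.size; i += 8)   /* start at 'back' so entry 0 never lands before the region */
        if (memcmp(img + r.fileoff + i, sig, 8) == 0) {
            h.fileoff = r.fileoff + i - back; h.addr = r.addr + i - back; h.found = 1;
            return h;
        }
    return h;
}

/* Constructed sample image (not a real kernel): one __CONST segment whose payload carries a
   fake sysent table at +0x200, with the signature placed where entry 3's field would be. */
static const uint8_t SAMPLE_SIG[8] = {0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00};
static uint8_t g_img[0x1400] __attribute__((aligned(16)));
static uint64_t g_expect_addr;

static size_t build_sample(int with_const_segment)
{
    const uint64_t vmaddr = 0xffffff8000800000ull;
    const uint32_t payload_off = 0x1000, seg_size = 0x400, table_off = 0x200;
    memset(g_img, 0, sizeof g_img);
    struct mach_header_64 mh = {MH_MAGIC_64, 0x01000007, 3, 2, with_const_segment,
                                with_const_segment ? sizeof(struct segment_command_64) : 0, 0, 0};
    memcpy(g_img, &mh, sizeof mh);
    if (with_const_segment) {
        struct segment_command_64 sg; memset(&sg, 0, sizeof sg);
        sg.cmd = LC_SEGMENT_64; sg.cmdsize = sizeof sg; memcpy(sg.segname, "__CONST", 8);
        sg.vmaddr = vmaddr; sg.vmsize = seg_size; sg.fileoff = payload_off; sg.filesize = seg_size;
        memcpy(g_img + sizeof mh, &sg, sizeof sg);
        memcpy(g_img + payload_off + table_off + SIG_ENTRY_INDEX * SYSENT_ENTRY_SIZE + SIG_OFFSET_IN_ENTRY, SAMPLE_SIG, 8);
    }
    g_expect_addr = vmaddr + table_off;
    return payload_off + seg_size;
}

/* 1 when the Sierra-style image resolves to the expected sysent address and file offset, else 0. */
int demo_sierra_layout(void)
{
    size_t len = build_sample(1);
    struct hit h = find_sysent(g_img, len, SAMPLE_SIG);
    return h.found && h.addr == g_expect_addr && h.fileoff == 0x1200;
}

/* 0 when neither __DATA.__const nor __CONST exists: the finder must report failure, not guess. */
int demo_no_const(void)
{
    return find_sysent(g_img, build_sample(0), SAMPLE_SIG).found;
}

int main(void)
{
    printf("Sierra layout: %s\n", demo_sierra_layout() ? "sysent found at the expected address" : "FAILED");
    printf("no __CONST:    %s\n", demo_no_const() ? "false positive" : "not found, as expected");
    return 0;
}
```

On a real kernel, replace the constructed image with an mmap of the kernel file (or a memory dump) and SAMPLE_SIG with the actual entry-3 signature; the double check the thread mentions (the same signature again at +0x18) is a cheap way to reject a chance match in a segment as large as __CONST.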