More Coming soon.
Note on compiling for iOS: I use the following shell script and call it "gcc-iphone":
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv7 -framework IOKit -framework CoreFoundation -F /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/System/Library/Frameworks -I /Developer/Platforms/iPhoneOS.platform/DeviceSupport/Latest/Symbols/usr/include -L /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/usr/lib -L /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/usr/lib/system "$@"
It is straightforward to change the SDK version (you could put that in a variable). This makes it easier to compile from the command line or a Makefile, rather than mucking around with Xcode projects.
- PBZX extractor and OTA update extractor for iOS OTA updates (q.v. this article).
- New (06/15/14): new version of lsock, demonstrating the use of Apple's ntstat (com.apple.network.statistics) to get per-process socket usage and bandwidth statistics. Grab the tar file here.
- inject: A simple (but darn useful) dylib injector for OS X x86_64, and now (6/1/15) with ARM64. PoC code - not meant to be stable, so people don't accuse me of spreading malware techniques. If you need an industrial grade version, drop me a line.
- bat: A simple battery statistics reader, using IOKit's IOPowerSource. Compiles neatly on iOS and OS X. Used in my Process Explorer
- jurpleConsole: Reconstructed source of Apple's "purple console" utility, allowing you to activate syslog_relay on your device (jailbroken or not) via lockdownd, and view the log on your Mac - as you would via Xcode.
- Listing 3-Filemon: Filemon: Demonstrating FSEvents on OS X and iOS
- Listing 4-5: DYLD interpose: demonstrating Linux's mtrace()-like functionality, using function interposing on malloc()
- Listing 6-Bonus: imagine: An img3 file format dumper, with a focus on device tree files. Mentioned in the book (outputs 6-6, 6-7).
- Listing 8-joker: Joker: The iOS kernelcache information tool. Used in the book in Chapter 8 and Chapter 18 (as kextcache), this tool is available for download as a tarball, along with source code. The tool will display the kernel's syscall table, Mach Traps, and kexts to stdout. Latest feature (Apr 2015) - iOS 8.x support and kext extraction! I keep on improving this tool, so check back often!
- Listing 12-1: vmmap(1) for iOS - including a fix for iOS 6. This all-too-valuable code (derived from GDB's "info regions") not only displays the use of the Mach VM APIs, but provides the breakdown of a process' VM space. Modified to include list of Mach-O images using DYLD APIs.
- Listing 17-1: lsock: netstat(1) clone offering real-time socket activity. Will also compile on iOS
- Listing 17-15 (expanded): Sample UTUN (User-mode tunnel). Will also compile on iOS
- Listing 17-25: BPF: Sample BPF filter. Will also compile on iOS
- Listing 18-1: Jkextstat: Improved kextstat(8) which will also compile on iOS
- Listing 19-3: Iterating over the I/O Registry
- Listing 19-4: As 19-3, with properties