source link: https://reverse.put.as/2012/01/10/a-mac-os-x-port-of-phracks-checkidt-util-by-kad-or-another-way-to-retrieve-sysent-address/

A Mac OS X port of Phrack’s CheckIDT util by kad, or another way to retrieve sysent address

This is an OS X port of kad’s checkidt utility, featured in Phrack #59. It requires /dev/kmem to be active, since task_for_pid on the kernel task has been prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very fail-proof because it uses the opcode hex values; disassembly is probably a better option. This is just a PoC written some time ago, so there are some ugly things inside. The concept for retrieving sysent is the following:

get idt -> get location of interrupt 0x80 -> get address of LO_UNIX_SCALL -> get address of unix_syscall -> get location of sysent
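
The first links of that chain, as an added example that is not the post's code or the checkidt source: decode 32-bit IDT gate descriptors, pull the handler address out of the int 0x80 gate, flag any present gate whose handler lies outside the kernel text range (the hook check a CheckIDT-style tool performs), and resolve a near relative call from the handler stub to its target. The IDT image, the kernel text bounds, the stub bytes and all addresses are constructed sample data; the assumption that the stub reaches unix_syscall via a direct E8 call is mine and mirrors the post's caveat about matching raw opcodes, and the final step (locating sysent inside unix_syscall) is not shown because the post does not give its byte pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDT_VECTORS 256
#define KTEXT_LO 0x00100000u   /* constructed kernel text range, not real XNU values */
#define KTEXT_HI 0x00400000u

/* 32-bit IDT gate descriptor as laid out in memory (Intel SDM, vol. 3). */
struct idt_gate32 {
    uint16_t offset_lo;    /* handler address bits 15:0  */
    uint16_t selector;     /* code segment selector      */
    uint8_t  zero;         /* reserved                   */
    uint8_t  type_attr;    /* P | DPL | S=0 | gate type  */
    uint16_t offset_hi;    /* handler address bits 31:16 */
} __attribute__((packed));
_Static_assert(sizeof(struct idt_gate32) == 8, "gate descriptor must be 8 bytes");

static uint32_t gate_handler(const struct idt_gate32 *g) {
    return ((uint32_t)g->offset_hi << 16) | g->offset_lo;
}
static int gate_present(const struct idt_gate32 *g) { return (g->type_attr & 0x80) != 0; }
static int gate_dpl(const struct idt_gate32 *g)     { return (g->type_attr >> 5) & 3; }
static int gate_type(const struct idt_gate32 *g)    { return g->type_attr & 0x0F; } /* 0xE int, 0xF trap */

/* Count present gates whose handler falls outside [lo, hi); *first_bad gets the
 * lowest offending vector, or -1. A gate pointing outside kernel text is the
 * classic sign of an IDT hook. */
static int count_hooked_gates(const struct idt_gate32 *idt, int n,
                              uint32_t lo, uint32_t hi, int *first_bad) {
    int bad = 0;
    *first_bad = -1;
    for (int v = 0; v < n; v++) {
        uint32_t h = gate_handler(&idt[v]);
        if (gate_present(&idt[v]) && (h < lo || h >= hi)) {
            if (*first_bad < 0) *first_bad = v;
            bad++;
        }
    }
    return bad;
}

/* Scan `code` (mapped at virtual address `base`) for the first 0xE8 byte and
 * resolve it as a near relative CALL: target = address of next instruction + rel32.
 * Byte matching without disassembly can hit an E8 inside another instruction,
 * which is exactly the fragility the post mentions. Returns 0 if nothing found. */
static uint32_t resolve_first_call(const uint8_t *code, size_t len, uint32_t base) {
    for (size_t off = 0; off + 5 <= len; off++) {
        if (code[off] != 0xE8) continue;
        int32_t rel;
        memcpy(&rel, code + off + 1, sizeof rel);   /* little-endian immediate */
        return base + (uint32_t)(off + 5) + (uint32_t)rel;
    }
    return 0;
}

/* Constructed IDT: all handlers inside kernel text, vector 0x80 a DPL3 trap gate
 * (user-callable, as a syscall gate would be), vector 0x2E redirected out of
 * kernel text to stand in for a hooked entry. */
static void build_sample_idt(struct idt_gate32 *idt) {
    for (int v = 0; v < IDT_VECTORS; v++) {
        uint32_t h = KTEXT_LO + 0x1000u + (uint32_t)v * 0x40u;
        idt[v].offset_lo = (uint16_t)(h & 0xFFFF);
        idt[v].selector  = 0x08;
        idt[v].zero      = 0;
        idt[v].type_attr = 0x8E;          /* present, DPL0, 32-bit interrupt gate */
        idt[v].offset_hi = (uint16_t)(h >> 16);
    }
    idt[0x80].type_attr = 0xEF;           /* present, DPL3, 32-bit trap gate */
    idt[0x2E].offset_lo = 0x0000;         /* handler 0x30000000: outside KTEXT */
    idt[0x2E].offset_hi = 0x3000;
}

/* Constructed stand-in for the LO_UNIX_SCALL stub at 0x00103000 (the sample
 * int 0x80 handler): a nop, then "call 0x00180000" encoded as E8 rel32. */
static const uint8_t sample_lo_unix_scall[] = { 0x90, 0xE8, 0xFA, 0xCF, 0x07, 0x00, 0xC3 };

int main(void) {
    struct idt_gate32 idt[IDT_VECTORS];
    int first;
    build_sample_idt(idt);
    uint32_t h80 = gate_handler(&idt[0x80]);
    printf("int 0x80 gate: handler=%#010x dpl=%d type=%#x\n",
           h80, gate_dpl(&idt[0x80]), gate_type(&idt[0x80]));
    printf("unix_syscall (first call from stub): %#010x\n",
           resolve_first_call(sample_lo_unix_scall, sizeof sample_lo_unix_scall, h80));
    int bad = count_hooked_gates(idt, IDT_VECTORS, KTEXT_LO, KTEXT_HI, &first);
    printf("gates outside kernel text: %d (first vector %#x)\n", bad, first);
    return 0;
}
```

On a live system the 256 descriptors would come from /dev/kmem at the base reported by `sidt`, and the text bounds from the kernel's own segment layout; the decoding and the range check do not change.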

Some of the information that the original code retrieves on Linux is meaningless on OS X. Maybe one of these days I will do a major cleanup; if you do it first, feel free to send it. The 64-bit code state is unknown and untested – my machines do not run 64-bit kernels.

Enjoy,
fG!

checkidtv1.2.c.gz
SHA256(checkidtv1.2.c.gz)= fe663c83c81c0db11e661f3bf2596a323dcc1df342941067c804eda94a5086c3
