#include <sys/snapshot.h>
#include <dlfcn.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <copyfile.h>
#include <spawn.h>
#include <sys/utsname.h>
#include <unistd.h>
#include <libgen.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <dirent.h>
#include <sys/sysctl.h>
#include <mach-o/dyld.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include "patchfinder64.h"
#include <kmem.h>
#include "CSCommon.h"

/* Kernel task port installed by set_tfp0(); MACH_PORT_NULL until then.
 * Every primitive in this file goes through this port, so none of them
 * can do useful work before set_tfp0() has been called. */
static mach_port_t tfp0=MACH_PORT_NULL;
/* Chunked kernel read/write, defined further down. Both return the number
 * of bytes transferred, which is less than `size` when a chunk fails, so
 * callers must compare the result against the requested size. Declared
 * here because the rk32/rk64/wk32/wk64 wrappers above them use them. */
size_t kread(uint64_t where, void *p, size_t size);
size_t kwrite(uint64_t where, const void *p, size_t size);

/* Install the kernel task port used by every primitive in this file.
 * Must be called before rk32/rk64/wk32/wk64/kread/kwrite/kmem_alloc.
 * The port is stored as given: no validation is performed here and no
 * additional port reference is taken, so the caller keeps ownership. */
void set_tfp0(mach_port_t port) {
    tfp0 = port;
}

/* Write one 32-bit value to kernel address `kaddr` through kwrite().
 * The byte count kwrite() returns is discarded, so a failed or short
 * write is only visible through kwrite()'s own diagnostics. */
void wk32(uint64_t kaddr, uint32_t val) {
    uint32_t tmp = val;
    (void)kwrite(kaddr, &tmp, sizeof tmp);
}
 
/* Write one 64-bit value to kernel address `kaddr` through kwrite().
 * The byte count kwrite() returns is discarded, so a failed or short
 * write is only visible through kwrite()'s own diagnostics. */
void wk64(uint64_t kaddr, uint64_t val) {
    uint64_t tmp = val;
    (void)kwrite(kaddr, &tmp, sizeof tmp);
}
 
/* Read one 32-bit value from kernel address `kaddr` through kread().
 * Returns 0 when kread() transfers fewer than sizeof(uint32_t) bytes, so
 * a zero result cannot be told apart from a genuine zero in memory;
 * callers that need to distinguish the two must use kread() directly. */
uint32_t rk32(uint64_t kaddr) {
    uint32_t out = 0;
    size_t got = kread(kaddr, &out, sizeof out);
    return (got == sizeof out) ? out : 0;
}
 
/* Read one 64-bit value from kernel address `kaddr` through kread().
 * Returns 0 when kread() transfers fewer than sizeof(uint64_t) bytes, so
 * a zero result cannot be told apart from a genuine zero in memory;
 * callers that need to distinguish the two must use kread() directly. */
uint64_t rk64(uint64_t kaddr) {
    uint64_t out = 0;
    size_t got = kread(kaddr, &out, sizeof out);
    return (got == sizeof out) ? out : 0;
}
 
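/* Allocate kernel memory through the installed task port.
 *
 * `size` is rounded up with round_page_kernel() before mach_vm_allocate()
 * is called with VM_FLAGS_ANYWHERE, so the region actually reserved is at
 * least that rounded size. Returns the kernel address of the region, or 0
 * when no task port has been installed via set_tfp0() or the allocation
 * fails. Nothing here frees the region; the caller owns it.
 *
 * Diagnostics go to stderr, matching kread()/kwrite(), instead of stdout
 * where the original put them; stdout may be buffered or redirected and
 * the message would be lost. */
uint64_t kmem_alloc(uint64_t size) {
    if (tfp0 == MACH_PORT_NULL) {
        fprintf(stderr, "attempt to allocate kernel memory before any kernel memory write primitives available\n");
        sleep(3);   /* kept from the original; presumably gives the user time to see the message */
        return 0;
    }

    mach_vm_address_t addr = 0;
    mach_vm_size_t ksize = round_page_kernel(size);
    kern_return_t err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE);
    if (err != KERN_SUCCESS) {
        /* kern_return_t is a signed int; cast so %x receives the unsigned it expects. */
        fprintf(stderr, "unable to allocate kernel memory via tfp0: %s %x\n",
                mach_error_string(err), (unsigned)err);
        sleep(3);
        return 0;
    }
    return addr;
}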

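/* Copy `size` bytes from kernel address `where` into `p`, in chunks of at
 * most 2048 bytes via mach_vm_read_overwrite() on the tfp0 port.
 *
 * Returns the number of bytes copied: `size` on success, fewer when a
 * chunk fails or reports zero bytes (an error is printed to stderr and
 * the loop stops), and 0 when no task port has been installed yet.
 * Callers must compare the result against `size`; the contents of `p`
 * past the returned count are not meaningful.
 *
 * The tfp0 guard is new: the original passed MACH_PORT_NULL straight to
 * mach_vm_read_overwrite(), unlike kwrite(), which already refuses. */
size_t kread(uint64_t where, void *p, size_t size)
{
    size_t offset = 0;

    if (tfp0 == MACH_PORT_NULL) {
        fprintf(stderr, "[e] attempt to read kernel memory before any kernel memory primitives available\n");
        return offset;
    }

    while (offset < size) {
        mach_vm_size_t got = 0;
        mach_vm_size_t chunk = 2048;
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        kern_return_t rv = mach_vm_read_overwrite(tfp0, where + offset, chunk,
                                                  (mach_vm_address_t)p + offset, &got);
        /* A successful call that moved zero bytes would never advance
         * `offset`, so it is treated as a failure to avoid spinning. */
        if (rv != KERN_SUCCESS || got == 0) {
            fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where));
            break;
        }
        offset += got;
    }
    return offset;
}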
 
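/* Copy `size` bytes from `p` to kernel address `where`, in chunks of at
 * most 2048 bytes via mach_vm_write() on the tfp0 port.
 *
 * Returns the number of bytes written: `size` on success, fewer when a
 * chunk fails (an error is printed to stderr and the loop stops; chunks
 * already written stay written), and 0 when no task port has been
 * installed yet. Callers must compare the result against `size`.
 *
 * The "no port" diagnostic now goes to stderr like the per-chunk error
 * below and kread(), instead of stdout, so it is not lost to buffering. */
size_t kwrite(uint64_t where, const void *p, size_t size)
{
    size_t offset = 0;

    if (tfp0 == MACH_PORT_NULL) {
        fprintf(stderr, "attempt to write to kernel memory before any kernel memory write primitives available\n");
        sleep(3);   /* kept from the original; presumably gives the user time to see the message */
        return offset;
    }

    while (offset < size) {
        size_t chunk = 2048;
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        kern_return_t rv = mach_vm_write(tfp0, where + offset,
                                         (mach_vm_offset_t)p + offset,
                                         (mach_msg_type_number_t)chunk);
        if (rv != KERN_SUCCESS) {
            fprintf(stderr, "[e] error writing kernel @%p\n", (void *)(offset + where));
            break;
        }
        /* mach_vm_write() returns no byte count, so the whole chunk is
         * counted whenever the call reports KERN_SUCCESS. */
        offset += chunk;
    }
    return offset;
}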