Revisiting Mac OS X Kernel Rootkits

Everything else is too old and outdated.

8000839818 D _nsysent

The location of sysent can be found by disassembling the kernel and using one of the three functions that reference it:
- unix_syscall
- unix_syscall64
- unix_syscall_return

For 10.
2 the sysent pointer will be located at 0xFFFFFF80008000D0 and the table at 0xFFFFFF8000855840. Landon Fuller's formula does not apply here.

8000846ed8 D _nsysent

Here sysent is located at 0xFFFFFF8000842A40. This confirms that Apple moves the pointer around between releases.
Notice that all the previous values are taken from the kernel on disk, so no kernel ASLR slide is included. The slide value will be disclosed whenever it is used in the examples. Another technique is described in The Mac Hacker's Handbook, released in 2009 and targeting Leopard. unix_syscall64 handles 64-bit syscalls entered via the SYSCALL instruction; unix_syscall handles 32-bit syscalls entered via SYSENTER (the path used on 32-bit systems).
These are just a few possibilities for retrieving a valid address inside the running kernel and then finding the start address of the kernel Mach-O header and the sysent location. This alternative is easier and does not allocate new memory in the target. Do not forget to restore the original memory permissions. After so many words you are probably asking why not use copyout to copy from kernel to userland? Chapter 7 of and Chapter 13 of thoroughly describe the execution process in case you are interested in every detail.
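The first sentence above describes the general recipe: take any valid address inside the running kernel, walk back to the kernel's Mach-O header, and use the header address to work out the ASLR slide that must be added to every on-disk value (such as the sysent addresses quoted earlier). The following C program is an added example, not code from the article: it performs that walk over a constructed, page-aligned user-space buffer standing in for the kernel image, then applies the computed slide to the on-disk sysent address 0xFFFFFF8000855840. The unslid base ASSUMED_DISK_BASE and all function names are assumptions of this example; in a real rootkit the walk runs over the kernel's own pages and the base comes from the __TEXT segment's vmaddr in the on-disk kernel.

```c
/* Added example, not from the original article: from any address inside a
 * loaded image, walk page by page downwards until the Mach-O 64-bit magic is
 * found, then use the header address to derive the kernel ASLR slide and
 * re-base on-disk addresses such as sysent. The image walked here is a
 * constructed user-space buffer; in a rootkit the same walk runs over the
 * kernel's own __TEXT pages. */
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MH_MAGIC_64  0xfeedfacfu   /* 64-bit Mach-O magic as stored in memory */
#define PAGE_4K      4096u

/* Unslid __TEXT base of the kernel Mach-O. This value is an assumption of the
 * example; the authoritative value is the vmaddr of the __TEXT segment in the
 * on-disk kernel's load commands. */
#define ASSUMED_DISK_BASE 0xFFFFFF8000200000ULL

/* Walk downwards from addr, one page at a time, looking for the Mach-O header.
 * Every page between a kernel address and the kernel header belongs to the
 * same image and is mapped, so reading them is safe in the kernel; max_pages
 * bounds the walk so this demo never reads outside its own buffer. */
const void *find_macho_header(const void *addr, size_t max_pages)
{
    uintptr_t p = (uintptr_t)addr & ~(uintptr_t)(PAGE_4K - 1);
    for (size_t i = 0; i < max_pages; i++, p -= PAGE_4K) {
        uint32_t magic;
        memcpy(&magic, (const void *)p, sizeof magic);
        if (magic == MH_MAGIC_64)
            return (const void *)p;
    }
    return NULL;
}

/* slide = where the header actually is minus where the file says it should be */
uint64_t compute_slide(uint64_t runtime_header, uint64_t disk_base)
{
    return runtime_header - disk_base;
}

/* Re-base any address taken from the on-disk kernel (nm, a disassembler). */
uint64_t slide_address(uint64_t disk_addr, uint64_t slide)
{
    return disk_addr + slide;
}

/* Constructed stand-in for the running kernel: a page-aligned buffer whose
 * first bytes carry the Mach-O magic, followed by zeroed pages of "code". */
void *make_fake_kernel(size_t pages)
{
    void *img = NULL;
    if (posix_memalign(&img, PAGE_4K, pages * PAGE_4K) != 0)
        return NULL;
    memset(img, 0, pages * PAGE_4K);
    uint32_t magic = MH_MAGIC_64;
    memcpy(img, &magic, sizeof magic);
    return img;
}

/* Build a 4-page image, pick an address deep inside it (as a leaked kernel
 * function pointer would be), and check the walk lands on the header.
 * Returns 1 on success, 0 on failure. */
int self_check(void)
{
    void *img = make_fake_kernel(4);
    if (img == NULL)
        return 0;
    const char *leaked = (const char *)img + 3 * PAGE_4K + 0x100;
    const void *hdr = find_macho_header(leaked, 8);
    int ok = (hdr == img);
    free(img);
    return ok;
}

int main(void)
{
    if (!self_check()) {
        puts("header walk failed");
        return 1;
    }
    /* Constructed runtime header 0x12000000 above the disk base; the slide is
     * then applied to the on-disk sysent address quoted in the text. */
    uint64_t runtime_header = ASSUMED_DISK_BASE + 0x12000000ULL;
    uint64_t slide = compute_slide(runtime_header, ASSUMED_DISK_BASE);
    printf("slide  = 0x%llx\n", (unsigned long long)slide);
    printf("sysent = 0x%llx\n",
           (unsigned long long)slide_address(0xFFFFFF8000855840ULL, slide));
    return 0;
}
```

The walk checks only the magic value; in a real kernel it is worth also confirming the header's filetype is MH_EXECUTE and that the first load command is a __TEXT segment before trusting the address, since a stray 0xfeedfacf inside data would otherwise produce a wrong slide and every rebased pointer, sysent included, would be off.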