#include "kernelcache.h"

Classes
struct	RebaseCtx

struct	BufCtx

Typedefs
typedef bool(*	OnRebaseFunc) (ut64 offset, ut64 decorated_addr, void *user_data)

Functions
static ut64	rebase_offset_to_paddr (RzXNUKernelCacheObj obj, struct section_t sections, ut64 offset)

static ut64	iterate_rebase_list (RzBuffer cache_buf, ut64 multiplier, ut64 start_offset, OnRebaseFunc func, void user_data)

static bool	on_rebase_pointer (ut64 offset, ut64 decorated_addr, void *user)

RZ_API bool	rz_xnu_kernelcache_buf_is_kernelcache (RzBuffer *b)

static void	rebase_info_populate (RzXNUKernelCacheRebaseInfo info, RzXNUKernelCacheObj obj)

static void	rebase_buffer (RzXNUKernelCacheObj obj, ut64 off, ut8 buf, ut64 count)

RZ_API bool	rz_xnu_kernelcache_parse_pointer (RzXNUKernelCacheParsedPointer ptr, ut64 decorated_addr, RzXNUKernelCacheObj obj)

static bool	buf_init (RzBuffer b, const void user)

static bool	buf_fini (RzBuffer *b)

static bool	buf_resize (RzBuffer *b, ut64 newsize)

static st64	buf_read (RzBuffer b, ut8 buf, ut64 len)

static st64	buf_write (RzBuffer b, const ut8 buf, ut64 len)

static ut64	buf_get_size (RzBuffer *b)

static st64	buf_seek (RzBuffer *b, st64 addr, int whence)

static ut8 *	buf_get_whole_buf (RzBuffer b, ut64 sz)

RZ_API RzBuffer *	rz_xnu_kernelcache_new_rebasing_buf (RzXNUKernelCacheObj *obj)

RZ_API bool	rz_xnu_kernelcache_needs_rebasing (RzXNUKernelCacheObj *obj)

Variables
static const RzBufferMethods	buf_methods

Typedef Documentation

◆ OnRebaseFunc

typedef bool(* OnRebaseFunc) (ut64 offset, ut64 decorated_addr, void *user_data)

Definition at line 8 of file kernelcache.c.

Function Documentation

◆ buf_fini()

static bool buf_fini ( RzBuffer * b )

static

Definition at line 255 of file kernelcache.c.

                                   {
     BufCtx *ctx = b->priv;
     free(ctx);
     return true;
 }

References b, and free().

◆ buf_get_size()

static ut64 buf_get_size ( RzBuffer * b )

static

Definition at line 287 of file kernelcache.c.

                                       {
     BufCtx *ctx = b->priv;
     return rz_buf_size(ctx->obj->cache_buf);
 }

References b, and rz_buf_size().

◆ buf_get_whole_buf()

static ut8* buf_get_whole_buf	(	RzBuffer *	b,
		ut64 *	sz
	)

static

Definition at line 297 of file kernelcache.c.

                                                      {
     BufCtx *ctx = b->priv;
     return (ut8 *)rz_buf_data(ctx->obj->cache_buf, sz);
 }

References b, and rz_buf_data().

◆ buf_init()

static bool buf_init	(	RzBuffer *	b,
		const void *	user
	)

static

Definition at line 245 of file kernelcache.c.

                                                     {
     BufCtx *ctx = RZ_NEW0(BufCtx);
     if (!ctx) {
         return false;
     }
     ctx->obj = (void *)user;
     b->priv = ctx;
     return true;
 }

References b, and RZ_NEW0.

◆ buf_read()

static st64 buf_read	(	RzBuffer *	b,
		ut8 *	buf,
		ut64	len
	)

static

Definition at line 266 of file kernelcache.c.

                                                       {
     BufCtx *ctx = b->priv;
     st64 r = rz_buf_read_at(ctx->obj->cache_buf, ctx->off, buf, len);
     if (r <= 0 || !len) {
         return r;
     }
     RzXNUKernelCacheObj *cache = ctx->obj;
     if (cache->mach0->chained_starts) {
         MACH0_(rebase_buffer)
         (ctx->obj->mach0, ctx->off, buf, RZ_MIN(r, len));
     } else if (cache->rebase_info) {
         rebase_buffer(cache, ctx->off, buf, RZ_MIN(r, len));
     }
     return r;
 }

References b, len, MACH0_, r, rebase_buffer(), rz_xnu_kernelcache_obj_t::rebase_info, rz_buf_read_at(), RZ_MIN, and st64.

◆ buf_resize()

static bool buf_resize	(	RzBuffer *	b,
		ut64	newsize
	)

static

Definition at line 261 of file kernelcache.c.

                                                   {
     BufCtx *ctx = b->priv;
     return rz_buf_resize(ctx->obj->cache_buf, newsize);
 }

References b, and rz_buf_resize().

◆ buf_seek()

static st64 buf_seek	(	RzBuffer *	b,
		st64	addr,
		int	whence
	)

static

Definition at line 292 of file kernelcache.c.

                                                          {
     BufCtx *ctx = b->priv;
     return ctx->off = rz_seek_offset(ctx->off, rz_buf_size(b), addr, whence);
 }

References addr, b, rz_buf_size(), and rz_seek_offset().

◆ buf_write()

static st64 buf_write	(	RzBuffer *	b,
		const ut8 *	buf,
		ut64	len
	)

static

Definition at line 282 of file kernelcache.c.

                                                              {
     BufCtx *ctx = b->priv;
     return rz_buf_write_at(ctx->obj->cache_buf, ctx->off, buf, len);
 }

References b, len, and rz_buf_write_at().

◆ iterate_rebase_list()

static ut64 iterate_rebase_list	(	RzBuffer *	cache_buf,
		ut64	multiplier,
		ut64	start_offset,
		OnRebaseFunc	func,
		void *	user_data
	)

static

Definition at line 93 of file kernelcache.c.

                                                                                                                              {
     ut8 bytes[8];
     ut64 cursor = start_offset;
  
     while (true) {
         if (rz_buf_read_at(cache_buf, cursor, bytes, 8) < 8) {
             return UT64_MAX;
         }
  
         ut64 decorated_addr = rz_read_le64(bytes);
  
         if (func) {
             bool carry_on = func(cursor, decorated_addr, user_data);
             if (!carry_on) {
                 break;
             }
         }
  
         ut64 delta = ((decorated_addr >> 51) & 0x7ff) * multiplier;
         if (delta == 0) {
             break;
         }
         cursor += delta;
     }
  
     return cursor;
 }

References bytes, delta, rz_buf_read_at(), rz_read_le64(), ut64(), and UT64_MAX.

Referenced by rebase_buffer(), and rebase_info_populate().

◆ on_rebase_pointer()

static bool on_rebase_pointer	(	ut64	offset,
		ut64	decorated_addr,
		void *	user
	)

static

Definition at line 197 of file kernelcache.c.

                                                                             {
     RebaseCtx *ctx = user;
     if (offset < ctx->off) {
         return true;
     }
     if (offset >= ctx->eob) {
         return false;
     }
     ut64 in_buf = offset - ctx->off;
     if (in_buf >= ctx->count || (in_buf + 8) > ctx->count) {
         return false;
     }
  
     RzXNUKernelCacheParsedPointer ptr;
     rz_xnu_kernelcache_parse_pointer(&ptr, decorated_addr, ctx->obj);
  
     rz_write_le64(&ctx->buf[in_buf], ptr.address);
  
     return true;
 }

References rz_xnu_kernelcache_parsed_pointer_t::address, in_buf, off, rz_write_le64(), rz_xnu_kernelcache_parse_pointer(), and ut64().

Referenced by rebase_buffer().

◆ rebase_buffer()

static void rebase_buffer	(	RzXNUKernelCacheObj *	obj,
		ut64	off,
		ut8 *	buf,
		ut64	count
	)

static

Definition at line 169 of file kernelcache.c.

                                                                                     {
     if (obj->rebasing_buffer) {
         return;
     }
     obj->rebasing_buffer = true;
  
     rebase_info_populate(obj->rebase_info, obj);
  
     ut64 eob = off + count;
     int i = 0;
     RebaseCtx ctx;
     ctx.off = off;
     ctx.eob = eob;
     ctx.buf = buf;
     ctx.count = count;
     ctx.obj = obj;
  
     for (; i < obj->rebase_info->n_ranges; i++) {
         ut64 start = obj->rebase_info->ranges[i].offset;
         ut64 end = start + obj->rebase_info->ranges[i].size;
         if (end >= off && start <= eob) {
             iterate_rebase_list(obj->cache_buf, obj->rebase_info->multiplier, start, on_rebase_pointer, &ctx);
         }
     }
  
     obj->rebasing_buffer = false;
 }

References rz_xnu_kernelcache_obj_t::cache_buf, count, test_evm::end, i, iterate_rebase_list(), rz_xnu_kernelcache_rebase_info_t::multiplier, rz_xnu_kernelcache_rebase_info_t::n_ranges, off, rz_xnu_kernelcache_file_range_t::offset, on_rebase_pointer(), rz_xnu_kernelcache_rebase_info_t::ranges, rz_xnu_kernelcache_obj_t::rebase_info, rebase_info_populate(), rz_xnu_kernelcache_obj_t::rebasing_buffer, rz_xnu_kernelcache_file_range_t::size, start, and ut64().

Referenced by buf_read().

◆ rebase_info_populate()

static void rebase_info_populate	(	RzXNUKernelCacheRebaseInfo *	info,
		RzXNUKernelCacheObj *	obj
	)

static

Definition at line 121 of file kernelcache.c.

                                                                                              {
     struct section_t *sections = NULL;
     int i = 0;
  
     if (obj->rebase_info_populated) {
         return;
     }
     obj->rebase_info_populated = true;
  
     for (; i < info->n_ranges; i++) {
         if (info->ranges[i].size != UT64_MAX) {
             goto cleanup;
         } else if (sections == NULL) {
             if (!(sections = MACH0_(get_sections)(obj->mach0))) {
                 return;
             }
         }
         info->ranges[i].offset = rebase_offset_to_paddr(obj, sections, info->ranges[i].offset);
         ut64 end = iterate_rebase_list(obj->cache_buf, info->multiplier, info->ranges[i].offset, NULL, NULL);
         if (end != UT64_MAX) {
             info->ranges[i].size = end - info->ranges[i].offset + 8;
         } else {
             info->ranges[i].size = 0;
         }
     }
  
 cleanup:
     RZ_FREE(sections);
 }

References rz_xnu_kernelcache_obj_t::cache_buf, cleanup(), test_evm::end, get_sections(), i, info(), iterate_rebase_list(), MACH0_, NULL, rz_xnu_kernelcache_obj_t::rebase_info_populated, rebase_offset_to_paddr(), RZ_FREE, sections(), ut64(), and UT64_MAX.

Referenced by rebase_buffer().

◆ rebase_offset_to_paddr()

static ut64 rebase_offset_to_paddr	(	RzXNUKernelCacheObj *	obj,
		struct section_t *	sections,
		ut64	offset
	)

static

Definition at line 151 of file kernelcache.c.

                                                                                                       {
     ut64 vaddr = obj->rebase_info->kernel_base + offset;
     int i = 0;
     for (; !sections[i].last; i++) {
         if (sections[i].addr <= vaddr && vaddr < (sections[i].addr + sections[i].vsize)) {
             return sections[i].offset + (vaddr - sections[i].addr);
         }
     }
     return offset;
 }

References addr, i, rz_xnu_kernelcache_rebase_info_t::kernel_base, rz_xnu_kernelcache_obj_t::rebase_info, sections(), ut64(), and section_t::vsize.

Referenced by rebase_info_populate().

◆ rz_xnu_kernelcache_buf_is_kernelcache()

RZ_API bool rz_xnu_kernelcache_buf_is_kernelcache ( RzBuffer * b )

Definition at line 13 of file kernelcache.c.

                                                                {
     ut64 length = rz_buf_size(b);
     if (length < sizeof(struct MACH0_(mach_header))) {
         return false;
     }
     ut32 cputype;
     if (!rz_buf_read_le32_at(b, 4, &cputype)) {
         return false;
     }
     if (cputype != CPU_TYPE_ARM64) {
         return false;
     }
     ut32 filetype;
     if (!rz_buf_read_le32_at(b, 12, &filetype)) {
         return false;
     }
     if (filetype == MH_FILESET) {
         return true;
     }
     ut32 flags;
     if (!rz_buf_read_le32_at(b, 24, &flags)) {
         return false;
     }
     if (!(flags & MH_PIE)) {
         return false;
     }
     ut32 ncmds;
     if (!rz_buf_read_le32_at(b, 16, &ncmds)) {
         return false;
     }
     bool has_unixthread = false;
     bool has_negative_vaddr = false;
     bool has_kext = false;
  
     ut32 cursor = sizeof(struct MACH0_(mach_header));
     for (size_t i = 0; i < ncmds && cursor < length; i++) {
  
         ut32 cmdtype;
         if (!rz_buf_read_le32_at(b, cursor, &cmdtype)) {
             return false;
         }
  
         ut32 cmdsize;
         if (!rz_buf_read_le32_at(b, cursor + 4, &cmdsize)) {
             return false;
         }
  
         switch (cmdtype) {
         case LC_KEXT:
             has_kext = true;
             break;
         case LC_UNIXTHREAD:
             has_unixthread = true;
             break;
         case LC_LOAD_DYLIB:
         case LC_LOAD_WEAK_DYLIB:
         case LC_LAZY_LOAD_DYLIB:
             return false;
         case LC_SEGMENT_64: {
             if (has_negative_vaddr) {
                 break;
             }
             ut64 tmp;
             if (!rz_buf_read_le64_at(b, cursor + 24, &tmp)) {
                 return false;
             }
  
             st64 vmaddr = convert_to_two_complement_64(tmp);
             if (vmaddr < 0) {
                 has_negative_vaddr = true;
             }
         } break;
         }
  
         cursor += cmdsize;
     }
  
     return has_kext || (has_unixthread && has_negative_vaddr);
 }

References b, CPU_TYPE_ARM64, flags, i, LC_KEXT, LC_LAZY_LOAD_DYLIB, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_SEGMENT_64, LC_UNIXTHREAD, length, MACH0_, MH_FILESET, MH_PIE, rz_buf_read_le32_at, rz_buf_read_le64_at, rz_buf_size(), st64, autogen_x86imm::tmp, and ut64().

Referenced by check_buffer().

◆ rz_xnu_kernelcache_needs_rebasing()

RZ_API bool rz_xnu_kernelcache_needs_rebasing ( RzXNUKernelCacheObj * obj )

Definition at line 317 of file kernelcache.c.

                                                                         {
     return obj->rebase_info || obj->mach0->chained_starts;
 }

References rz_xnu_kernelcache_obj_t::rebase_info.

◆ rz_xnu_kernelcache_new_rebasing_buf()

RZ_API RzBuffer* rz_xnu_kernelcache_new_rebasing_buf ( RzXNUKernelCacheObj * obj )

Definition at line 313 of file kernelcache.c.

                                                                                {
     return rz_buf_new_with_methods(&buf_methods, obj);
 }

References buf_methods, and rz_buf_new_with_methods().

◆ rz_xnu_kernelcache_parse_pointer()

RZ_API bool rz_xnu_kernelcache_parse_pointer	(	RzXNUKernelCacheParsedPointer *	ptr,
		ut64	decorated_addr,
		RzXNUKernelCacheObj *	obj
	)

Definition at line 218 of file kernelcache.c.

                                                                                                                                 {
     /*
      * Logic taken from:
      * https://github.com/Synacktiv/kernelcache-laundering/blob/master/ios12_kernel_cache_helper.py
      */
  
     if ((decorated_addr & 0x4000000000000000LL) == 0 && obj->rebase_info) {
         if (decorated_addr & 0x8000000000000000LL) {
             ptr->address = obj->rebase_info->kernel_base + (decorated_addr & 0xFFFFFFFFLL);
         } else {
             ptr->address = ((decorated_addr << 13) & 0xFF00000000000000LL) | (decorated_addr & 0x7ffffffffffLL);
             if (decorated_addr & 0x40000000000LL) {
                 ptr->address |= 0xfffc0000000000LL;
             }
         }
     } else {
         ptr->address = decorated_addr;
     }
  
     return true;
 }

References rz_xnu_kernelcache_parsed_pointer_t::address, rz_xnu_kernelcache_rebase_info_t::kernel_base, and rz_xnu_kernelcache_obj_t::rebase_info.

Referenced by on_rebase_pointer(), and p_ptr().

Variable Documentation

◆ buf_methods

const RzBufferMethods buf_methods

static

Initial value:

= {
    .init = buf_init,
    .fini = buf_fini,
    .read = buf_read,
    .write = buf_write,
    .get_size = buf_get_size,
    .resize = buf_resize,
    .seek = buf_seek,
    .get_whole_buf = buf_get_whole_buf
}

Definition at line 302 of file kernelcache.c.

Referenced by rz_xnu_kernelcache_new_rebasing_buf().

Classes

Typedefs

Functions

Variables

Typedef Documentation

◆ OnRebaseFunc

Function Documentation

◆ buf_fini()

◆ buf_get_size()

◆ buf_get_whole_buf()

◆ buf_init()

◆ buf_read()

◆ buf_resize()

◆ buf_seek()

◆ buf_write()

◆ iterate_rebase_list()

◆ on_rebase_pointer()

◆ rebase_buffer()

◆ rebase_info_populate()

◆ rebase_offset_to_paddr()

◆ rz_xnu_kernelcache_buf_is_kernelcache()

◆ rz_xnu_kernelcache_needs_rebasing()

◆ rz_xnu_kernelcache_new_rebasing_buf()

◆ rz_xnu_kernelcache_parse_pointer()

Variable Documentation

◆ buf_methods