rz-bindgen/doxygen/kernelcache_8c_source.html

 // SPDX-FileCopyrightText: 2021 Florian Märkl <info@florianmaerkl.de>

 // SPDX-FileCopyrightText: 2019-2020 Francesco Tamagni <mrmacete@protonmail.ch>

 // SPDX-FileCopyrightText: 2019 pancake <pancake@nopcode.org>

 // SPDX-License-Identifier: LGPL-3.0-only


 #include "kernelcache.h"


 typedef bool (*OnRebaseFunc)(ut64 offset, ut64 decorated_addr, void *user_data);

 static ut64 rebase_offset_to_paddr(RzXNUKernelCacheObj *obj, struct section_t *sections, ut64 offset);

 static ut64 iterate_rebase_list(RzBuffer *cache_buf, ut64 multiplier, ut64 start_offset, OnRebaseFunc func, void *user_data);

 static bool on_rebase_pointer(ut64 offset, ut64 decorated_addr, void *user);


 RZ_API bool rz_xnu_kernelcache_buf_is_kernelcache(RzBuffer *b) {

     ut64 length = rz_buf_size(b);

     if (length < sizeof(struct MACH0_(mach_header))) {

         return false;

     }

     ut32 cputype;

     if (!rz_buf_read_le32_at(b, 4, &cputype)) {

         return false;

     }

     if (cputype != CPU_TYPE_ARM64) {

         return false;

     }

     ut32 filetype;

     if (!rz_buf_read_le32_at(b, 12, &filetype)) {

         return false;

     }

     if (filetype == MH_FILESET) {

         return true;

     }

     ut32 flags;

     if (!rz_buf_read_le32_at(b, 24, &flags)) {

         return false;

     }

     if (!(flags & MH_PIE)) {

         return false;

     }

     ut32 ncmds;

     if (!rz_buf_read_le32_at(b, 16, &ncmds)) {

         return false;

     }

     bool has_unixthread = false;

     bool has_negative_vaddr = false;

     bool has_kext = false;


     ut32 cursor = sizeof(struct MACH0_(mach_header));

     for (size_t i = 0; i < ncmds && cursor < length; i++) {


         ut32 cmdtype;

         if (!rz_buf_read_le32_at(b, cursor, &cmdtype)) {

             return false;

         }


         ut32 cmdsize;

         if (!rz_buf_read_le32_at(b, cursor + 4, &cmdsize)) {

             return false;

         }


         switch (cmdtype) {

         case LC_KEXT:

             has_kext = true;

             break;

         case LC_UNIXTHREAD:

             has_unixthread = true;

             break;

         case LC_LOAD_DYLIB:

         case LC_LOAD_WEAK_DYLIB:

         case LC_LAZY_LOAD_DYLIB:

             return false;

         case LC_SEGMENT_64: {

             if (has_negative_vaddr) {

                 break;

             }

             ut64 tmp;

             if (!rz_buf_read_le64_at(b, cursor + 24, &tmp)) {

                 return false;

             }


             st64 vmaddr = convert_to_two_complement_64(tmp);

             if (vmaddr < 0) {

                 has_negative_vaddr = true;

             }

         } break;

         }


         cursor += cmdsize;

     }


     return has_kext || (has_unixthread && has_negative_vaddr);

 }


 static ut64 iterate_rebase_list(RzBuffer *cache_buf, ut64 multiplier, ut64 start_offset, OnRebaseFunc func, void *user_data) {

     ut8 bytes[8];

     ut64 cursor = start_offset;


     while (true) {

         if (rz_buf_read_at(cache_buf, cursor, bytes, 8) < 8) {

             return UT64_MAX;

         }


         ut64 decorated_addr = rz_read_le64(bytes);


         if (func) {

             bool carry_on = func(cursor, decorated_addr, user_data);

             if (!carry_on) {

                 break;

             }

         }


         ut64 delta = ((decorated_addr >> 51) & 0x7ff) * multiplier;

         if (delta == 0) {

             break;

         }

         cursor += delta;

     }


     return cursor;

 }


 static void rebase_info_populate(RzXNUKernelCacheRebaseInfo *info, RzXNUKernelCacheObj *obj) {

     struct section_t *sections = NULL;

     int i = 0;


     if (obj->rebase_info_populated) {

         return;

     }

     obj->rebase_info_populated = true;


     for (; i < info->n_ranges; i++) {

         if (info->ranges[i].size != UT64_MAX) {

             goto cleanup;

         } else if (sections == NULL) {

             if (!(sections = MACH0_(get_sections)(obj->mach0))) {

                 return;

             }

         }

         info->ranges[i].offset = rebase_offset_to_paddr(obj, sections, info->ranges[i].offset);

         ut64 end = iterate_rebase_list(obj->cache_buf, info->multiplier, info->ranges[i].offset, NULL, NULL);

         if (end != UT64_MAX) {

             info->ranges[i].size = end - info->ranges[i].offset + 8;

         } else {

             info->ranges[i].size = 0;

         }

     }


 cleanup:

     RZ_FREE(sections);

 }


 static ut64 rebase_offset_to_paddr(RzXNUKernelCacheObj *obj, struct section_t *sections, ut64 offset) {

     ut64 vaddr = obj->rebase_info->kernel_base + offset;

     int i = 0;

     for (; !sections[i].last; i++) {

         if (sections[i].addr <= vaddr && vaddr < (sections[i].addr + sections[i].vsize)) {

             return sections[i].offset + (vaddr - sections[i].addr);

         }

     }

     return offset;

 }


 typedef struct {

     ut64 off, eob;

     ut8 *buf;

     int count;

     RzXNUKernelCacheObj *obj;

 } RebaseCtx;


 static void rebase_buffer(RzXNUKernelCacheObj *obj, ut64 off, ut8 *buf, ut64 count) {

     if (obj->rebasing_buffer) {

         return;

     }

     obj->rebasing_buffer = true;


     rebase_info_populate(obj->rebase_info, obj);


     ut64 eob = off + count;

     int i = 0;

     RebaseCtx ctx;

     ctx.off = off;

     ctx.eob = eob;

     ctx.buf = buf;

     ctx.count = count;

     ctx.obj = obj;


     for (; i < obj->rebase_info->n_ranges; i++) {

         ut64 start = obj->rebase_info->ranges[i].offset;

         ut64 end = start + obj->rebase_info->ranges[i].size;

         if (end >= off && start <= eob) {

             iterate_rebase_list(obj->cache_buf, obj->rebase_info->multiplier, start, on_rebase_pointer, &ctx);

         }

     }


     obj->rebasing_buffer = false;

 }


 static bool on_rebase_pointer(ut64 offset, ut64 decorated_addr, void *user) {

     RebaseCtx *ctx = user;

     if (offset < ctx->off) {

         return true;

     }

     if (offset >= ctx->eob) {

         return false;

     }

     ut64 in_buf = offset - ctx->off;

     if (in_buf >= ctx->count || (in_buf + 8) > ctx->count) {

         return false;

     }


     RzXNUKernelCacheParsedPointer ptr;

     rz_xnu_kernelcache_parse_pointer(&ptr, decorated_addr, ctx->obj);


     rz_write_le64(&ctx->buf[in_buf], ptr.address);


     return true;

 }


 RZ_API bool rz_xnu_kernelcache_parse_pointer(RzXNUKernelCacheParsedPointer *ptr, ut64 decorated_addr, RzXNUKernelCacheObj *obj) {

     /*

      * Logic taken from:

      * https://github.com/Synacktiv/kernelcache-laundering/blob/master/ios12_kernel_cache_helper.py

      */


     if ((decorated_addr & 0x4000000000000000LL) == 0 && obj->rebase_info) {

         if (decorated_addr & 0x8000000000000000LL) {

             ptr->address = obj->rebase_info->kernel_base + (decorated_addr & 0xFFFFFFFFLL);

         } else {

             ptr->address = ((decorated_addr << 13) & 0xFF00000000000000LL) | (decorated_addr & 0x7ffffffffffLL);

             if (decorated_addr & 0x40000000000LL) {

                 ptr->address |= 0xfffc0000000000LL;

             }

         }

     } else {

         ptr->address = decorated_addr;

     }


     return true;

 }


 typedef struct {

     RzXNUKernelCacheObj *obj;

     ut64 off;

 } BufCtx;


 static bool buf_init(RzBuffer *b, const void *user) {

     BufCtx *ctx = RZ_NEW0(BufCtx);

     if (!ctx) {

         return false;

     }

     ctx->obj = (void *)user;

     b->priv = ctx;

     return true;

 }


 static bool buf_fini(RzBuffer *b) {

     BufCtx *ctx = b->priv;

     free(ctx);

     return true;

 }


 static bool buf_resize(RzBuffer *b, ut64 newsize) {

     BufCtx *ctx = b->priv;

     return rz_buf_resize(ctx->obj->cache_buf, newsize);

 }


 static st64 buf_read(RzBuffer *b, ut8 *buf, ut64 len) {

     BufCtx *ctx = b->priv;

     st64 r = rz_buf_read_at(ctx->obj->cache_buf, ctx->off, buf, len);

     if (r <= 0 || !len) {

         return r;

     }

     RzXNUKernelCacheObj *cache = ctx->obj;

     if (cache->mach0->chained_starts) {

         MACH0_(rebase_buffer)

         (ctx->obj->mach0, ctx->off, buf, RZ_MIN(r, len));

     } else if (cache->rebase_info) {

         rebase_buffer(cache, ctx->off, buf, RZ_MIN(r, len));

     }

     return r;

 }


 static st64 buf_write(RzBuffer *b, const ut8 *buf, ut64 len) {

     BufCtx *ctx = b->priv;

     return rz_buf_write_at(ctx->obj->cache_buf, ctx->off, buf, len);

 }


 static ut64 buf_get_size(RzBuffer *b) {

     BufCtx *ctx = b->priv;

     return rz_buf_size(ctx->obj->cache_buf);

 }


 static st64 buf_seek(RzBuffer *b, st64 addr, int whence) {

     BufCtx *ctx = b->priv;

     return ctx->off = rz_seek_offset(ctx->off, rz_buf_size(b), addr, whence);

 }


 static ut8 *buf_get_whole_buf(RzBuffer *b, ut64 *sz) {

     BufCtx *ctx = b->priv;

     return (ut8 *)rz_buf_data(ctx->obj->cache_buf, sz);

 }


 static const RzBufferMethods buf_methods = {

     .init = buf_init,

     .fini = buf_fini,

     .read = buf_read,

     .write = buf_write,

     .get_size = buf_get_size,

     .resize = buf_resize,

     .seek = buf_seek,

     .get_whole_buf = buf_get_whole_buf

 };


 RZ_API RzBuffer *rz_xnu_kernelcache_new_rebasing_buf(RzXNUKernelCacheObj *obj) {

     return rz_buf_new_with_methods(&buf_methods, obj);

 }


 RZ_API bool rz_xnu_kernelcache_needs_rebasing(RzXNUKernelCacheObj *obj) {

     return obj->rebase_info || obj->mach0->chained_starts;

 }

len
size_t len
Definition: 6502dis.c:15

i
lzma_index ** i
Definition: index.h:629

bytes
static ut8 bytes[32]
Definition: asm_arc.c:23

info
RzBinInfo * info(RzBinFile *bf)
Definition: bin_ne.c:86

sections
RzList * sections(RzBinFile *bf)
Definition: bin_ne.c:110

in_buf
static io_buf in_buf
Input and output buffers.
Definition: coder.c:39

RZ_API
#define RZ_API
Definition: core_plugin_example.c:36

NULL
#define NULL
Definition: cris-opc.c:27

r
#define r
Definition: crypto_rc6.c:12

count
static static sync static getppid static getegid const char static filename char static len const char char static bufsiz static mask static vfork const void static prot static getpgrp const char static swapflags static arg static fd static protocol static who struct sockaddr static addrlen static backlog struct timeval struct timezone static tz const struct iovec static count static mode const void const struct sockaddr static tolen const char static pathname void count
Definition: sflib.h:98

start
static static sync static getppid static getegid const char static filename char static len const char char static bufsiz static mask static vfork const void static prot static getpgrp const char static swapflags static arg static fd static protocol static who struct sockaddr static addrlen static backlog struct timeval struct timezone static tz const struct iovec static count static mode const void const struct sockaddr static tolen const char static pathname void static offset struct stat static buf void long static basep static whence static length const void static len static semflg const void static shmflg const struct timespec struct timespec static rem const char static group const void start
Definition: sflib.h:133

length
static static sync static getppid static getegid const char static filename char static len const char char static bufsiz static mask static vfork const void static prot static getpgrp const char static swapflags static arg static fd static protocol static who struct sockaddr static addrlen static backlog struct timeval struct timezone static tz const struct iovec static count static mode const void const struct sockaddr static tolen const char static pathname void static offset struct stat static buf void long static basep static whence static length const void static len static semflg const void static shmflg const struct timespec struct timespec static rem const char static group const void length
Definition: sflib.h:133

ut32
uint32_t ut32
Definition: demangler_util.h:31

cleanup
void cleanup(void)
Definition: enough.c:244

free
RZ_API void Ht_() free(HtName_(Ht) *ht)
Definition: ht_inc.c:130

offset
voidpf uLong offset
Definition: ioapi.h:144

buf
voidpf void * buf
Definition: ioapi.h:138

buf_get_whole_buf
static ut8 * buf_get_whole_buf(RzBuffer *b, ut64 *sz)
Definition: kernelcache.c:297

rebase_offset_to_paddr
static ut64 rebase_offset_to_paddr(RzXNUKernelCacheObj *obj, struct section_t *sections, ut64 offset)
Definition: kernelcache.c:151

buf_get_size
static ut64 buf_get_size(RzBuffer *b)
Definition: kernelcache.c:287

rebase_buffer
static void rebase_buffer(RzXNUKernelCacheObj *obj, ut64 off, ut8 *buf, ut64 count)
Definition: kernelcache.c:169

rebase_info_populate
static void rebase_info_populate(RzXNUKernelCacheRebaseInfo *info, RzXNUKernelCacheObj *obj)
Definition: kernelcache.c:121

buf_seek
static st64 buf_seek(RzBuffer *b, st64 addr, int whence)
Definition: kernelcache.c:292

buf_write
static st64 buf_write(RzBuffer *b, const ut8 *buf, ut64 len)
Definition: kernelcache.c:282

rz_xnu_kernelcache_new_rebasing_buf
RZ_API RzBuffer * rz_xnu_kernelcache_new_rebasing_buf(RzXNUKernelCacheObj *obj)
Definition: kernelcache.c:313

buf_read
static st64 buf_read(RzBuffer *b, ut8 *buf, ut64 len)
Definition: kernelcache.c:266

rz_xnu_kernelcache_needs_rebasing
RZ_API bool rz_xnu_kernelcache_needs_rebasing(RzXNUKernelCacheObj *obj)
Definition: kernelcache.c:317

buf_fini
static bool buf_fini(RzBuffer *b)
Definition: kernelcache.c:255

rz_xnu_kernelcache_parse_pointer
RZ_API bool rz_xnu_kernelcache_parse_pointer(RzXNUKernelCacheParsedPointer *ptr, ut64 decorated_addr, RzXNUKernelCacheObj *obj)
Definition: kernelcache.c:218

buf_methods
static const RzBufferMethods buf_methods
Definition: kernelcache.c:302

on_rebase_pointer
static bool on_rebase_pointer(ut64 offset, ut64 decorated_addr, void *user)
Definition: kernelcache.c:197

iterate_rebase_list
static ut64 iterate_rebase_list(RzBuffer *cache_buf, ut64 multiplier, ut64 start_offset, OnRebaseFunc func, void *user_data)
Definition: kernelcache.c:93

buf_resize
static bool buf_resize(RzBuffer *b, ut64 newsize)
Definition: kernelcache.c:261

buf_init
static bool buf_init(RzBuffer *b, const void *user)
Definition: kernelcache.c:245

OnRebaseFunc
bool(* OnRebaseFunc)(ut64 offset, ut64 decorated_addr, void *user_data)
Definition: kernelcache.c:8

rz_xnu_kernelcache_buf_is_kernelcache
RZ_API bool rz_xnu_kernelcache_buf_is_kernelcache(RzBuffer *b)
Definition: kernelcache.c:13

kernelcache.h

ut8
uint8_t ut8
Definition: lh5801.h:11

get_sections
struct section_t *MACH0_() get_sections(struct MACH0_(obj_t) *bin)
Definition: mach0.c:2411

LC_KEXT
@ LC_KEXT
Definition: mach0_defines.h:177

LC_LOAD_WEAK_DYLIB
@ LC_LOAD_WEAK_DYLIB
Definition: mach0_defines.h:147

LC_UNIXTHREAD
@ LC_UNIXTHREAD
Definition: mach0_defines.h:128

LC_LOAD_DYLIB
@ LC_LOAD_DYLIB
Definition: mach0_defines.h:135

LC_LAZY_LOAD_DYLIB
@ LC_LAZY_LOAD_DYLIB
Definition: mach0_defines.h:155

LC_SEGMENT_64
@ LC_SEGMENT_64
Definition: mach0_defines.h:148

MH_FILESET
@ MH_FILESET
Definition: mach0_defines.h:83

MH_PIE
@ MH_PIE
Definition: mach0_defines.h:110

CPU_TYPE_ARM64
@ CPU_TYPE_ARM64
Definition: mach0_defines.h:1089

MACH0_
#define MACH0_(name)
Definition: mach0_specs.h:20

autogen_x86imm.tmp
tmp
Definition: autogen_x86imm.py:12

test_evm.end
end
Definition: test_evm.py:20

off
int off
Definition: pal.c:13

rz_buf_new_with_methods
RZ_API RZ_OWN RzBuffer * rz_buf_new_with_methods(RZ_NONNULL const RzBufferMethods *methods, void *init_user)
Creates a new buffer with a specific back end.
Definition: buf.c:525

rz_buf_resize
RZ_API bool rz_buf_resize(RZ_NONNULL RzBuffer *b, ut64 newsize)
Resize the buffer size.
Definition: buf.c:890

rz_seek_offset
static ut64 rz_seek_offset(ut64 cur, ut64 length, st64 addr, int whence)
change cur according to addr and whence (RZ_BUF_SET/RZ_BUF_CUR/RZ_BUF_END)
Definition: rz_buf.h:67

rz_buf_write_at
RZ_API st64 rz_buf_write_at(RZ_NONNULL RzBuffer *b, ut64 addr, RZ_NONNULL const ut8 *buf, ut64 len)
Write len bytes of the buffer at the specified address.
Definition: buf.c:1197

rz_buf_read_at
RZ_API st64 rz_buf_read_at(RZ_NONNULL RzBuffer *b, ut64 addr, RZ_NONNULL RZ_OUT ut8 *buf, ut64 len)
Read len bytes of the buffer at the specified address.
Definition: buf.c:1136

rz_buf_read_le32_at
#define rz_buf_read_le32_at(b, addr, result)
Definition: rz_buf.h:271

rz_buf_data
RZ_DEPRECATE RZ_API RZ_BORROW ut8 * rz_buf_data(RZ_NONNULL RzBuffer *b, RZ_NONNULL RZ_OUT ut64 *size)
Return a borrowed array of bytes representing the buffer data.
Definition: buf.c:1287

rz_buf_size
RZ_API ut64 rz_buf_size(RZ_NONNULL RzBuffer *b)
Return the size of the buffer.
Definition: buf.c:1225

rz_buf_read_le64_at
#define rz_buf_read_le64_at(b, addr, result)
Definition: rz_buf.h:272

rz_read_le64
static ut64 rz_read_le64(const void *src)
Definition: rz_endian.h:266

rz_write_le64
static void rz_write_le64(void *dest, ut64 val)
Definition: rz_endian.h:277

RZ_NEW0
#define RZ_NEW0(x)
Definition: rz_types.h:284

RZ_FREE
#define RZ_FREE(x)
Definition: rz_types.h:369

RZ_MIN
#define RZ_MIN(x, y)
Definition: rz_types_base.h:140

st64
#define st64
Definition: rz_types_base.h:10

UT64_MAX
#define UT64_MAX
Definition: rz_types_base.h:86

flags
static struct sockaddr static addrlen static backlog const void static flags void flags
Definition: sfsocketcall.h:123

b
#define b(i)
Definition: sha256.c:42

BufCtx
Definition: dyldcache_rebase.c:176

BufCtx::obj
RzXNUKernelCacheObj * obj
Definition: kernelcache.c:241

RebaseCtx
Definition: kernelcache.c:162

RebaseCtx::buf
ut8 * buf
Definition: kernelcache.c:164

RebaseCtx::eob
ut64 eob
Definition: kernelcache.c:163

RebaseCtx::obj
RzXNUKernelCacheObj * obj
Definition: kernelcache.c:166

RebaseCtx::count
int count
Definition: kernelcache.c:165

ctx
Definition: zip_algorithm_bzip2.c:40

mach_header
Definition: mach0_defines.h:591

rz_buf_t
Definition: rz_buf.h:43

rz_buffer_methods_t
Definition: rz_buf.h:31

rz_buffer_methods_t::init
RzBufferInit init
Definition: rz_buf.h:32

rz_xnu_kernelcache_file_range_t::offset
ut64 offset
Definition: kernelcache.h:15

rz_xnu_kernelcache_file_range_t::size
ut64 size
Definition: kernelcache.h:16

rz_xnu_kernelcache_obj_t
Definition: kernelcache.h:30

rz_xnu_kernelcache_obj_t::rebase_info
RzXNUKernelCacheRebaseInfo * rebase_info
Definition: kernelcache.h:38

rz_xnu_kernelcache_obj_t::cache_buf
RzBuffer * cache_buf
Definition: kernelcache.h:31

rz_xnu_kernelcache_obj_t::rebasing_buffer
bool rebasing_buffer
Definition: kernelcache.h:41

rz_xnu_kernelcache_obj_t::rebase_info_populated
bool rebase_info_populated
Definition: kernelcache.h:40

rz_xnu_kernelcache_parsed_pointer_t
Definition: kernelcache.h:26

rz_xnu_kernelcache_parsed_pointer_t::address
ut64 address
Definition: kernelcache.h:27

rz_xnu_kernelcache_rebase_info_t
Definition: kernelcache.h:19

rz_xnu_kernelcache_rebase_info_t::multiplier
ut64 multiplier
Definition: kernelcache.h:22

rz_xnu_kernelcache_rebase_info_t::ranges
RzXNUKernelCacheFileRange * ranges
Definition: kernelcache.h:20

rz_xnu_kernelcache_rebase_info_t::kernel_base
ut64 kernel_base
Definition: kernelcache.h:23

rz_xnu_kernelcache_rebase_info_t::n_ranges
ut64 n_ranges
Definition: kernelcache.h:21

section_t
Definition: mach0.h:42

section_t::vsize
ut64 vsize
Definition: mach0.h:46

bool
#define bool
Definition: sysdefs.h:146

delta
static st64 delta
Definition: vmenus.c:2425

ut64
ut64(WINAPI *w32_GetEnabledXStateFeatures)()

addr
static int addr
Definition: z80asm.c:58

filetype
filetype
Definition: z80asm.h:78