Re: IOKit KEXT Questions
- Subject: Re: IOKit KEXT Questions
- From: Matt Burnett <email@hidden>
- Date: Wed, 15 Aug 2007 19:40:07 -0500
You didn't answer my question, and you jumped to conclusions. I
already have functioning code to arbitrarily hook kernel functions. I
didn't ask for help on how to do this, I just asked if there are any
IOKit classes that implement features similar to mprotect/vm_protect,
and why IOKit based KEXTs have issues resolving symbols in the
kernel. Not answering these questions won't prevent me from
accomplishing my task.
- I can still use mprotect/vm_protect
- For the symbols issue, I can at the very worst use some script
hackery to resolve the symbols in user space and transfer their
addresses to my KEXT. I know there are tables in the kernel where I
could resolve the symbols manually as well.
I would like to remind you that hurling insults at me such as
"unscrupulous" (definition: having or showing no moral principles;
not honest or fair) does nothing other than provoke me to release an
SDK to the public which would allow people to hook kernel functions.
On Aug 15, 2007, at 6:24 PM, Terry Lambert wrote:
On Aug 15, 2007, at 3:21 PM, Matt Burnett wrote:
I have 2 questions regarding IOKit KEXTs.
- How does IOMemoryDescriptor deal with memory protection
(mprotect/vm_protect)? Is there a class available to check/change
the protection of certain pages in memory, or should I use mprotect/
vm_protect?
- Why do IOKit KEXTs have issues resolving kernel symbols, and
what can I do to work around it? For example, if I create a KEXT in
C, I can look up the address of any symbol which is in /mach.sym;
however, I get unresolved symbol errors if I do the same in an IOKit
KEXT.
Example HelloIOKit.cpp Code:
...
extern "C" int execve(void *, void *, int *);
...
IOLog("Found execve at %p\n",execve);
...
Example kextload output:
kextload: extension HelloIOKit.kext appears to be valid
kld(): Undefined symbols:
_execve
...
We hide system calls so someone unscrupulous does not overwrite
their entry points with jump instructions to their own code,
perhaps thinking that we do not change locking or other
implementation details in software updates.
If you need to trap and/or prevent this type of operation for
legitimate reasons, use kauth instead.
-- Terry
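What "use kauth instead" looks like in practice, as an added example that is not code from this thread or from Apple: a kernel extension that registers a Kauth listener on the vnode scope and logs every execute authorization of a regular file. The vnode scope is the one to use here because a fileop-scope listener (KAUTH_FILEOP_EXEC) is notification-only and its return value is ignored, whereas a vnode-scope listener may return KAUTH_RESULT_DENY. The bundle name and the start/stop function names are assumptions; the code builds only as a kext against Kernel.framework, so it cannot be compiled or run on an ordinary host.

```c
/* kauth_exec_monitor.c -- added example, not from the thread.
 * Observes exec authorizations through Kauth instead of patching
 * syscall entry points. Builds only as a kernel extension; the
 * Info.plist must list OSBundleLibraries com.apple.kpi.bsd,
 * com.apple.kpi.libkern and com.apple.kpi.mach. */
#include <mach/mach_types.h>
#include <mach/kmod.h>
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/vnode.h>
#include <sys/proc.h>
#include <libkern/libkern.h>
#include <libkern/OSAtomic.h>

static kauth_listener_t g_listener = NULL;
static SInt32 g_active_callbacks = 0;  /* callbacks currently executing */

/* Vnode-scope callback. For KAUTH_SCOPE_VNODE the arguments are:
 * arg0 = vfs_context_t, arg1 = vnode_t being authorized,
 * arg2 = parent vnode_t (may be NULL), arg3 = int * to receive an
 * errno when the listener returns KAUTH_RESULT_DENY. */
static int
exec_listener(kauth_cred_t cred, void *idata, kauth_action_t action,
              uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
{
    vnode_t vp = (vnode_t)arg1;
    char    path[MAXPATHLEN];
    int     pathlen = sizeof(path);
    int     result = KAUTH_RESULT_DEFER;

    (void)idata; (void)arg0; (void)arg2; (void)arg3;

    /* Count ourselves in so _stop can tell whether a callback is still live. */
    OSIncrementAtomic(&g_active_callbacks);

    /* Only execute checks on regular files are of interest; the vnode
     * scope is called for every other access type as well, so filter early. */
    if ((action & KAUTH_VNODE_EXECUTE) && vnode_isreg(vp)) {
        if (vn_getpath(vp, path, &pathlen) == 0) {
            printf("kauth_exec_monitor: uid %d pid %d exec-auth %s\n",
                   kauth_cred_getuid(cred), proc_selfpid(), path);
        }
        /* DEFER leaves the decision to the normal permission checks.
         * A blocking policy would set result = KAUTH_RESULT_DENY and
         * store an errno through (int *)arg3. */
    }

    OSDecrementAtomic(&g_active_callbacks);
    return result;
}

/* Assumed kext entry point name; must match CFBundleExecutable/kmod info. */
kern_return_t
kauth_exec_monitor_start(kmod_info_t *ki, void *d)
{
    (void)ki; (void)d;
    g_listener = kauth_listen_scope(KAUTH_SCOPE_VNODE, exec_listener, NULL);
    if (g_listener == NULL) {
        printf("kauth_exec_monitor: kauth_listen_scope failed\n");
        return KERN_FAILURE;
    }
    return KERN_SUCCESS;
}

kern_return_t
kauth_exec_monitor_stop(kmod_info_t *ki, void *d)
{
    (void)ki; (void)d;
    if (g_listener != NULL) {
        kauth_unlisten_scope(g_listener);
        g_listener = NULL;
    }
    /* kauth_unlisten_scope guarantees no new calls, but a callback may
     * still be running on another thread; refusing to unload is safer
     * than unmapping code that is being executed. */
    if (g_active_callbacks != 0) {
        printf("kauth_exec_monitor: listener still active, refusing to unload\n");
        return KERN_FAILURE;
    }
    return KERN_SUCCESS;
}
```

Because the vnode scope fires for every authorization on every file, the listener has to stay cheap and filter on the action mask before doing any work; a listener that is slow here is felt system-wide. The activity counter is the conventional guard against the unload race Apple documents for Kauth listeners: a failed unload keeps the kext resident until a later unload attempt finds no callback in flight.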
Darwin-dev mailing list (email@hidden)