jndok/iokit-dumper-arm64 jndok/iokit-dumper-arm64

  • Stars
    star
    108
  • Rank 314,240 (Top 7 %)
  • Language
    C
  • Created almost 8 years ago
  • Updated almost 8 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
jndok/iokit-dumper-arm64
github

jndok

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

tool for statically reconstructing the IOKit classes hierarchy from iOS kernelcache dumps

iokit-dumper-arm64 + libdump

iokit-dumper-arm64 is the static iOS AArch64 version for iokit-dumper.
It uses a dumped 64-bit kernelcache to rebuild the IOKit classes hierarchy for a specific image in the kernelcache, and generate a DOT graph for it. You can see some example generated graphs below, in the Examples section.

How to use

Firstly, to generate DOT graphs you will need dot installed. Do:

brew install graphviz

And test with:

dot -v

Now, the arguments accepted by iokit-dumper-arm64:

  • -f: It specifies the kernelcache path to work with.
  • -o: It specifies the output path. The output file name is auto-generated. If not specified, default path used will be /tmp.
  • -n: it specifies the image to dump name. If not specified, all images will be dumped. Pass the string kernel to dump the kernel hierarchy. Pass a KEXT bundle name (Ex. com.apple.iokit.IOHIDFamily) to dump that KEXT hierarchy.
  • -c: Auto convert. If specified, it automatically runs a dot command at the end of the dumping process to generate a PDF file containing the graph.

Example usage to dump kernel hierarchy to Desktop:

./iokit-dumper-arm64 -f /path/to/kernelcache.dump -n kernel -o /Users/$USER/Desktop/ -c

libdump

libdump is a kind-of AArch64 emulator. It is quite sloppy and relies on capstone. It has been written specifically for this project, but it could become a totally separated project in the future.

Notes

I have added some basic support for unencrypted kernelcaches, but it has not been tested on enough cases to say it's perfect. Also the code needs a major refactor and cleanup, so keep in mind that stuff may happen.

If you feel like contrinuting, do not hesitate doing so! Just submit a pull request. I would really appreciate some help.

Future updates are planned, and improvements are coming.

Thanks

Examples

Here are some generated graphs as an example:

IOAudio2Family

com.apple.iokit.IOAudio2Family

IOHIDFamily

com.apple.iokit.IOHIDFamily

IOAcceleratorFamily2

com.apple.iokit.IOAcceleratorFamily2

TODO

A list of to-do for updates.

  • Code cleanup
  • Fix KEXT identification algorithm (it is buggy in some cases)
  • Unencrypted kernelcaches support
  • Add graph customization and details

More Repositories

1

stfusip

System Integrity Protection (SIP) bypass for OSX 10.11.1 - 10.11.2 - 10.11.3
C
145
star
2

harpoon

Lightweight runtime hooking library for OS X.
C
120
star
3

PegasusX

OS X 10.11.6 LPE PoC for CVE-2016-4655 / CVE-2016-4656
C
95
star
4

iokit-dumper

OS X tool for dumping IOKit hierarchies in DOT format.
C
46
star
5

ropnroll

An OSX exploitation helper library.
C
34
star
6

OF32

A simple tool to find offsets needed in 32bit jailbreaks. Feel free to contribute.
C
30
star
7

anchor

Yet another dynamic routine hooking library for OS X. Uses Mach exception handlers.
C
9
star
8

tpwn-bis

simple poc for cve-2015-5932 / cve-2015-5847 / cve-2015-5864
Objective-C
4
star
9

trident

Mach-O hooking lib
C
4
star
10

ZenCracker

Open-source hash cracker.
Python
3
star
11

tools

Various tools for various purposes
C
3
star