
Feature Request: Export Kernel Slide/Base #457

Closed

pwmoore opened this issue Nov 18, 2019 · 7 comments
Labels
component-stage3 Patches and stuff status-fixed Fixed in latest release
Milestone

Comments

@pwmoore

pwmoore commented Nov 18, 2019

It's entirely possible this is already implemented and I've missed it, but if not it would be nice if the kernel slide were exported (whether via task_info, or even just a file dropped on disk). I've played around with some heap scanning shenanigans (i.e. @Siguza's tools) and they don't seem to be happy on 13.2.2. I'm sure I can eventually figure out some way of finding the slide that way, but it would be awesome if we could just get the slide without having to do any scanning or probing kernel memory.

Alternately, I may just be being dumb and it's already there or I'm doing something wrong, in which case I apologize in advance. :)

@arx8x

arx8x commented Nov 20, 2019

The patch was supposed to be added after tfp0 was fixed on iOS 13. It's planned, afaik. Scanning vm regions works only until iOS 12.4.3.

@Siguza Siguza added component-stage3 Patches and stuff status-accepted Will be worked on labels Nov 20, 2019
@Siguza
Member

Siguza commented Nov 20, 2019

This is planned, the issue is just that our patches are applied before the kernel is booted, at which time the common interface(s) to export the kernel slide don't exist yet. But we'll think of something.

@pwmoore
Author

pwmoore commented Nov 20, 2019

Gotcha, thanks. I can imagine that's a tricky task. Just spitballing, I wonder if there's a useless sysctl that could be patched with the slide that we could retrieve, or maybe via boot arg or something. In the meantime I'll poke around and see if I can figure out a good way of retrieving it dynamically.

As always I appreciate the work you guys are doing on this.

@Siguza
Member

Siguza commented Nov 20, 2019

Well, task_info has kinda become the standard interface. Just exporting the slide somewhere wouldn't be the issue, we could just patch an unused mach trap.

@bazad

bazad commented Nov 21, 2019

For what it's worth, a workaround in the meantime (which I'm using in KTRW) is to use an unsafe heap scan: https://gist.github.com/bazad/4636445f27df2086ca395790e9aca279

@pwmoore
Author

pwmoore commented Nov 21, 2019

@bazad I actually wound up doing exactly that, although my code is much... uglier than yours. :) It seems to be pretty reliable, so it should meet my needs for now. Appreciate the heads up!

@sbingner sbingner added the status-unreleased Fixed internally, pending public release label Nov 25, 2019
@sbingner sbingner added this to the 0.9.6 milestone Nov 25, 2019
@sbingner
Member

Exporting to tfp0 dyld info is working and should be in next release - also https://github.com/sbingner/jbctl has the tool I use to test it, may have some code helpful to anybody trying to pull more than kernel slide/base out of it.

@nullpixel nullpixel added status-fixed Fixed in latest release and removed status-unreleased Fixed internally, pending public release labels Dec 1, 2019
@Siguza Siguza removed the status-accepted Will be worked on label Aug 9, 2020