Skip to content

cocoahuke/ioskextdump_32

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
src
 
 
test
 
 
.travis.yml
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
ioskextdump_32 64bit version of iOS: 64bit version of iOS10: Dump Kext info For Mac: This is the arm 32bit version of ioskextdump For kernel which dump from memory How to use

README.md

ioskextdump_32

Dump Kext information from 32bit iOS kernel cache. Applicable to the kernel which dump from memory. The disassembly framework used is Capstone

Contact build license paypal

64bit version of iOS:

64bit(aarch64): ioskextdump

64bit version of iOS10:

64bit(arm): ioskextdump_ios10

Dump Kext info For Mac:

64bit(x86_64): mackextdump

This is the arm 32bit version of ioskextdump

For kernel which dump from memory

Use iosdumpkernelfix to correct the Mach-O header before analyze it, Otherwise The analysis results are not complete list of Kexts

How to use

Download

git clone https://github.com/cocoahuke/ioskextdump_32.git && cd ioskextdump_32

Compile and install to /usr/local/bin/

make
make install

Usage

Usage: ioskextdump_32 [-e] [-p <access directory path>] <kernelcache>

-e Specify the export mode
-p Specifiy a folder path that contains the data file or export data file to there


Example to use I left a sample iOS9.2 kernelcache in the test directory, try to run this command

ioskextdump_32 -e -p test test/iPhone5_9.2_kernel.arm

You will see all Inheritance relationship is empty and allClass_relation.plist saved success should be at end of program print

Inheritance relationship:

Then try same command removes -e

ioskextdump_32 -p test test/iPhone5_9.2_kernel.arm

ioskextdump_32 will print contain lists of inheritance and override functions:

15.0x80772000 - 0x80799000 com.apple.iokit.IOHIDFamily

total 20 modInit in com.apple.iokit.IOHIDFamily

******** 0:com.apple.iokit.IOHIDFamily *******
(0x80774464)->OSMetaClass:OSMetaClass call 4 args list
r0:0x8078f144
r1:IOHIDLibUserClient
r2:0x80412904
r3:0xc0
vtable start from addr 0x8078a2ec
Inheritance relationship:

0 func:0x80772b51  scalar_i:0x0  struct_i:0x0  scalar_o:0x2  struct_o:0x0
1 func:0x80772b71  scalar_i:0x1  struct_i:0x0  scalar_o:0x0  struct_o:0x0
2 func:0x80772b79  scalar_i:0x0  struct_i:0x0  scalar_o:0x0  struct_o:0x0
...

Cannot detect override methods in this program, I was added in [ioskextdump](https://github.com/cocoahuke/ioskextdump program, 32bit device get outdatedness more and more :), anyway 32bit devices are get older and outdatedness :)

Any question just Email me

About

Dump Kext information from 32bit iOS kernel cache. Applicable to the kernel which dump from memory

Topics

ios kernel analysis static kext dump iokit

Resources

Readme

License

MIT license

Stars

7 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages