Dump Kext information from 32bit iOS kernel cache. Applicable to the kernel which dump from memory. The disassembly framework used is Capstone
64bit(aarch64): ioskextdump
64bit(arm): ioskextdump_ios10
64bit(x86_64): mackextdump
This is the arm 32bit version of ioskextdump
Use iosdumpkernelfix to correct the Mach-O header before analyze it, Otherwise The analysis results are not complete list of Kexts
Download
git clone https://github.com/cocoahuke/ioskextdump_32.git && cd ioskextdump_32Compile and install to /usr/local/bin/
make
make installUsage
Usage: ioskextdump_32 [-e] [-p <access directory path>] <kernelcache>
-e Specify the export mode
-p Specifiy a folder path that contains the data file or export data file to there
Example to use
I left a sample iOS9.2 kernelcache in the test directory, try to run this command
ioskextdump_32 -e -p test test/iPhone5_9.2_kernel.arm
You will see all Inheritance relationship is empty and allClass_relation.plist saved success should be at end of program print
Inheritance relationship:
Then try same command removes -e
ioskextdump_32 -p test test/iPhone5_9.2_kernel.arm
ioskextdump_32 will print contain lists of inheritance and override functions:
15.0x80772000 - 0x80799000 com.apple.iokit.IOHIDFamily
total 20 modInit in com.apple.iokit.IOHIDFamily
******** 0:com.apple.iokit.IOHIDFamily *******
(0x80774464)->OSMetaClass:OSMetaClass call 4 args list
r0:0x8078f144
r1:IOHIDLibUserClient
r2:0x80412904
r3:0xc0
vtable start from addr 0x8078a2ec
Inheritance relationship:
0 func:0x80772b51 scalar_i:0x0 struct_i:0x0 scalar_o:0x2 struct_o:0x0
1 func:0x80772b71 scalar_i:0x1 struct_i:0x0 scalar_o:0x0 struct_o:0x0
2 func:0x80772b79 scalar_i:0x0 struct_i:0x0 scalar_o:0x0 struct_o:0x0
...
Cannot detect override methods in this program, I was added in [ioskextdump](https://github.com/cocoahuke/ioskextdump program, 32bit device get outdatedness more and more :), anyway 32bit devices are get older and outdatedness :)
Any question just Email me