iokit-dumper-arm64 is the static iOS AArch64 version for iokit-dumper.
It uses a dumped 64-bit kernelcache to rebuild the IOKit classes hierarchy for a specific image in the kernelcache, and generate a DOT graph for it. You can see some example generated graphs below, in the Examples section.
Firstly, to generate DOT graphs you will need dot installed. Do:
brew install graphviz
And test with:
dot -v
Now, the arguments accepted by iokit-dumper-arm64:
-f: It specifies the kernelcache path to work with.-o: It specifies the output path. The output file name is auto-generated. If not specified, default path used will be/tmp.-n: it specifies the image to dump name. If not specified, all images will be dumped. Pass the stringkernelto dump the kernel hierarchy. Pass a KEXT bundle name (Ex.com.apple.iokit.IOHIDFamily) to dump that KEXT hierarchy.-c: Auto convert. If specified, it automatically runs a dot command at the end of the dumping process to generate a PDF file containing the graph.
Example usage to dump kernel hierarchy to Desktop:
./iokit-dumper-arm64 -f /path/to/kernelcache.dump -n kernel -o /Users/$USER/Desktop/ -c
libdump is a kind-of AArch64 emulator. It is quite sloppy and relies on capstone. It has been written specifically for this project, but it could become a totally separated project in the future.
I have added some basic support for unencrypted kernelcaches, but it has not been tested on enough cases to say it's perfect. Also the code needs a major refactor and cleanup, so keep in mind that stuff may happen.
If you feel like contrinuting, do not hesitate doing so! Just submit a pull request. I would really appreciate some help.
Future updates are planned, and improvements are coming.
- i0n1c (https://twitter.com/i0n1c) - for providing DOT source files from his tool (https://github.com/stefanesser/ios-kerneldocs). Was very useful to improve the DOT file generation code and for double checking my algorithm was working correctly.
- jlevin (https://twitter.com/Morpheus______) - for providing useful tools such as joker, which helped me out a lot with this project.
Here are some generated graphs as an example:
A list of to-do for updates.
- Code cleanup
- Fix KEXT identification algorithm (it is buggy in some cases)
- Unencrypted kernelcaches support
- Add graph customization and details