Kextstat ASLR
A small utility to list OS X kernel extensions with their true (slid) addresses. The system kextstat utility does not apply the kernel ASLR slide to the addresses it reports.
(c) fG!, 2012, 2013, 2014 - [email protected] - http://reverse.put.as
Uses the processor_set_tasks() vulnerability or /dev/kmem to read kernel memory.
If the processor_set_tasks() vulnerability is not available, you need to enable /dev/kmem: edit /Library/Preferences/SystemConfiguration/com.apple.Boot.plist, add the kmem=1 parameter to the kernel flags, and reboot!
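Because enabling /dev/kmem leaves a device through which root can read kernel memory, an administrator will want to confirm the flag is removed again once the tool is no longer needed. The following is an added example, not part of kextstat_aslr; it audits a com.apple.Boot.plist for a non-zero kmem= boot argument. It assumes the plist stores its boot arguments as a whitespace-separated string under the "Kernel Flags" key (the key that file uses), and the sample plists it builds are constructed for the example.

```python
"""Audit an OS X com.apple.Boot.plist (or a raw boot-args string) for kmem=.

Added example; assumes boot arguments live under the "Kernel Flags" key.
"""
import plistlib


def parse_boot_args(boot_args: str) -> dict:
    """Split a boot-args string into {name: value}; bare flags such as -v map to ''."""
    args = {}
    for token in boot_args.split():
        name, sep, value = token.partition("=")
        args[name] = value if sep else ""
    return args


def kernel_flags(plist_bytes: bytes) -> str:
    """Return the 'Kernel Flags' string from a Boot.plist, or '' if the key is absent."""
    data = plistlib.loads(plist_bytes)
    return str(data.get("Kernel Flags", ""))


def kmem_enabled(boot_args: str) -> bool:
    """True when kmem=<non-zero integer> is present in the boot arguments."""
    value = parse_boot_args(boot_args).get("kmem")
    if value is None:
        return False
    try:
        return int(value, 0) != 0  # base 0 also accepts 0x.. spellings
    except ValueError:
        return False


def audit_plist(plist_bytes: bytes) -> list:
    """Findings for one Boot.plist; an empty list means no kmem exposure was found."""
    flags = kernel_flags(plist_bytes)
    findings = []
    if kmem_enabled(flags):
        findings.append(
            "kmem=1 set in Kernel Flags: /dev/kmem exposes kernel memory to root; "
            "remove the flag and reboot once it is no longer needed"
        )
    return findings


def make_plist(flags: str) -> bytes:
    """Build a minimal Boot.plist with the given Kernel Flags (constructed sample)."""
    return plistlib.dumps({"Kernel Flags": flags})


# Constructed samples: a default plist and one edited as the README describes.
SAMPLE_DEFAULT = make_plist("")
SAMPLE_KMEM = make_plist("kmem=1 -v")

if __name__ == "__main__":
    # To check a live system, pass the bytes of the real file instead:
    # audit_plist(open("/Library/Preferences/SystemConfiguration/com.apple.Boot.plist", "rb").read())
    for name, sample in (("default", SAMPLE_DEFAULT), ("kmem", SAMPLE_KMEM)):
        print(name, audit_plist(sample) or ["ok"])
```

On the Mountain Lion/Mavericks releases the README targets, the plist is the file that carries the flag, which is why the check reads it directly rather than querying the running kernel.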
This version works with all Mountain Lion/Mavericks versions out of the box. It should work with any future OS X version as long as the OSArray class layout doesn't change.
The license is GPLv3 due to diStorm licensing terms.
Enjoy, fG!
Change log:
v0.1 - Initial version
v0.2 - Retrieve the KASLR slide via the kas_info() syscall. Thanks to posixninja for the tip :-)
v0.3 - Cleanups
v1.0 - Use diStorm to find sLoadedKexts so everything is dynamic. The only dependency is on the OSArray class, since we are using fixed offsets into it
v1.1 - Try to use the processor_set_tasks() vulnerability to read kernel memory before falling back to /dev/kmem