Foreword
Opa334 recently shared a kernel read and write primitive which is similar to the one used in DarkSword malware. I found that it was a perfect occasion for me to try to make it run on one of my testing devices and actually get my hands dirty with kernel exploration. We always hear about kernel exploitation, but rarely get to walk through what it looks like in practice.
Once you have kernel read and write primitives, the first step is to read backwards until you find the magic number, that is, the Mach-O header signature:

```c
// One 64-bit read at the header returns MH_MAGIC_64 (0xfeedfacf) in the low
// 32 bits and the cputype CPU_TYPE_ARM64 (0x0100000c) in the high 32 bits.
uint64_t magic = early_kread64(kernel_base);
if (magic == 0x100000cfeedfacfULL) {
    printf("[DEBUG] Found Mach-O magic at 0x%llx!\n", kernel_base);
}
```
Then you can compute the kernel slide and you are good to go.
I won't detail this, but feel free to check MATTEYEUX's blog post on DarkSword.
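The backward scan and slide computation described above, as an added example that is not from the original post or from opa334's code: it runs against a constructed in-memory stand-in for kernel memory (a fake read primitive over a buffer with a planted Mach-O header), and the unslid base, region address and page size are assumptions chosen for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory (not a real kernelcache): filler
 * pages with a Mach-O header planted at one page-aligned offset. */
#define PAGE_SZ     0x4000ULL              /* 16 KiB pages, as on arm64 */
#define SIM_BASE    0xfffffff020000000ULL  /* pretend address of the simulated region */
#define HDR_OFF     (3ULL * PAGE_SZ)       /* header planted on page 3 */
#define STATIC_BASE 0xfffffff007004000ULL  /* assumed unslid base taken from the kernelcache file */
/* MH_MAGIC_64 (0xfeedfacf) in the low 32 bits, CPU_TYPE_ARM64 (0x0100000c) in
 * the high 32 bits: what one little-endian 64-bit read at the base returns. */
#define MAGIC_CPUTYPE 0x0100000cfeedfacfULL
static uint8_t sim_mem[8 * PAGE_SZ];

static void sim_setup(void) {
    uint64_t w = MAGIC_CPUTYPE;
    memset(sim_mem, 0xAA, sizeof sim_mem);
    memcpy(sim_mem + HDR_OFF, &w, sizeof w);
}

/* Stand-in for the kernel read primitive: 64-bit word at kaddr, 0 if outside the region. */
static uint64_t sim_kread64(uint64_t kaddr) {
    uint64_t v;
    if (kaddr < SIM_BASE || kaddr + 8 > SIM_BASE + sizeof sim_mem) return 0;
    memcpy(&v, sim_mem + (kaddr - SIM_BASE), sizeof v);
    return v;
}

/* Walk backwards page by page from a known kernel address until a page starts with
 * magic||cputype. Returns that address, or 0 if none is found within max_pages. */
static uint64_t find_kernel_base(uint64_t known_kaddr, unsigned max_pages,
                                 uint64_t (*kread64)(uint64_t)) {
    uint64_t addr = known_kaddr & ~(PAGE_SZ - 1);
    for (unsigned i = 0; i < max_pages; i++, addr -= PAGE_SZ)
        if (kread64(addr) == MAGIC_CPUTYPE) return addr;
    return 0;
}

/* Slide = where the header really is minus where the unslid file puts it. */
static uint64_t kernel_slide(uint64_t found, uint64_t unslid) { return found - unslid; }

int main(void) {
    sim_setup();
    uint64_t base = find_kernel_base(SIM_BASE + 5 * PAGE_SZ + 0x10, 16, sim_kread64);
    printf("base 0x%llx slide 0x%llx\n", (unsigned long long)base,
           (unsigned long long)kernel_slide(base, STATIC_BASE));
    return base == 0;
}
```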
The next difficulty is finding the offsets between this magic value and the kernel objects in memory, which is exactly what this post is about.
Introduction
Kernelcaches extracted from IPSW files come without symbols: just raw ARM64 code. Yet, the internal layout of every kernel data structure is recoverable if you know where to look.