Kezdőlap Felfedezés Súgó
Bejelentkezés
NitoTV
/
merdian
Figyelés 3
Kedvenc 0
Másolás 0
Fájlok Problémák 0 Beolvasztási kérések 1 Wiki
Fa: 1
Branch-ok Tag-ek
merdian
/
Meridian
/
amfid
/
helpers
/
kmem.c

kmem.c 4.6 KB
Állandó hivatkozás Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 
  1. #import "../kern_utils.h"
    2. 

  2. #import "kmem.h"
    3. 

  3. 

  4. #define MAX_CHUNK_SIZE 0xFFF
    5. 

  5. 

  6. void remote_read_overwrite(mach_port_t task_port,
    7. 

  7.                            uint64_t remote_address,
    8. 

  8.                            uint64_t local_address,
    9. 

  9.                            uint64_t length) {
    10. 

  10.     kern_return_t err;
    11. 

  11.     
    12. 

  12.     mach_vm_size_t outsize = 0;
    13. 

  13.     err = mach_vm_read_overwrite(task_port, (mach_vm_address_t)remote_address, (mach_vm_size_t)length, (mach_vm_address_t)local_address, &outsize);
    14. 

  14.     if (err != KERN_SUCCESS){
    15. 

  15.         return;
    16. 

  16.     }
    17. 

  17.     
    18. 

  18.     if (outsize != length){
    19. 

  19.         return;
    20. 

  20.     }
    21. 

  21. }
    22. 

  22. 

  23. void remote_write(mach_port_t remote_task_port,
    24. 

  24.                   uint64_t remote_address,
    25. 

  25.                   uint64_t local_address,
    26. 

  26.                   uint64_t length) {
    27. 

  27.     kern_return_t err = mach_vm_write(remote_task_port,
    28. 

  28.                                       (mach_vm_address_t)remote_address,
    29. 

  29.                                       (vm_offset_t)local_address,
    30. 

  30.                                       (mach_msg_type_number_t)length);
    31. 

  31.     if (err != KERN_SUCCESS) {
    32. 

  32.         return;
    33. 

  33.     }
    34. 

  34. }
    35. 

  35. 

  36. uint64_t binary_load_address() {
    37. 

  37.     kern_return_t err;
    38. 

  38.     mach_msg_type_number_t region_count = VM_REGION_BASIC_INFO_COUNT_64;
    39. 

  39.     memory_object_name_t object_name = MACH_PORT_NULL;
    40. 

  40.     mach_vm_size_t target_first_size = 0x1000;
    41. 

  41.     mach_vm_address_t target_first_addr = 0x0;
    42. 

  42.     struct vm_region_basic_info_64 region = {0};
    43. 

  43.     err = mach_vm_region(mach_task_self(), &target_first_addr, &target_first_size, VM_REGION_BASIC_INFO_64, (vm_region_info_t)&region, &region_count, &object_name);
    44. 

  44.     
    45. 

  45.     if (err != KERN_SUCCESS) {
    46. 

  46.         return -1;
    47. 

  47.     }
    48. 

  48.     
    49. 

  49.     return target_first_addr;
    50. 

  50. }
    51. 

  51. 

  52. size_t kread(uint64_t where, void *p, size_t size) {
    53. 

  53. 	int rv;
    54. 

  54. 	size_t offset = 0;
    55. 

  55. 	while (offset < size) {
    56. 

  56. 		mach_vm_size_t sz, chunk = MAX_CHUNK_SIZE;
    57. 

  57. 		if (chunk > size - offset) {
    58. 

  58. 			chunk = size - offset;
    59. 

  59. 		}
    60. 

  60. 		rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
    61. 

  61. 		if (rv || sz == 0) {
    62. 

  62. 			fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where));
    63. 

  63. 			break;
    64. 

  64. 		}
    65. 

  65. 		offset += sz;
    66. 

  66. 	}
    67. 

  67. 	return offset;
    68. 

  68. }
    69. 

  69. 

  70. size_t kwrite(uint64_t where, const void *p, size_t size) {
    71. 

  71. 	int rv;
    72. 

  72. 	size_t offset = 0;
    73. 

  73. 	while (offset < size) {
    74. 

  74. 		size_t chunk = MAX_CHUNK_SIZE;
    75. 

  75. 		if (chunk > size - offset) {
    76. 

  76. 			chunk = size - offset;
    77. 

  77. 		}
    78. 

  78. 		rv = mach_vm_write(tfp0, where + offset, (mach_vm_offset_t)p + offset, chunk);
    79. 

  79. 		if (rv) {
    80. 

  80. 			fprintf(stderr, "[e] error writing kernel @%p\n", (void *)(offset + where));
    81. 

  81. 			break;
    82. 

  82. 		}
    83. 

  83. 		offset += chunk;
    84. 

  84. 	}
    85. 

  85. 	return offset;
    86. 

  86. }
    87. 

  87. 

  88. uint64_t kalloc(vm_size_t size){
    89. 

  89. 	mach_vm_address_t address = 0;
    90. 

  90. 	mach_vm_allocate(tfp0, (mach_vm_address_t *)&address, size, VM_FLAGS_ANYWHERE);
    91. 

  91. 	return address;
    92. 

  92. }
    93. 

  93. 

  94. void kfree(mach_vm_address_t address, vm_size_t size){
    95. 

  95.   mach_vm_deallocate(tfp0, address, size);
    96. 

  96. }
    97. 

  97. 

  98. uint16_t rk16(uint64_t kaddr) {
    99. 

  99.     uint16_t val = 0;
    100. 

  100.     kread(kaddr, &val, sizeof(val));
    101. 

  101.     return val;
    102. 

  102. }
    103. 

  103. 

  104. uint32_t rk32(uint64_t kaddr) {
    105. 

  105.   uint32_t val = 0;
    106. 

  106.   kread(kaddr, &val, sizeof(val));
    107. 

  107.   return val;
    108. 

  108. }
    109. 

  109. 

  110. uint64_t rk64(uint64_t kaddr) {
    111. 

  111.   uint64_t val = 0;
    112. 

  112.   kread(kaddr, &val, sizeof(val));
    113. 

  113.   return val;
    114. 

  114. }
    115. 

  115. 

  116. void wk16(uint64_t kaddr, uint16_t val) {
    117. 

  117.     kwrite(kaddr, &val, sizeof(val));
    118. 

  118. }
    119. 

  119. 

  120. void wk32(uint64_t kaddr, uint32_t val) {
    121. 

  121.   kwrite(kaddr, &val, sizeof(val));
    122. 

  122. }
    123. 

  123. 

  124. void wk64(uint64_t kaddr, uint64_t val) {
    125. 

  125.   kwrite(kaddr, &val, sizeof(val));
    126. 

  126. }
    127. 

  127. 

  128. // thx Siguza
    129. 

  129. typedef struct {
    130. 

  130.   uint64_t prev;
    131. 

  131.   uint64_t next;
    132. 

  132.   uint64_t start;
    133. 

  133.   uint64_t end;
    134. 

  134. } kmap_hdr_t;
    135. 

  135. 

  136. uint64_t zm_fix_addr(uint64_t addr) {
    137. 

  137.   static kmap_hdr_t zm_hdr = {0, 0, 0, 0};
    138. 

  138.   if (zm_hdr.start == 0) {
    139. 

  139.     // xxx rk64(0) ?!
    140. 

  140.     uint64_t zone_map = rk64(offset_zonemap);
    141. 

  141.       fprintf(stderr, "zone_map: %llx \n", zone_map);
    142. 

  142.     // hdr is at offset 0x10, mutexes at start
    143. 

  143.     size_t r = kread(zone_map + 0x10, &zm_hdr, sizeof(zm_hdr));
    144. 

  144.     fprintf(stderr, "zm_range: 0x%llx - 0x%llx (read 0x%zx, exp 0x%zx)\n", zm_hdr.start, zm_hdr.end, r, sizeof(zm_hdr));
    145. 

  145. 

  146.     if (r != sizeof(zm_hdr) || zm_hdr.start == 0 || zm_hdr.end == 0) {
    147. 

  147.       fprintf(stderr, "kread of zone_map failed!\n");
    148. 

  148.       exit(1);
    149. 

  149.     }
    150. 

  150. 

  151.     if (zm_hdr.end - zm_hdr.start > 0x100000000) {
    152. 

  152.         fprintf(stderr, "zone_map is too big, sorry.\n");
    153. 

  153.         exit(1);
    154. 

  154.     }
    155. 

  155.   }
    156. 

  156. 

  157.   uint64_t zm_tmp = (zm_hdr.start & 0xffffffff00000000) | ((addr) & 0xffffffff);
    158. 

  158. 

  159.   return zm_tmp < zm_hdr.start ? zm_tmp + 0x100000000 : zm_tmp;
    160. 

  160. }
    161. 

  161. 

  162. int kstrcmp(uint64_t kstr, const char* str) {
    163. 

  163. 	// XXX be safer, dont just assume you wont cause any
    164. 

  164. 	// page faults by this
    165. 

  165. 	size_t len = strlen(str) + 1;
    166. 

  166. 	char *local = (char *)malloc(len + 1);
    167. 

  167. 	local[len] = '\0';
    168. 

  168. 

  169. 	int ret = 1;
    170. 

  170.     
    171. 

  171. 	if (kread(kstr, local, len) == len) {
    172. 

  172. 		ret = strcmp(local, str);
    173. 

  173. 	}
    174. 

  174.     
    175. 

  175. 	free(local);
    176. 

  176. 

  177. 	return ret;
    178. 

  178. }
    179. 

  179.