Kezdőlap Felfedezés Súgó
Bejelentkezés
NitoTV
/
merdian
Figyelés 3
Kedvenc 0
Másolás 0
Fájlok Problémák 0 Beolvasztási kérések 1 Wiki
Branch: master
Branch-ok Tag-ek
merdian
/
Meridian
/
meridianTV
/
kpp
/
kppkernel.m

kppkernel.m 4.5 KB
Állandó hivatkozás Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177 
  1. //
    2. 

  2. //  kernel.m
    3. 

  3. //  g0blin
    4. 

  4. //
    5. 

  5. //  Created by Ben on 16/12/2017.
    6. 

  6. //
    7. 

  7. 

  8. #include "kppkernel.h"
    9. 

  9. #include "kppcommon.h"
    10. 

  10. #include <mach/mach.h>
    11. 

  11. 

  12. static task_t tfp0;
    13. 

  13. 

  14. void kpp_init_kernel(task_t task_for_port0) {
    15. 

  15.     tfp0 = task_for_port0;
    16. 

  16. }
    17. 

  17. 

  18. size_t tfp0_kpp_kread(uint64_t where, void *p, size_t size)
    19. 

  19. {
    20. 

  20.     int rv;
    21. 

  21.     size_t offset = 0;
    22. 

  22.     while (offset < size) {
    23. 

  23.         mach_vm_size_t sz, chunk = 2048;
    24. 

  24.         if (chunk > size - offset) {
    25. 

  25.             chunk = size - offset;
    26. 

  26.         }
    27. 

  27.         rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
    28. 

  28.         
    29. 

  29.         if (rv || sz == 0) {
    30. 

  30.             break;
    31. 

  31.         }
    32. 

  32.         
    33. 

  33.         offset += sz;
    34. 

  34.     }
    35. 

  35.     return offset;
    36. 

  36. }
    37. 

  37. 

  38. uint64_t kpp_rk64(uint64_t kaddr) {
    39. 

  39.     uint64_t lower = kpp_rk32(kaddr);
    40. 

  40.     uint64_t higher = kpp_rk32(kaddr + 4);
    41. 

  41.     return ((higher << 32) | lower);
    42. 

  42. }
    43. 

  43. 

  44. uint32_t kpp_rk32(uint64_t kaddr) {
    45. 

  45.     kern_return_t err;
    46. 

  46.     uint32_t val = 0;
    47. 

  47.     mach_vm_size_t outsize = 0;
    48. 

  48.     
    49. 

  49.     // mach (for kern r/w primitives)
    50. 

  50.     kern_return_t mach_vm_write(vm_map_t target_task,
    51. 

  51.                                 mach_vm_address_t address,
    52. 

  52.                                 vm_offset_t data,
    53. 

  53.                                 mach_msg_type_number_t dataCnt);
    54. 

  54. 

  55.     err = mach_vm_read_overwrite(tfp0,
    56. 

  56.                                  (mach_vm_address_t)kaddr,
    57. 

  57.                                  (mach_vm_size_t)sizeof(uint32_t),
    58. 

  58.                                  (mach_vm_address_t)&val,
    59. 

  59.                                  &outsize);
    60. 

  60.     
    61. 

  61.     if (err != KERN_SUCCESS) {
    62. 

  62.         // printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
    63. 

  63.         // sleep(3);
    64. 

  64.         return 0;
    65. 

  65.     }
    66. 

  66.     
    67. 

  67.     if (outsize != sizeof(uint32_t)) {
    68. 

  68.         // printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
    69. 

  69.         // sleep(3);
    70. 

  70.         return 0;
    71. 

  71.     }
    72. 

  72.     
    73. 

  73.     return val;
    74. 

  74. }
    75. 

  75. 

  76. void kpp_wk64(uint64_t kaddr, uint64_t val) {
    77. 

  77.     uint32_t lower = (uint32_t)(val & 0xffffffff);
    78. 

  78.     uint32_t higher = (uint32_t)(val >> 32);
    79. 

  79.     kpp_wk32(kaddr, lower);
    80. 

  80.     kpp_wk32(kaddr + 4, higher);
    81. 

  81. }
    82. 

  82. 

  83. void kpp_wk32(uint64_t kaddr, uint32_t val) {
    84. 

  84.     if (tfp0 == MACH_PORT_NULL) {
    85. 

  85.         // printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
    86. 

  86.         // sleep(3);
    87. 

  87.         return;
    88. 

  88.     }
    89. 

  89.     
    90. 

  90.     kern_return_t err;
    91. 

  91.     err = mach_vm_write(tfp0,
    92. 

  92.                         (mach_vm_address_t)kaddr,
    93. 

  93.                         (vm_offset_t)&val,
    94. 

  94.                         (mach_msg_type_number_t)sizeof(uint32_t));
    95. 

  95.     
    96. 

  96.     if (err != KERN_SUCCESS) {
    97. 

  97.         // printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
    98. 

  98.         return;
    99. 

  99.     }
    100. 

  100. }
    101. 

  101. 

  102. 

  103. size_t
    104. 

  104. kpp_kread(uint64_t where, void *p, size_t size)
    105. 

  105. {
    106. 

  106.     
    107. 

  107.     if(tfp0 == MACH_PORT_NULL) {
    108. 

  108.         printf("[ERROR]: tfp0's port is null!\n");
    109. 

  109.     }
    110. 

  110.     
    111. 

  111.     int rv;
    112. 

  112.     size_t offset = 0;
    113. 

  113.     while (offset < size) {
    114. 

  114.         mach_vm_size_t sz, chunk = 2048;
    115. 

  115.         if (chunk > size - offset) {
    116. 

  116.             chunk = size - offset;
    117. 

  117.         }
    118. 

  118.         rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
    119. 

  119.         
    120. 

  120.         if (rv || sz == 0) {
    121. 

  121.             printf("[ERROR]: error reading buffer at @%p\n", (void *)(offset + where));
    122. 

  122.             break;
    123. 

  123.         }
    124. 

  124.         offset += sz;
    125. 

  125.     }
    126. 

  126.     return offset;
    127. 

  127. }
    128. 

  128. 

  129. uint64_t
    130. 

  130. kread_uint64(uint64_t where)
    131. 

  131. {
    132. 

  132.     uint64_t value = 0;
    133. 

  133.     size_t sz = kpp_kread(where, &value, sizeof(value));
    134. 

  134.     return (sz == sizeof(value)) ? value : 0;
    135. 

  135. }
    136. 

  136. 

  137. uint32_t
    138. 

  138. kread_uint32(uint64_t where)
    139. 

  139. {
    140. 

  140.     uint32_t value = 0;
    141. 

  141.     size_t sz = kpp_kread(where, &value, sizeof(value));
    142. 

  142.     return (sz == sizeof(value)) ? value : 0;
    143. 

  143. }
    144. 

  144. 

  145. 

  146. size_t kpp_kwrite(uint64_t where, const void *p, size_t size) {
    147. 

  147.     int rv;
    148. 

  148.     size_t offset = 0;
    149. 

  149.     while (offset < size) {
    150. 

  150.         size_t chunk = 2048;
    151. 

  151.         if (chunk > size - offset) {
    152. 

  152.             chunk = size - offset;
    153. 

  153.         }
    154. 

  154.         rv = mach_vm_write(tfp0,
    155. 

  155.                            where + offset,
    156. 

  156.                            (mach_vm_offset_t)p + offset,
    157. 

  157.                            (mach_msg_type_number_t)chunk);
    158. 

  158.         
    159. 

  159.         if (rv) {
    160. 

  160.             printf("[kernel] error copying buffer into region: @%p \n", (void *)(offset + where));
    161. 

  161.                    break;
    162. 

  162.         }
    163. 

  163.         
    164. 

  164.         offset +=chunk;
    165. 

  165.     }
    166. 

  166.     
    167. 

  167.     return offset;
    168. 

  168. }
    169. 

  169. 

  170. size_t kwrite_uint64(uint64_t where, uint64_t value) {
    171. 

  171.     return kpp_kwrite(where, &value, sizeof(value));
    172. 

  172. }
    173. 

  173. 

  174. size_t kwrite_uint32(uint64_t where, uint32_t value) {
    175. 

  175.     return kpp_kwrite(where, &value, sizeof(value));
    176. 

  176. }
    177. 

  177.