/*
 * Kext start routine: locate the sysent table, then install the syscall
 * hooks and the kauth listener.
 *
 * Returns KERN_FAILURE when find_sysent() yields NULL (nothing is installed
 * in that case), KERN_SUCCESS otherwise. ki and d are unused.
 * NOTE(review): kernel_base is only an out-parameter of find_sysent() here and
 * is not used afterwards; the return values of hook_all_syscalls() and
 * plug_kauth_listener(), if they have any, are not checked, and no matching
 * stop/teardown routine is visible in this chunk -- confirm one exists, since
 * a module that cannot unload cleanly is a stability risk.
 */
kern_return_t grey_fox_start(kmod_info_t *ki, void *d)
{
    (void)ki;
    (void)d;

    LOG_INFO("Rawr, hi kernel!");

    mach_vm_address_t kernel_base = 0;
    _sysent = find_sysent(&kernel_base);
    if (_sysent == NULL) {
        return KERN_FAILURE;
    }

    hook_all_syscalls(_sysent);
    plug_kauth_listener();

    return KERN_SUCCESS;
}
/*
 * THE FUN STARTS HERE
 */

/*
 * Kext start routine: print the banner, register the kernel control used to
 * enable/disable features, then locate sysent and fill in g_kernel_info.
 *
 * Returns KERN_FAILURE if find_sysent() or init_kernel_info() does not return
 * KERN_SUCCESS, KERN_SUCCESS otherwise. ki and d are unused.
 * NOTE(review): install_kern_control() is called before the two checks below,
 * so on either failure return the control stays registered; whether a
 * matching removal exists, and whether install_kern_control() reports errors,
 * is not visible in this chunk -- confirm.
 */
kern_return_t onyx_the_black_cat_start(kmod_info_t *ki, void *d)
{
    (void)ki;
    (void)d;

    printf(" _____ \n"
           "| |___ _ _ _ _ \n"
           "| | | | | |_'_| \n"
           "|_____|_|_|_ |_,_| \n"
           " |___| \n"
           " The Black Cat v%s\n",
           VERSION);

    // install the kernel control so we can enable/disable features
    install_kern_control();

    // locate sysent table, then gather kernel info; the second step only
    // runs when the first succeeded (same order as a two-step check)
    if (find_sysent() != KERN_SUCCESS ||
        init_kernel_info(&g_kernel_info) != KERN_SUCCESS) {
        return KERN_FAILURE;
    }

    // ALL DONE
    return KERN_SUCCESS;
}
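/*
 * Entry point: locate the sysent table by reading kernel memory through
 * /dev/kmem.
 *
 * Steps: require root, detect the kernel type, open /dev/kmem, derive the
 * kernel base from the int80 IDT entry, read the data segment described by
 * process_header() and search it with find_sysent().
 *
 * Exit status: 0 when sysent was found, 1 on any error (including "not
 * found", which the previous version reported as success). All diagnostics
 * go to stderr; only the result goes to stdout, so the address can be
 * captured by a script.
 *
 * Fixes over the previous version: fd_kmem and the read buffer are released
 * on every path (goto cleanup instead of exit()); /dev/kmem is opened
 * read-only because main only ever reads through it; a zero or truncated
 * data_size no longer reaches malloc(); the address is printed as a 64-bit
 * value instead of being cast to void* (truncated on 32-bit builds); the
 * buffer no longer shadows read(2).
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    int rc = 1;
    uint8_t *data = NULL;

    header();

    // /dev/kmem is only readable by root
    if (getuid() != 0) {
        fprintf(stderr, "[ERROR] Please run me as root!\n");
        return 1;
    }

    int8_t kernel_type = get_kernel_type();
    if (kernel_type == -1) {
        fprintf(stderr, "[ERROR] Unable to retrieve kernel type!\n");
        return 1;
    }

    // Least privilege: nothing in this routine writes through fd_kmem
    // (only readkmem() uses it), so a read-only descriptor is sufficient.
    // NOTE(review): if another part of the tool writes through fd_kmem,
    // this must go back to O_RDWR -- confirm.
    if ((fd_kmem = open("/dev/kmem", O_RDONLY)) == -1) {
        fprintf(stderr, "[ERROR] Error while opening /dev/kmem. Is /dev/kmem enabled?\n");
        fprintf(stderr, "Add parameter kmem=1 to /Library/Preferences/SystemConfiguration/com.apple.Boot.plist\n");
        return 1;
    }

    // retrieve int80 address and walk back to the kernel base
    idt_t idt_address = get_addr_idt(kernel_type);
    uint64_t int80_address = calculate_int80address(idt_address, kernel_type);
    uint64_t kernel_base = find_kernel_base(int80_address, kernel_type);
    if (kernel_base == 0) {
        fprintf(stderr, "[ERROR] Could not find kernel base address!\n");
        goto out;
    }

    uint64_t data_address = 0;
    uint64_t data_size = 0;
    process_header(kernel_base, &data_address, &data_size);

    // process_header() may leave the outputs untouched; also refuse a size
    // that does not survive the cast to size_t (32-bit builds)
    size_t read_len = (size_t)data_size;
    if (data_size == 0 || read_len != data_size) {
        fprintf(stderr, "[ERROR] Invalid data segment size!\n");
        goto out;
    }

    data = malloc(read_len);
    if (data == NULL) {
        fprintf(stderr, "[ERROR] Memory allocation failed!\n");
        goto out;
    }

    // read kernel memory and find sysent
    readkmem(fd_kmem, data, data_address, read_len);
    uint64_t sysent_address = find_sysent(data, data_address, data_size);
    if (sysent_address != 0) {
        printf("[OK] Found sysent address at 0x%llx\n",
               (unsigned long long)sysent_address);
        rc = 0;
    } else {
        fprintf(stderr, "[ERROR] Could not find sysent address!\n");
    }

out:
    free(data);
    close(fd_kmem);
    return rc;
}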