bazad / memctl

An iOS kernel introspection tool.
https://bazad.github.io/2017/09/live-kernel-introspection-ios/
MIT License
236 stars, 29 forks

Can't find functions #12

Open Ultra03 opened 5 years ago

Ultra03 commented 5 years ago

So upon executing certain commands (I'm on an iPhone 6 on iOS 12.1.1), such as fpr, fc, or even just reading, memctl prints this out:

warning: could not find _bzero_phys
warning: could not find _pthread_kext_register
warning: could not find __FREE
Assertion failed: (kr == KEXT_SUCCESS), function ksim_set_pc, file src/libmemctl/arm64/ksim.c, line 307.
deinitialized
Abort trap: 6

I'm not really sure what's wrong here. Any ideas?

bazad commented 5 years ago

My guess is that this is a bug related to the new (as of iOS 12) merged kernelcache format, which is causing libmemctl to unexpectedly fail to find the kext Mach-O corresponding to a given address.

Unfortunately I don't have a device I can test on. Are you able to get a backtrace on the crash to see who called ksim_set_pc? My guess is it should be coming from kernel_find_kauth_cred_setsvuidgid.

Ultra03 commented 5 years ago

Yeah, looks like kernel_find_kauth_cred_setsvuidgid is the most likely/only suspect, as (looking at the warnings) all of the other methods that call ksim_set_pc would've returned before getting to that point.

I couldn't be sure why though, as I'm not super well-versed in stuff at this level. I'm actually planning on using memctl as a tool while learning more about XNU.