[@ninjaprawn] Question regarding offsets

[ghost]

Seeing that the xnu kernel uses PIC to randomize data and code locations, how are we meant to find and use the offsets (for kernel instructions) in this if they are in a different location every time?

[stek29]

Just put in unslid address, it would add leaked kaslr slide to it. https://github.com/ninjaprawn/async_awake-fun/blob/2576281e82f3f71699c726f112bf4335924182ed/async_wake_ios/symbols.c#L144

However, this project does not use device-specific offsets at all -- they're only used by "poc kernel debugger" by ian.

[ghost]

Ohhhhh ok thx! Could this type of method be used with other processes that use PIC?

[stek29]

What do you mean by PIC? ASLR? Leaking ASLR shift is important step of exploitation, there are many methods of doing it :)

[ghost]

program independent code (i think thats what its called)

[stek29]

Ah, position independent code. PIC is just a requirement to make ASLR possible.

[ghost]

Ohhh thx

[ghost]

Hey just a quick question about this, why is it subtracting 0xFFFFFFF007004000?

[ninjaprawn]

The TEXT header starts at 0xFFFFFFF007004000 for all 64bit kernels. Since ALSR is applied to the kernel (aka KASLR), we need to find the slide to do things like call functions.