- Notifications
You must be signed in to change notification settings - Fork12
Dump Kext information from Macos. Support batch analysis. The disassembly framework used is Capstone
License
cocoahuke/mackextdump
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Dump Kext information from Macos. Support batch analysis. The disassembly framework used isCapstone
32bit(arm):ioskextdump_32
64bit(aarch64):ioskextdump
64bit(arm):ioskextdump_ios10
Download
git clone https://github.com/cocoahuke/machkextdump.git&&cd machkextdump
Compile and install to /usr/local/bin/
makemake install
Usage
Usage: mackextdump [-s <specify a single exxc file of kext to analysis>] <Extensions folder>-s example:
mackextdump -s /System/Library/Extensions/IOHIDFamily.kext/Contents/MacOS/IOHIDFamilyor batch analysis kexts copy that from/System/Library/Extensions
mackextdump /System/Library/ExtensionsSave the batch analysis output as file, so you got a file that include all kext class, methods name and vtable address, do some searching in this file may give some help to you
mostly rdx are 0xffffffffffffffff, because its super class didn't defined in a same binary file, it reference from outside
All addresses from output are file offset, not virtual memory address
Tested on Macos 10.12.1
Example to use
...******** 43:com.apple.AMDRadeonAccelerator *********/Users/huke/Desktop/mackext_copy/10_12_1_kext/AMDRadeonX3000.kext/Contents/MacOS/AMDRadeonX3000**(0x3c6d8)->OSMetaClass:OSMetaClass call 4 args listrdi:0x567488rsi:AMDR8xxGLContextrdx:0xffffffffffffffffrcx:0x1d58vtable_start: 0x236b00vtable functions:AMDR8xxGLContext_EAMDR8xxGLContext_AMDR8xxGLContext_getMetaClassAMDR8xxGLContext_getTargetAndMethodForIndexIOAccelContext2_getOwningTaskIOAccelContext2_getGPUTaskIOAccelContext2_getOwningTaskPid...