import lldb
from kernel import Kernel
from macho import *
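class Kext:
    """A kernel extension whose Mach-O load commands are parsed from target memory.

    On construction the ``mach_header_64`` at ``base`` is read through
    ``Kernel.Read`` and every ``LC_SEGMENT_64`` command is recorded in
    ``self.segments`` as ``segname -> (segment_command_64, [section_64, ...])``.

    Every field parsed here comes from the debuggee's memory, so the sizes and
    counts are treated as untrusted and checked before they drive more reads.
    """

    def __init__(self, target, process, kernel, base, size, name):
        """Store the debugger handles and parse the image at ``base``.

        Args:
            target: stored as ``self.target``; not used by the code shown here.
            process: process handle handed to ``Kernel.Read``.
            kernel: stored as ``self.kernel``; not used by the code shown here.
            base: address of the kext's ``mach_header_64``.
            size: accepted for interface compatibility; not stored or used.
            name: stored as ``self.name``.
        """
        self.target = target
        self.process = process
        self.kernel = kernel
        self.base = base
        self.name = name
        self.segments = {}
        self.ProcessMachO()

    def ProcessMachO(self):
        """Walk the load commands and fill ``self.segments``.

        Parsing stops, with a printed warning, at the first load command whose
        ``cmdsize`` is smaller than the structure it claims to hold. A section
        count that does not fit inside ``cmdsize`` is clamped to what fits.
        Names are decoded with ``errors="replace"`` so stray bytes cannot
        abort the walk.

        Returns:
            Always 0: the ``size`` accumulator is never updated. Kept so that
            existing callers see the same return value.
        """
        size = 0
        command_len = ctypes.sizeof(load_command)
        segment_len = ctypes.sizeof(segment_command_64)
        section_len = ctypes.sizeof(section_64)

        current_addr = self.base
        mh = mach_header_64.from_buffer_copy(
            Kernel.Read(self.process, current_addr, ctypes.sizeof(mach_header_64)))
        current_addr += ctypes.sizeof(mach_header_64)

        # NOTE(review): ncmds is taken from target memory as-is; only the
        # per-command size checks below bound the walk.
        for _ in range(mh.ncmds):
            cmd = load_command.from_buffer_copy(
                Kernel.Read(self.process, current_addr, command_len))

            # A command shorter than its own header would make the cursor
            # stall (cmdsize == 0) or land inside the previous command.
            required = segment_len if cmd.cmd == LC_SEGMENT_64 else command_len
            if cmd.cmdsize < required:
                print('%s: malformed load command at 0x%x (cmdsize 0x%x), parsing stopped'
                      % (self.name, current_addr, cmd.cmdsize))
                break

            if cmd.cmd == LC_SEGMENT_64:
                segment = segment_command_64.from_buffer_copy(
                    Kernel.Read(self.process, current_addr, segment_len))

                # The section headers must lie inside this command; never read
                # more of them than cmdsize leaves room for.
                fits = (cmd.cmdsize - segment_len) // section_len
                nsects = segment.nsects
                if nsects > fits:
                    print('%s: nsects %d exceeds cmdsize at 0x%x, reading %d'
                          % (self.name, nsects, current_addr, fits))
                    nsects = fits

                sects = []
                sect_addr = current_addr + segment_len
                for _ in range(nsects):
                    sect = section_64.from_buffer_copy(
                        Kernel.Read(self.process, sect_addr, section_len))
                    sects.append(sect)
                    print('%s 0x%x 0x%x' % (sect.sectname.decode("utf-8", errors="replace"),
                                            sect.addr, sect.addr + sect.size))
                    sect_addr += section_len

                segname = segment.segname.decode("utf-8", errors="replace")
                self.segments[segname] = (segment, sects)

            current_addr += cmd.cmdsize
        return size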