Can anyone tell me why this code doesn't work? (Kernel Extensions)

I've been messing around with intercepting system calls. Finding examples of kernel extension code that intercepts syscalls is not easy, especially on Mountain Lion. The few that I've found use a hardcoded memory address for the _nsysent variable and use that to track down sysent. From there you can replace the pointer to whatever syscall you please. The location of _nsysent can be found by running "nm -g /mach_kernel | grep _nsysent".

The value at *_nsysent should be decimal 440 (the number of system calls in Mountain Lion). I've verified that that number is stored in /mach_kernel at that address.

Using the "pt_deny_attach" kernel extension as an example (here) I defined the following items at the start of my program:

Code:

#define _NSYSENT_OSX_10_8_0_  0xffffff8000839818
static int *_nsysent = (int *)_NSYSENT_OSX_10_8_0_;

When I put the following code inside my kernel extensions "start" procedure:

Code:

printf("Found nsysent at %p\n", _nsysent);

And I put "com.apple.kpi.libkern" in the extensions plist file as an OSBundledLibrary.

Everything loads fine and I see the 0xffffff8000839818 value listed in my system logs. But when I change it to:

Code:

printf("Found nsysent at %p (count %d)\n", _nsysent, *_nsysent);

The kernel crashes hard.

As I try to access the value at _nsysent the kernel crashes. Can anyone tell me what I'm doing wrong? Could this be due to ASLR? I figured even if ASLR moved the location of _nsysent there should still be some number at that memory address that would be returned.

 

I've been involved in the computer security field for several decades now, but your condescension is appreciated. If you're referring to the Blackhat briefings or similar talks about MacOS rootkits, those techniques do not currently work on Mountain Lion with the current linker.

I'll never understand what it is about Internet message boards that causes people to make baseless allegations against people they're never met.