I've been messing around with intercepting system calls. Finding examples of kernel extension code that intercepts syscalls is not easy, especially on Mountain Lion. The few that I've found use a hardcoded memory address for the _nsysent variable and use that to track down sysent. From there you can replace the pointer to whatever syscall you please. The location of _nsysent can be found by running "nm -g /mach_kernel | grep _nsysent".
The value at *_nsysent should be decimal 440 (the number of system calls in Mountain Lion). I've verified that that number is stored in /mach_kernel at that address.
Using the "pt_deny_attach" kernel extension as an example (here) I defined the following items at the start of my program:
Code:
#define _NSYSENT_OSX_10_8_0_ 0xffffff8000839818
static int *_nsysent = (int *)_NSYSENT_OSX_10_8_0_;
When I put the following code inside my kernel extension's "start" procedure:
Code:
printf("Found nsysent at %p\n", _nsysent);
And I put "com.apple.kpi.libkern" in the extension's plist file as an OSBundleLibrary.
Everything loads fine and I see the 0xffffff8000839818 value listed in my system logs. But when I change it to:
Code:
printf("Found nsysent at %p (count %d)\n", _nsysent, *_nsysent);
The kernel crashes hard.
As I try to access the value at _nsysent the kernel crashes. Can anyone tell me what I'm doing wrong? Could this be due to ASLR? I figured even if ASLR moved the location of _nsysent there should still be some number at that memory address that would be returned.
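Added example, not part of the original post or the pt_deny_attach extension: a small userland C program that reads nm-style symbol lines to pull out the link-time address of _nsysent and then shows what a kernel ASLR slide does to it. Mountain Lion (10.8) slides the kernel at boot, so the address that "nm -g /mach_kernel" prints is the unslid link-time address, not the run-time one. The sample nm output and the slide value are constructed for this example (only the _nsysent line reuses the address quoted above); the function names are my own.

```c
/* Added example (not code from the original post): parse nm-style symbol
 * lines to find the link-time address of _nsysent, then show how a kernel
 * ASLR slide moves it at run time. The sample nm output and the slide value
 * are constructed for this example; real values come from
 * `nm -g /mach_kernel` and from the booted kernel. Builds with any C compiler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of `nm -g /mach_kernel` output. Only the _nsysent line
 * reuses the address quoted in the post; the neighbouring lines are filler. */
static const char sample_nm_output[] =
    "ffffff8000839810 D _nprocs\n"
    "ffffff8000839818 D _nsysent\n"
    "ffffff8000839820 D _maxproc\n";

/* Search nm output for a global symbol and return its link-time address,
 * or 0 if the symbol is absent. Each line is "<hex address> <type> <name>". */
uint64_t nm_symbol_address(const char *nm_output, const char *symbol) {
    const char *line = nm_output;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            unsigned long long addr;
            char type;
            char name[256];
            if (sscanf(buf, "%llx %c %255s", &addr, &type, name) == 3 &&
                strcmp(name, symbol) == 0)
                return (uint64_t)addr;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Link-time address plus the boot-time KASLR slide gives the run-time address. */
uint64_t apply_kaslr_slide(uint64_t link_time_addr, uint64_t slide) {
    return link_time_addr + slide;
}

int main(void) {
    uint64_t unslid = nm_symbol_address(sample_nm_output, "_nsysent");
    /* Hypothetical slide: the real value is chosen by the kernel at boot. */
    uint64_t hypothetical_slide = 0x1e00000ULL;
    uint64_t slid = apply_kaslr_slide(unslid, hypothetical_slide);

    printf("nm reports _nsysent at 0x%llx (link-time address)\n",
           (unsigned long long)unslid);
    printf("with a slide of 0x%llx it lives at 0x%llx at run time\n",
           (unsigned long long)hypothetical_slide, (unsigned long long)slid);
    printf("dereferencing the hard-coded 0x%llx touches memory the running kernel\n"
           "need not have mapped, so the result is a panic, not a wrong count\n",
           (unsigned long long)unslid);
    return 0;
}
```

The printf of the pointer value in the post succeeds because printing a number never touches memory; it is the dereference in the second printf that faults. The program above only does the address arithmetic so it can be compiled and run in userland.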