macOS Kext: Replace kernel functions

[Codeaholic]

Hi,

I've 'fixed' a bug in a XNU function. Now I'm looking for a way to apply this fix with a kernel module/kext. I can't be bothered to compile after every Apple update a new kernel with my fix. So I want to write a kext which replaces the old function with my function. I've done this for many times on Solaris and Linux but I'm a newbie in the XNU world.

I guess all what I need is a way (example code that works would be helpful!) to access the kernel symbol address table. With the address of the old function I should be able to patch a Jump into the function that points to my new function. Very evil, I know.

Does somebody did something like this? Please let me know, if you have any idea.

 

[Madd the Sane]

If you've found a bug in the kernel, file a bug report at bugreport.apple.com, as well as post the patch on Apple's kernel mailing list.

 

[Codeaholic]

If you've found a bug in the kernel, file a bug report at bugreport.apple.com, as well as post the patch on Apple's kernel mailing list.

Yes, but first I want to check my fix with a kext. I guess it would be a nice exercise as well.

Does somebody has an idea?

 

[Codeaholic]

After lots of googling, I've found one paper which has some interesting approaches: http://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-bosse_eriksson-kernel_patching_on_osx.pdf

It's mainly written for patching syscalls but that's ok. It should also work for functions.

Anyway, any other information regarding this topic would be nice.