Compute iOS XNU offset from kernel cache
2 days ago
- #XNU offsets
- #reverse engineering
- #kernel exploitation
- The article presents a methodology for extracting kernel struct offsets from stripped kernelcaches, starting with kernel read/write primitives and locating the Mach-O signature.
- Key steps include using the XNU source as a reference, identifying anchor points like global variables (e.g., allproc, kernproc) via ARM64 instructions such as adrp/ldr, and leveraging accessor functions (e.g., proc_pid) to reveal field offsets.
- Iterator and constructor functions (e.g., proc_iterate, socreate_internal) help uncover struct layouts, while syscall implementations (e.g., chdir) provide insights into field offsets and inline vs. pointer structures.
- Zone ID validation (e.g., zone_id_require_ro_panic) identifies protected structures (e.g., proc_ro), and pointer chain analysis enables traversal between kernel objects without direct accessors.
- Hash tables (e.g., from _proc_find) and ARM64 instruction analysis aid in recovering complex data structures, with practical tips emphasizing function clusters and field size determination from assembly.
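Added example (not code from the article): decoding the two ARM64 patterns the summary leans on, a proc_pid-style accessor (`ldr w0, [x0, #off]; ret`) that gives a field offset, and an `adrp`/`ldr` pair that gives a global's address. The instruction bytes and the load address are constructed for illustration, not taken from a real kernelcache.

```python
import struct

ADRP_MASK, ADRP_VAL = 0x9F000000, 0x90000000   # ADRP Xd, <page>
LDR_MASK, LDR_VAL = 0xBFC00000, 0xB9400000     # LDR Wt|Xt, [Xn, #imm12*scale]
RET = 0xD65F03C0

def decode_adrp(insn, pc):
    """(rd, page_address) for an ADRP located at address pc, else None."""
    if insn & ADRP_MASK != ADRP_VAL:
        return None
    imm = (((insn >> 5) & 0x7FFFF) << 2) | ((insn >> 29) & 3)  # immhi:immlo
    if imm & (1 << 20):
        imm -= 1 << 21                                          # sign-extend 21 bits
    return insn & 0x1F, (pc & ~0xFFF) + (imm << 12)

def decode_ldr_uimm(insn):
    """(rt, rn, byte_offset, access_size) for LDR unsigned-offset, else None."""
    if insn & LDR_MASK != LDR_VAL:
        return None
    scale = 8 if (insn >> 30) & 1 else 4                        # X (8-byte) vs W (4-byte) load
    return insn & 0x1F, (insn >> 5) & 0x1F, ((insn >> 10) & 0xFFF) * scale, scale

def words(code):
    return struct.unpack("<%dI" % (len(code) // 4), code)     # little-endian A64 words

def accessor_field_offset(code):
    """proc_pid-style accessor 'ldr w0|x0, [x0, #off]; ret' -> (off, field_size)."""
    w = words(code)
    ldr = decode_ldr_uimm(w[0])
    if ldr and ldr[0] == 0 and ldr[1] == 0 and len(w) > 1 and w[1] == RET:
        return ldr[2], ldr[3]                                   # field size tells int vs pointer
    return None

def resolve_global(code, pc):
    """'adrp Xn, page; ldr Xm, [Xn, #off]' -> address of the global, else None."""
    w = words(code)
    adrp = decode_adrp(w[0], pc)
    if adrp is None:
        return None
    rd, page = adrp
    nxt = decode_ldr_uimm(w[1])
    if nxt is None or nxt[1] != rd:                             # base must be the adrp's Xd
        return None
    return page + nxt[2]

# Constructed sample bytes (hypothetical encodings, not from any real kernelcache):
PROC_PID_STUB = struct.pack("<II", 0xB9406000, RET)             # ldr w0, [x0, #0x60]; ret
ALLPROC_LOAD = struct.pack("<II", 0x90005168, 0xF9403D08)       # adrp x8, pg; ldr x8, [x8, #0x78]
```

With the stub above, `accessor_field_offset` yields offset 0x60 with a 4-byte field, and `resolve_global` at a constructed pc of 0xFFFFFFF007004000 yields 0xFFFFFFF007A30078; real accessors and global loads need the same check against the surrounding function (prologue, multiple loads) before the value is trusted.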