+------------------+
|These push their | +-----------------------+
|respective syscall| |This overwrites the |
|dispatch functions| |saved dispatch function|
|onto the stack | |with hndl_alltraps |
yrp604
/ xnu-syscall-life-amd64.md
Last active
October 2, 2023 15:59
The life of an XNU unix syscall on amd64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Created to make RE-ing XPC a bit easier (in a shitty way) | |
| # yes, somethings are hard-coded but I've done it because I don't want to spend more time on this | |
| # created by Abraham Masri @cheesecakeufo | |
| import re | |
| import idaapi | |
| import idautils | |
| paths = ["/usr/include/xpc/xpc.h", | |
| "/usr/include/xpc/activity.h", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/stat.h> | |
| #include <unistd.h> | |
| #include <mach/mach.h> | |
| #include <mach/mach_vm.h> | |
| #include <dlfcn.h> | |
| #include <objc/runtime.h> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If you have a list of edge hashes produced by AFL (e.g. from something like this): | |
| ./afl-showmap -o foo.edges -t 500 -q -e -- ./program arg1 | |
| Re-run the program using gdb to trace the sequence of block IDs: | |
| ./collect_coverage.sh trace.txt ./program arg1 | |
| Print edges in the trace: |