LouisBrunner/kernel_slide.d

## kernel_slide.d
// Run using `dtrace -s ./kernel_slide.d -c ls`
// README:
//  1. You might need to run it twice to get your kernel version and the proc_ucred offset within kauth_cred_proc_ref.
//  2. Then fill up KauthCredProcRef and ProcUcredOffsetInKauthCredProcRef and run it again.
//  3. ???
//  4. Profit!

#pragma D option quiet

// Use nm -A /System/Library/Kernels/kernel.release.YOUR_VERSION
// You can find your version using the stacktrace of this very command
// Then add the address of `kauth_cred_proc_ref`
inline int KauthCredProcRef = 0xfffffe00077c573c;

// You can get this from the same stacktrace as the kernel version.
// Probably macOS version specific, sorry.
inline int ProcUcredOffsetInKauthCredProcRef = 0x44;

fbt:mach_kernel:kauth_cred_proc_ref:entry
{
  self->read = 1;
}

fbt:mach_kernel:proc_ucred:entry
/self->read/
{
  printf("Slide: 0x%x\n", caller - KauthCredProcRef - ProcUcredOffsetInKauthCredProcRef);
  stack();
  exit(0);
}
	// Run using `dtrace -s ./kernel_slide.d -c ls`
	// README:
	// 1. You might need to run it twice to get your kernel version and the proc_ucred offset within kauth_cred_proc_ref.
	// 2. Then fill up KauthCredProcRef and ProcUcredOffsetInKauthCredProcRef and run it again.
	// 3. ???
	// 4. Profit!

	#pragma D option quiet

	// Use nm -A /System/Library/Kernels/kernel.release.YOUR_VERSION
	// You can find your version using the stacktrace of this very command
	// Then add the address of `kauth_cred_proc_ref`
	inline int KauthCredProcRef = 0xfffffe00077c573c;

	// You can get this from the same stacktrace as the kernel version.
	// Probably macOS version specific, sorry.
	inline int ProcUcredOffsetInKauthCredProcRef = 0x44;

	fbt:mach_kernel:kauth_cred_proc_ref:entry
	{
	self->read = 1;
	}

	fbt:mach_kernel:proc_ucred:entry
	/self->read/
	{
	printf("Slide: 0x%x\n", caller - KauthCredProcRef - ProcUcredOffsetInKauthCredProcRef);
	stack();
	exit(0);
	}