xerub/kbase.c

## kbase.c
/*
 *  Copyright (c) 2015, 2016 xerub
 */

#ifdef __LP64__
#define KDELTA 0x4000 /* XXX 7.x-8.x: 0x2000 */
#else
#define KDELTA 0x1000
#endif

static vm_address_t
get_kernel_base(task_t *kernel_task)
{
    kern_return_t rv;
    vm_region_submap_info_data_64_t info;
    vm_size_t size;
    mach_msg_type_number_t info_count = VM_REGION_SUBMAP_INFO_COUNT_64;
    unsigned int depth = 0;
    vm_address_t addr = 0x81200000; /* arm64: addr = 0xffffff8000000000 */

#ifdef HOST_KERNEL_PORT
    *kernel_task = 0;
    rv = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, HOST_KERNEL_PORT, kernel_task);
    if (rv != KERN_SUCCESS || *kernel_task == 0)
#endif
    rv = task_for_pid(mach_task_self(), 0, kernel_task);
    if (rv != KERN_SUCCESS) {
        return -1;
    }

    while ((rv = vm_region_recurse_64(*kernel_task, &addr, &size, &depth, (vm_region_info_t)&info, &info_count)) == KERN_SUCCESS) {
        if (size > 1024 * 1024 * 1024) {
#ifdef __LP64__
            vm_address_t where = 16 * 0x200000;
#else
            vm_address_t where = 1 * 0x200000;
#endif
            for (where += addr; where >= addr; where -= 0x200000) {
                vm_size_t sz;
                uint8_t head[2048];
                sz = sizeof(head);
                rv = vm_read_overwrite(*kernel_task, where + KDELTA, sizeof(head), (vm_address_t)head, &sz);
                if (rv == 0 && sz == sizeof(head) && (*(uint32_t *)head & ~1) == 0xfeedface
                    && boyermoore_horspool_memmem(head, sizeof(head), (const uint8_t *)"__KLD", 5)) {
                    return where + KDELTA;
                }
#ifdef __LP64__
                sz = sizeof(head);
                rv = vm_read_overwrite(*kernel_task, where + KDELTA / 2, sizeof(head), (vm_address_t)head, &sz);
                if (rv == 0 && sz == sizeof(head) && (*(uint32_t *)head & ~1) == 0xfeedface
                    && boyermoore_horspool_memmem(head, sizeof(head), (const uint8_t *)"__KLD", 5)) {
                    return where + KDELTA / 2;
                }
#endif
            }
            break;
        }
        addr += size;
    }

    return -1;
}
	/*
	* Copyright (c) 2015, 2016 xerub
	*/

	#ifdef __LP64__
	#define KDELTA 0x4000 /* XXX 7.x-8.x: 0x2000 */
	#else
	#define KDELTA 0x1000
	#endif

	static vm_address_t
	get_kernel_base(task_t *kernel_task)
	{
	kern_return_t rv;
	vm_region_submap_info_data_64_t info;
	vm_size_t size;
	mach_msg_type_number_t info_count = VM_REGION_SUBMAP_INFO_COUNT_64;
	unsigned int depth = 0;
	vm_address_t addr = 0x81200000; /* arm64: addr = 0xffffff8000000000 */

	#ifdef HOST_KERNEL_PORT
	*kernel_task = 0;
	rv = host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, HOST_KERNEL_PORT, kernel_task);
	if (rv != KERN_SUCCESS \|\| *kernel_task == 0)
	#endif
	rv = task_for_pid(mach_task_self(), 0, kernel_task);
	if (rv != KERN_SUCCESS) {
	return -1;
	}

	while ((rv = vm_region_recurse_64(*kernel_task, &addr, &size, &depth, (vm_region_info_t)&info, &info_count)) == KERN_SUCCESS) {
	if (size > 1024 * 1024 * 1024) {
	#ifdef __LP64__
	vm_address_t where = 16 * 0x200000;
	#else
	vm_address_t where = 1 * 0x200000;
	#endif
	for (where += addr; where >= addr; where -= 0x200000) {
	vm_size_t sz;
	uint8_t head[2048];
	sz = sizeof(head);
	rv = vm_read_overwrite(*kernel_task, where + KDELTA, sizeof(head), (vm_address_t)head, &sz);
	if (rv == 0 && sz == sizeof(head) && ((uint32_t )head & ~1) == 0xfeedface
	&& boyermoore_horspool_memmem(head, sizeof(head), (const uint8_t *)"__KLD", 5)) {
	return where + KDELTA;
	}
	#ifdef __LP64__
	sz = sizeof(head);
	rv = vm_read_overwrite(*kernel_task, where + KDELTA / 2, sizeof(head), (vm_address_t)head, &sz);
	if (rv == 0 && sz == sizeof(head) && ((uint32_t )head & ~1) == 0xfeedface
	&& boyermoore_horspool_memmem(head, sizeof(head), (const uint8_t *)"__KLD", 5)) {
	return where + KDELTA / 2;
	}
	#endif
	}
	break;
	}
	addr += size;
	}

	return -1;
	}