Host: 10.14.5
VM: 10.12.3
System download address: https://support.apple.com/downloads/macos
KDK download address
Install the KDK on both the host and the VM
1 Restart the Mac and hold Cmd+R until the Apple logo and progress bar appear; when you see the following screen you have entered Recovery mode;
2 In the toolbar at the top of the screen, find Utilities (the third item from the left), open Terminal and enter: csrutil disable;
When turning it on, the value passed is 0x77; when turning it off, the value passed is 0x10
3 Close Terminal and restart the Mac;
4 After restarting, you can check the status in Terminal to confirm.
Copy kernel.development
sh-3.2# cp /Library/Developer/KDKs/KDK_10.12.3_16D32.kdk/System/Library/Kernels/kernel.development /System/Library/Kernels
sh-3.2#
sh-3.2# sudo nvram boot-args="debug=0x141 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"
sh-3.2# uname -v
Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64
sh-3.2# sudo kextcache -invalidate /
kextcache -invalidate /
kextcache -arch x86_64 -local-root -all-loaded -kernel /System/Library/Kernels/kernel -prelinked-kernel /System/Library/PrelinkedKernels/prelinkedkernel -volume-root / /System/Library/Extensions /Library/Extensions
KernelCache ID: 09FF2CA49C380D60383EC01FD001C3E8
symlink("/System/Library/PrelinkedKernels/prelinkedkernel", "/System/Library/Caches/com.apple.kext.caches/Startup/kernelcache") failed 17 (File exists) <createPrelinkedKernel 2795>
kextcache -arch x86_64 -local-root -all-loaded -kernel /System/Library/Kernels/kernel.development -prelinked-kernel /System/Library/PrelinkedKernels/prelinkedkernel.development -volume-root / /System/Library/Extensions /Library/Extensions
KernelCache ID: 86AB7FC438F8BD5ADC5096DF54409B02
sh-3.2# sudo reboot
➜ macos lldb /Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development
(lldb) target create "/Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development"
warning: 'kernel' contains a debug script. To run this script in this debug session:
command script import "/Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development.dSYM/Contents/Resources/Python/kernel.py"
To run all discovered debug scripts in this session:
settings set target.load-script-from-symbol-file true
Current executable set to '/Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development' (x86_64).
(lldb) kdp-remote 192.168.248.139
Version: Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:20 PST 2016; root:xnu-3789.41.3~3/DEVELOPMENT_X86_64; UUID=C85EC12C-F162-3F81-8FB0-53048AF39F02; stext=0xffffff8019400000
Kernel UUID: C85EC12C-F162-3F81-8FB0-53048AF39F02
Load Address: 0xffffff8019400000
WARNING: Unable to locate kernel binary on the debugger system.
Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
frame #0: 0xffffff8019608d07
Here you can see that the VM's XNU kernel version is xnu-3789.41.3
Download the XNU source matching the VM's version, xnu-3789.41.3, here
lldb command reference: https://lldb.llvm.org/use/map.html
Download the XNU source for the version you want to debug. While debugging, LLDB looks for the kernel source under /Library/Caches/com.apple.xbs/Sources/xnu/xnu-…, so you can either place the downloaded source in that directory or create a symbolic link pointing at the source directory. Another option is to set LLDB's target.source-map variable:
settings set target.source-map /Library/Caches/com.apple.xbs/Sources/xnu/xnu-3789.41.3 ~/Desktop/macos/xnu-3789.41.3
I tried both of these, but the breakpoint was not placed at the source location and never hit
breakpoint set --name hfs_vnop_setxattr
thread backtrace
So instead I switched to debugging the source of a kernel extension I compiled myself
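A check worth running before starting lldb, added here as an example and not part of the original post: derive the VM's XNU build tag from its `uname -v` line and pick the KDK on the debugger host whose kernel.development was built from that XNU, then print the lldb commands (target create, the source-map setting from above, kdp-remote). The session above used the 10.14.5 KDK against a 10.12.3 VM, which is the mismatch behind the "Unable to locate kernel binary" warning. The KDK directory used below is a constructed stand-in with text files in place of kernels, and xnu-0000.0.0 is a placeholder tag.

```shell
#!/bin/sh
# Added example, not code from the original post. Pick the KDK on the debugger
# host that matches the target VM's XNU build before starting lldb: the session
# above pointed lldb at the 10.14.5 KDK while the VM ran 10.12.3, which is why
# lldb warned "Unable to locate kernel binary on the debugger system".

# Extract the xnu-N.N.N tag from a `uname -v` line:
# "...; root:xnu-3789.41.3~3/RELEASE_X86_64" -> "xnu-3789.41.3"
xnu_tag() {
    printf '%s\n' "$1" | sed -n 's/.*root:\(xnu-[0-9][0-9.]*\)~.*/\1/p'
}

# Print the kernel.development under KDK root $1 whose embedded version string
# carries tag $2 (read from the binary with grep -a); return 1 if none matches.
find_kdk_kernel() {
    for k in "$1"/KDK_*.kdk/System/Library/Kernels/kernel.development; do
        [ -f "$k" ] || continue
        if grep -aq "root:$2~" "$k"; then printf '%s\n' "$k"; return 0; fi
    done
    return 1
}

# Emit lldb commands for kernel $1, tag $2, local source tree $3 and target IP $4,
# using the target.source-map setting from the post so breakpoints resolve to source.
lldb_cmds() {
    printf 'target create "%s"\n' "$1"
    printf 'settings set target.source-map /Library/Caches/com.apple.xbs/Sources/xnu/%s %s\n' "$2" "$3"
    printf 'kdp-remote %s\n' "$4"
}

# Constructed stand-in for /Library/Developer/KDKs: two fake KDK trees whose
# "kernels" are text files carrying a version string (xnu-0000.0.0 is a placeholder).
make_fake_kdks() {
    for v in "10.12.3_16D32:xnu-3789.41.3~3" "10.14.5_18F131a:xnu-0000.0.0~1"; do
        kd="$1/KDK_${v%%:*}.kdk/System/Library/Kernels"
        mkdir -p "$kd"
        printf 'Darwin Kernel Version; root:%s/DEVELOPMENT_X86_64\n' "${v#*:}" > "$kd/kernel.development"
    done
}

demo() {
    d=$(mktemp -d); make_fake_kdks "$d"
    tag=$(xnu_tag 'Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64')
    k=$(find_kdk_kernel "$d" "$tag") || { echo "no KDK built from $tag; install it first" >&2; rm -rf "$d"; return 1; }
    lldb_cmds "$k" "$tag" "$HOME/Desktop/macos/$tag" 192.168.248.139
    rm -rf "$d"
}
demo
```

On a real debugger host, replace the constructed directory with /Library/Developer/KDKs and feed xnu_tag the VM's actual `uname -v` output.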
References:
Demystifying OS X kernel debugging: https://www.anquanke.com/post/id/86972
https://www.jianshu.com/p/fe78d2036192
https://www.freebuf.com/articles/system/90049.html
Anti-anti-debugging kernel extension:
http://www.alonemonkey.com/2017/11/20/get-start-antidebug-kext/