#
# ida_kernelcache/kernel.py
# Brandon Azad
#
# The kernel module holds functions and global variables pertaining to the kernel as a whole. No
# prior initialization via ida_kernelcache is necessary.
#
import idc
import idautils
import idaapi
import ida_utilities as idau
import kplist
_log = idau.make_log(0, __name__)
def find_kernel_base():
"""Find the kernel base."""
return idaapi.get_fileregion_ea(0)
base = find_kernel_base()
"""The kernel base address (the address of the main kernel Mach-O header)."""
def _find_prelink_info_segments():
"""Find all candidate __PRELINK_INFO segments (or sections).
We try to identify any IDA segments with __PRELINK_INFO in the name so that this function will
work both before and after automatic rename. A more reliable method would be parsing the
Mach-O.
"""
segments = []
# Gather a list of all the possible segments.
for seg in idautils.Segments():
name = idc.SegName(seg)
if '__PRELINK_INFO' in name or name == '__info':
segments.append(seg)
if len(segments) < 1:
_log(0, 'Could not find any __PRELINK_INFO segment candidates')
elif len(segments) > 1:
_log(1, 'Multiple segment names contain __PRELINK_INFO: {}',
[idc.SegName(seg) for seg in segments])
return segments
def parse_prelink_info():
"""Find and parse the kernel __PRELINK_INFO dictionary."""
segments = _find_prelink_info_segments()
for segment in segments:
prelink_info_string = idc.GetString(segment)
prelink_info = kplist.kplist_parse(prelink_info_string)
if prelink_info:
return prelink_info
_log(0, 'Could not find __PRELINK_INFO')
return None
prelink_info = parse_prelink_info()
"""The kernel __PRELINK_INFO dictionary."""
KC_11_NORMAL = '11-normal'
KC_12_MERGED = '12-merged'
def _get_kernelcache_format():
if '_PrelinkLinkKASLROffsets' in prelink_info:
return KC_11_NORMAL
return KC_12_MERGED
kernelcache_format = _get_kernelcache_format()
