如何从Kext访问未导出的符号? [英] How to access unexported symbol from Kext?
问题描述
我试图在运行11.4 Beta(20F5046g)Big Sur的M1机器上加载kext模块,并在kext模块加载时遇到一些关于绑定的错误消息.
I tried to load kext module on M1 machine running 11.4 Beta (20F5046g) Big Sur and encounter some error messages on binding at kext module loading.
首先,要访问从苹果的kext模块com.apple.kpi.unsupported导出的内核函数,我使用了以下extern声明.
First, to access the kernel functions exported from apple's kext module, com.apple.kpi.unsupported, I used the below extern declaration.
extern int cpu_number(void);
此外,我在info.plist中添加了com.apple.kpi.unsupported
Also, I added the com.apple.kpi.unsupported on the info.plist
<key>OSBundleLibraries</key>
<dict>
<key>com.apple.kpi.libkern</key>
<string>20.5</string>
<key>com.apple.kpi.unsupported</key>
<string>20.5.0</string>
</dict>
编译不会引发任何错误,但是当我尝试加载模块时,它将在消息下方显示.
The compilation doesn't raise any errors, but when I try to load the module, it prints below message.
Error Domain=KMErrorDomain Code=31 "Error occurred while building a collection:
1: One or more binaries has an error which prevented linking. See other errors.
2: Could not use 'kext' because: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
kext specific:
1: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
" UserInfo={NSLocalizedDescription=Error occurred while building a collection:
1: One or more binaries has an error which prevented linking. See other errors.
2: Could not use 'kext' because: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
kext specific:
1: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
我可以访问内核符号列表中指定但未从Apple的kext模块导出的内核符号吗?
我还想访问名为 SecureDTInitEntryIterator 的内核函数.我发现该符号列在/System/Library/Kernels/kernel中的内核符号上.但是,$ kextfind -defines-symbol _SecureDTIterateEntries不会返回任何相应的kext模块名称.
Can I access the kernel symbol specified in the kernel symbol list but not exported from apple's kext module?
I also would like to access kernel function called SecureDTInitEntryIterator. I found that this symbol is listed on the kernel symbol located in the /System/Library/Kernels/kernel. However, $kextfind -defines-symbol _SecureDTIterateEntries doesn't return any corresponding kext module names.
作为IOS新手,我想这个符号不会从任何苹果的kexy模块中导出.有什么办法可以从我的kext模块访问此功能吗?我想我可以使用函数原型将类型符号位于内核空间内的地址进行类型转换,但是我正在寻找一种系统的方法(如果存在).
As an IOS newbie, I guess that this symbol is not exported from any apple's kexy module. Is there any way to access this function from my kext module? I think I can just type cast the address where the symbol is located within the kernel space with the function prototype, but I am looking for a systematic approach if there exists.
推荐答案
我刚刚检查了一下,关键的细节似乎是您正在尝试在arm64/aarch64上访问此功能.事实证明,它以不受支持"的格式导出.适用于x86_64的KPI,但不适用于arm64:
I have just checked, and the crucial detail appears to be that you are trying to access this function on arm64/aarch64. As it turns out, it's exported in the "unsupported" KPI for x86_64, but not on arm64:
没有直接的方法可以访问未导出的符号.如果您知道正在运行的内核的确切版本中符号的偏移量,则应该能够通过从已知函数地址偏移量来计算地址.至少,这在x86-64上有效.由于PAC(指针身份验证),arm64可能需要额外的精力.
There's no straightforward way of accessing unexported symbols. If you know the offset of a symbol in the exact version of the running kernel, you should be able to compute the address by offsetting from a known function address; at least, this worked on x86-64. arm64 may require extra effort due to PAC (pointer authentication).
由于这会绕开Apple的政策,因此我不建议在运输产品中使用这种技术.
As this circumvents Apple's policies, I don't recommend using this type of technique in a shipping product.
这篇关于如何从Kext访问未导出的符号?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
