How to access an unexported symbol from a Kext?


Problem description

I tried to load a kext module on an M1 machine running 11.4 Beta (20F5046g) Big Sur and encountered some binding error messages when loading the kext module.

First, to access the kernel functions exported from Apple's kext module com.apple.kpi.unsupported, I used the extern declaration below.

    extern int  cpu_number(void);

Also, I added com.apple.kpi.unsupported to the Info.plist:

    <key>OSBundleLibraries</key>
    <dict>
            <key>com.apple.kpi.libkern</key>
            <string>20.5</string>
            <key>com.apple.kpi.unsupported</key>
            <string>20.5.0</string>
    </dict>

The compilation doesn't raise any errors, but when I try to load the module, it prints the message below.

    Error Domain=KMErrorDomain Code=31 "Error occurred while building a collection: 
        1: One or more binaries has an error which prevented linking.  See other errors.
        2: Could not use 'kext' because: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
    kext specific: 
        1: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
    " UserInfo={NSLocalizedDescription=Error occurred while building a collection: 
        1: One or more binaries has an error which prevented linking.  See other errors.
        2: Could not use 'kext' because: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol
    kext specific: 
        1: Failed to bind '_cpu_number' in 'kext' (at offset 0x0 in __DATA_CONST, __got) as could not find a kext which exports this symbol

Can I access a kernel symbol that appears in the kernel's symbol list but is not exported from any of Apple's kext modules?

I would also like to access the kernel function called SecureDTInitEntryIterator. I found that this symbol is listed in the symbols of the kernel located at /System/Library/Kernels/kernel. However, `$ kextfind -defines-symbol _SecureDTIterateEntries` doesn't return any corresponding kext module names.

As an iOS newbie, I guess that this symbol is not exported from any of Apple's kext modules. Is there any way to access this function from my kext module? I think I could just cast the address where the symbol is located within kernel space to the function prototype, but I am looking for a systematic approach, if one exists.

Recommended answer

I have just checked, and the crucial detail appears to be that you are trying to access this function on arm64/aarch64. As it turns out, it's exported in the "unsupported" KPI for x86_64, but not on arm64:

There's no straightforward way of accessing unexported symbols. If you know the offset of a symbol in the exact version of the running kernel, you should be able to compute the address by offsetting from a known function address; at least, this worked on x86-64. arm64 may require extra effort due to PAC (pointer authentication).

As this circumvents Apple's policies, I don't recommend using this type of technique in a shipping product.
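A pre-build check for the failure mode this thread is about, added here as an example that is not part of the question, the answer or Apple's tooling: it takes the kext's undefined symbols (as `nm -u` would list them) and a per-architecture table of which KPI bundle exports which symbol, and reports every symbol that will fail to bind, either because no KPI exports it on that architecture or because the exporting KPI is missing from OSBundleLibraries. The `nm` output and the export tables are constructed samples; only the x86_64-versus-arm64 difference for `_cpu_number` mirrors the answer above.

```python
import re

# Constructed sample of `nm -u` output for the kext: the symbols it must bind at load.
NM_UNDEFINED = """\
                 U _cpu_number
                 U _printf
                 U _SecureDTInitEntryIterator
"""

# Constructed per-architecture export tables (KPI bundle -> symbols it exports).
# Real data would come from the SDK's Kernel.framework symbol sets or `kextfind`.
KPI_EXPORTS = {
    "x86_64": {"com.apple.kpi.libkern": {"_printf"},
               "com.apple.kpi.unsupported": {"_cpu_number"}},
    "arm64":  {"com.apple.kpi.libkern": {"_printf"},
               "com.apple.kpi.unsupported": set()},
}

# OSBundleLibraries as declared in the kext's Info.plist in the question.
DECLARED_LIBS = {"com.apple.kpi.libkern", "com.apple.kpi.unsupported"}


def parse_undefined(nm_output):
    """Extract symbol names from `nm -u`-style lines of the form 'U <symbol>'."""
    return {m.group(1) for m in re.finditer(r"^\s*U\s+(\S+)\s*$", nm_output, re.M)}


def check_bindings(undefined, declared_libs, exports):
    """Map each undefined symbol to the KPI that satisfies it, or to the reason it won't bind."""
    result = {}
    for sym in sorted(undefined):
        providers = {kpi for kpi, syms in exports.items() if sym in syms}
        if not providers:
            result[sym] = "not exported by any KPI on this architecture"
        elif not providers & declared_libs:
            result[sym] = "exported by %s, which is not in OSBundleLibraries" % sorted(providers)[0]
        else:
            result[sym] = "ok: " + sorted(providers & declared_libs)[0]
    return result


def unresolved(arch):
    """Symbols that would produce a 'Failed to bind' error on the given architecture."""
    report = check_bindings(parse_undefined(NM_UNDEFINED), DECLARED_LIBS, KPI_EXPORTS[arch])
    return {sym: why for sym, why in report.items() if not why.startswith("ok:")}


if __name__ == "__main__":
    for arch in KPI_EXPORTS:
        print(arch, unresolved(arch))
```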
