def kernelcache_process():
    """Run the full first-time kernelcache analysis pipeline inside IDA.

    The steps, in order, are the standard processing this module offers:

    * Rename IDA segments using the names taken from the __PRELINK_INFO
      dictionary.
    * Find virtual method tables, convert them to offsets and add vtable
      symbols.
    * Find the OSMetaClass instances of top-level classes and add
      OSMetaClass symbols.
    * Convert __got sections to offsets and name them automatically.
    * Convert __stubs sections to stub functions and name them automatically.
    * Name vtable methods from the method names of their superclasses.

    IDA autoanalysis is allowed to finish before each stage so later stages
    see a settled database.

    NOTE(review): a second `kernelcache_process` definition appears later in
    this listing; if both live in the same module the later one rebinds the
    name and this variant is never called -- confirm which is intended.
    """
    import idc

    def wait_for_autoanalysis():
        # Block until IDA has drained its analysis queue.
        print('Waiting for IDA autoanalysis...')
        idc.Wait()

    # Each entry is one stage: the steps run back to back, and autoanalysis is
    # waited on *before* every stage (the final stage is not followed by a wait).
    # Segment renaming has to come first: later steps rely on the more detailed
    # segment names it installs.
    stages = (
        (segment.initialize_segments, offset.initialize_data_offsets),
        (vtable.initialize_vtables,),
        (vtable.initialize_vtable_symbols,),
        (metaclass.initialize_metaclass_symbols, offset.initialize_offset_symbols),
        (stub.initialize_stub_symbols,),
        (vtable.initialize_vtable_method_symbols,),
    )
    for steps in stages:
        wait_for_autoanalysis()
        for step in steps:
            step()
    print('Done')
def kernelcache_process(untag_pointers=True):
    """Run the full first-time kernelcache analysis pipeline inside IDA.

    The steps, in order, are the standard processing this module offers:

    * Convert iOS 12's static tagged pointers into ordinary kernel pointers.
    * Parse the kernel's `__PRELINK_INFO.__info` section into a dictionary.
    * Rename IDA segments using the names taken from the __PRELINK_INFO
      dictionary (split-kext kernelcaches only).
    * Convert pointers in data segments into offsets.
    * Find virtual method tables, convert them to offsets and add vtable
      symbols.
    * Find the OSMetaClass instances of top-level classes and add
      OSMetaClass symbols.
    * Name offsets in `__got` sections and stub functions in `__stubs`
      sections.
    * Name vtable methods from the method names of their superclasses.
    * Build IDA structs that model the kernel's C++ classes.

    Args:
        untag_pointers: when true, and the kernelcache is the iOS 12 merged
            format, and the IDA SDK is older than 7.2, run the pointer
            untagging pass before anything else.

    Before running, the user is prompted for the locations of an iometa
    result file and a jtool2 analysis file, which are handed to
    ``joker.analyze``.
    """
    import ida_kernwin
    # The two paths are taken from interactive dialogs and passed through
    # as typed; nothing here checks that they exist or are readable.
    # NOTE(review): ask_str returns None when the dialog is cancelled --
    # confirm joker.analyze copes with a None path.
    iometa_path = ida_kernwin.ask_str("/tmp/kernel.txt", 0, "iometa result file location")
    jtool2_path = ida_kernwin.ask_str("/tmp/kernel_jtool2.txt", 0, "jtool2 analyze file location")
    joker.analyze(iometa_path, jtool2_path)
    import idaapi
    import idc

    def phase(banner, *steps):
        # Announce a stage (if it has a banner), run its steps, then let IDA
        # autoanalysis settle before the next stage.
        if banner is not None:
            print(banner)
        for step in steps:
            step()
        autoanalyze()

    autoanalyze()
    # The untagging pass is gated on the SDK version -- presumably newer IDA
    # releases handle tagged pointers themselves; confirm against the SDK notes.
    needs_untagging = (kernel.kernelcache_format == kernel.KC_12_MERGED
                       and untag_pointers
                       and idaapi.IDA_SDK_VERSION < 720)
    if needs_untagging:
        phase('Processing tagged kernelcache pointers', tagged_pointers.untag_pointers)
    # Segment renaming comes first: later steps rely on the detailed names.
    segment.initialize_segments()
    phase('Initializing data offsets', offset.initialize_data_offsets)
    phase('Initializing vtables', vtable.initialize_vtables)
    phase(None, vtable.initialize_vtable_symbols)
    metaclass.initialize_metaclass_symbols()
    # __got / __stubs symbolication only applies to the iOS 11 layout.
    if kernel.kernelcache_format == kernel.KC_11_NORMAL:
        phase('Creating offset and stub symbols', offset.initialize_offset_symbols)
        phase(None, stub.initialize_stub_symbols)
    print('Propagating vtable method symbols')
    vtable.initialize_vtable_method_symbols()
    phase('Initializing class structs',
          class_struct.initialize_vtable_structs,
          class_struct.initialize_class_structs)
    print('Done')