    def calculate(self):
        """Yield every registered IOKit service notifier with a trust verdict.

        Walks the kernel's gNotifications OSDictionary: each entry maps an
        OSString key to an OSOrderedSet whose backing array points at the
        _IOServiceNotifier objects. The handler of each notifier is compared
        against the kernel's symbol addresses and the loaded kernel modules,
        so a handler living outside of them (a hooked notification) stands
        out in the output.

        Yields:
            (good, key, notifier, matches) tuples, where ``good`` is the
            result of common.is_known_address for the notifier's handler,
            ``key`` is the OSString key object, ``notifier`` the
            _IOServiceNotifier object and ``matches`` whatever
            self.get_matching returns for it.
        """
        common.set_plugin_members(self)

        (known_addrs, kmods) = common.get_kernel_addrs(self)
        profile = self.addr_space.profile

        # gNotifications is a pointer to the dictionary holding all notifiers
        sym_addr = common.get_cpp_sym("gNotifications", profile)
        dict_ptr = obj.Object("Pointer", offset = sym_addr, vm = self.addr_space)
        notify_dict = dict_ptr.dereference_as("OSDictionary")

        entries = obj.Object('Array',
                             offset = notify_dict.dictionary,
                             vm = self.addr_space,
                             targetType = 'dictEntry',
                             count = notify_dict.count)

        for entry in entries:
            # `== None` rather than `is None` is deliberate: an unreadable
            # entry presumably comes back as the obj module's NoneObject
            # placeholder, which compares equal to None but is not the None
            # singleton -- confirm against obj.NoneObject before changing
            if entry == None:
                continue

            key = entry.key.dereference_as("OSString")

            # the value is an ordered set; its backing array holds pointers
            # to the individual notifiers
            ordered_set = entry.value.dereference_as("OSOrderedSet")
            notifier_ptrs = obj.Object('Array',
                                       offset = ordered_set.array,
                                       vm = self.addr_space,
                                       targetType = 'Pointer',
                                       count = ordered_set.count)

            for notifier_ptr in notifier_ptrs:
                notifier = notifier_ptr.dereference_as("_IOServiceNotifier")
                if notifier == None:
                    continue

                matches = self.get_matching(notifier)

                # the handler is the callback run when the notification
                # fires; legitimately it lives in the kernel or in one of the
                # known IOKit drivers for this kernel, anywhere else is
                # suspicious
                handler = notifier.handler
                good = common.is_known_address(handler, known_addrs, kmods)

                yield (good, key, notifier, matches)
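    def calculate(self):
        """Yield every valid OSKext object from the kernel's sLoadedKexts array.

        sLoadedKexts is a pointer to an OSArray; its backing array is walked
        up to the OSArray capacity and each slot is dereferenced as an OSKext.

        Yields:
            OSKext objects (obj.Object of the profile's OSKext struct or
            class) that are truthy and pass is_valid().

        Raises:
            Whatever debug.error raises when the OSArray type is missing
            from the profile.
        """
        common.set_plugin_members(self)

        saddr = common.get_cpp_sym("sLoadedKexts", self.addr_space.profile)
        p = obj.Object("Pointer", offset=saddr, vm=self.addr_space)

        kOSArr = obj.Object(self._struct_or_class("OSArray"),
                            offset=p,
                            vm=self.addr_space)

        # `== None` rather than `is None` is deliberate: a failed lookup
        # presumably comes back as the obj module's NoneObject placeholder,
        # which compares equal to None but is not the None singleton --
        # confirm against obj.NoneObject before changing
        if kOSArr == None:
            debug.error(
                "The OSArray_class type was not found in the profile. Please file a bug if you are running aginst Mac >= 10.7"
            )

        # the whole capacity is walked rather than the live count; slots
        # that do not hold a kext are expected to fail the check below
        kext_ptrs = obj.Object(theType="Array",
                               targetType="Pointer",
                               offset=kOSArr.array,
                               count=kOSArr.capacity,
                               vm=self.addr_space)

        # the type name does not change per slot, so resolve it once
        kext_type = self._struct_or_class("OSKext")

        # no index is needed, and the loop variable is not rebound
        for kext_ptr in kext_ptrs:
            kext = kext_ptr.dereference_as(kext_type)
            if kext and kext.is_valid():
                yield kext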
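    def calculate(self):
        """Yield every virtual-table slot of every registered IOKit class.

        sAllClassesDict maps class-name OSStrings to OSMetaClass objects. For
        each OSMetaClass the vtable is walked slot by slot until a NULL (or
        unreadable) entry, and every slot is resolved against the kernel/kext
        symbol information so that a method pointer outside any known module
        (a hooked vtable) can be spotted by the renderer.

        Yields:
            (cname, vptr, module, handler_sym) tuples: the class name as read
            from OSMetaClass::className, the vtable slot as an unsigned long
            object, and the module name and symbol that
            common.get_handler_name returns for it.
        """
        common.set_plugin_members(self)

        kaddr_info = common.get_handler_name_addrs(self)

        dict_ptr_addr = common.get_cpp_sym("sAllClassesDict",
                                           self.addr_space.profile)
        dict_addr = obj.Object("unsigned long",
                               offset=dict_ptr_addr,
                               vm=self.addr_space)

        fdict = obj.Object(self._struct_or_class("OSDictionary"),
                           offset=dict_addr.v(),
                           vm=self.addr_space)

        ents = obj.Object('Array',
                          offset=fdict.dictionary,
                          vm=self.addr_space,
                          targetType=self._struct_or_class("dictEntry"),
                          count=fdict.count)

        # type names do not change per entry, so resolve them once
        osmeta_type = self._struct_or_class("OSMetaClass")
        osstring_type = self._struct_or_class("OSString")

        for ent in ents:
            # `== None` rather than `is None` is deliberate: an unreadable
            # entry presumably comes back as the obj module's NoneObject
            # placeholder, which compares equal to None but is not the None
            # singleton -- confirm against obj.NoneObject before changing
            if ent == None or not ent.is_valid():
                continue

            # the dictionary key is not needed: the class name is taken from
            # OSMetaClass::className below
            osmeta = obj.Object(osmeta_type,
                                offset=ent.value.v(),
                                vm=self.addr_space)

            cname = str(osmeta.className.dereference_as(osstring_type))

            # the vtable start comes from the metaClass member when the
            # profile defines one, otherwise from the first pointer-sized
            # word of the object itself
            if hasattr(osmeta, "metaClass"):
                arr_start = osmeta.metaClass.v()
            else:
                arr_start = obj.Object("Pointer",
                                       offset=osmeta.obj_offset,
                                       vm=self.addr_space)

            offset = 0
            vptr = obj.Object("unsigned long",
                              offset=arr_start,
                              vm=self.addr_space)

            # stop at the first NULL slot and also at the first unreadable
            # one: an unmapped address presumably yields a NoneObject, which
            # is not == 0 and would otherwise break the offset arithmetic
            # below instead of ending the walk -- confirm against obj.Object
            while vptr.is_valid() and vptr != 0:
                (module,
                 handler_sym) = common.get_handler_name(kaddr_info, vptr)

                yield (cname, vptr, module, handler_sym)

                offset += vptr.size()
                vptr = obj.Object("unsigned long",
                                  offset=arr_start + offset,
                                  vm=self.addr_space)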
    def calculate(self):
        """Yield every registered IOKit service notifier with a trust verdict.

        Walks the kernel's gNotifications OSDictionary: each entry maps an
        OSString key to an OSOrderedSet whose backing array points at the
        _IOServiceNotifier objects. The handler of each notifier (the
        compatHandler when one is set) is resolved against the kernel symbol
        addresses and the loaded kernel modules, so a handler outside of them
        (a hooked notification) stands out in the output.

        Yields:
            (good, module, key, notifier, matches, handler) tuples: ``good``
            and ``module`` as returned by common.is_known_address_name,
            ``key`` the entry's key as a str, ``notifier`` the
            _IOServiceNotifier object, ``matches`` whatever self.get_matching
            returns for it and ``handler`` the resolved handler address.
        """
        common.set_plugin_members(self)

        (known_addrs, kmods) = common.get_kernel_addrs(self)
        sym_addr = common.get_cpp_sym("gNotifications",
                                      self.addr_space.profile)
        dict_ptr = obj.Object("Pointer", offset=sym_addr, vm=self.addr_space)
        notify_dict = dict_ptr.dereference_as(
            self._struct_or_class("OSDictionary"))

        entries = obj.Object('Array',
                             offset=notify_dict.dictionary,
                             vm=self.addr_space,
                             targetType=self._struct_or_class("dictEntry"),
                             count=notify_dict.count)

        for entry in entries:
            # `== None` rather than `is None` is deliberate: an unreadable
            # entry presumably comes back as the obj module's NoneObject
            # placeholder, which compares equal to None but is not the None
            # singleton -- confirm against obj.NoneObject before changing
            if entry == None or not entry.is_valid():
                continue

            key = str(entry.key.dereference_as(
                self._struct_or_class("OSString")))

            # the value is an ordered set; its backing array holds pointers
            # to the individual notifiers
            ordered_set = entry.value.dereference_as(
                self._struct_or_class("OSOrderedSet"))
            notifier_ptrs = obj.Object('Array',
                                       offset=ordered_set.array,
                                       vm=self.addr_space,
                                       targetType='Pointer',
                                       count=ordered_set.count)

            for notifier_ptr in notifier_ptrs:
                notifier = notifier_ptr.dereference_as(
                    self._struct_or_class("_IOServiceNotifier"))
                if notifier == None:
                    continue

                matches = self.get_matching(notifier)

                # the callback run when the notification fires; a set (truthy)
                # compatHandler takes precedence over handler. Legitimately it
                # lives in the kernel or in one of the known IOKit drivers for
                # this kernel, anywhere else is suspicious
                handler = notifier.compatHandler.v() or notifier.handler.v()

                (good, module) = common.is_known_address_name(
                    handler, known_addrs, kmods)
                yield (good, module, key, notifier, matches, handler)
    def calculate(self):
        """Yield every handler found while walking the IORegistry from its root.

        Stores the kernel/kext symbol information in the module-level
        ``kaddr_info`` (a global, presumably because self.walk_reg_entry reads
        it from there rather than taking it as an argument; its body is not
        visible here) and delegates the walk to walk_reg_entry, starting from
        the pointer stored at the gRegistryRoot symbol.

        Yields:
            (key, handler, module, handler_sym) tuples, re-yielded unchanged
            from self.walk_reg_entry.
        """
        common.set_plugin_members(self)

        global kaddr_info
        kaddr_info = common.get_handler_name_addrs(self)

        root_sym = common.get_cpp_sym("gRegistryRoot", self.addr_space.profile)
        root_ptr = obj.Object("Pointer", offset = root_sym, vm = self.addr_space)

        for (reg_key, reg_handler, reg_module, reg_sym) in self.walk_reg_entry(root_ptr):
            yield (reg_key, reg_handler, reg_module, reg_sym)
    def calculate(self):
        """Yield every handler found while walking the IORegistry from its root.

        The kernel/kext symbol information is published through the
        module-level ``kaddr_info`` global (presumably read by
        self.walk_reg_entry, whose body is not visible here) before the walk
        is handed to walk_reg_entry, starting at the pointer stored at the
        gRegistryRoot symbol.

        Yields:
            (key, handler, module, handler_sym) tuples, re-yielded unchanged
            from self.walk_reg_entry.
        """
        common.set_plugin_members(self)

        global kaddr_info
        kaddr_info = common.get_handler_name_addrs(self)

        profile = self.addr_space.profile
        root_sym = common.get_cpp_sym("gRegistryRoot", profile)
        root_ptr = obj.Object("Pointer", offset=root_sym, vm=self.addr_space)

        walk = self.walk_reg_entry(root_ptr)
        for (reg_key, reg_handler, reg_module, reg_sym) in walk:
            yield (reg_key, reg_handler, reg_module, reg_sym)
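    def calculate(self):
        """Yield every valid OSKext object from the kernel's sLoadedKexts array.

        sLoadedKexts points at an OSArray; its backing array is walked up to
        the OSArray capacity and each slot is dereferenced as an OSKext.

        Yields:
            OSKext objects (obj.Object of the profile's OSKext struct or
            class) that are truthy and pass is_valid().

        Raises:
            Whatever debug.error raises when the OSArray type is missing
            from the profile.
        """
        common.set_plugin_members(self)

        saddr = common.get_cpp_sym("sLoadedKexts", self.addr_space.profile)
        p = obj.Object("Pointer", offset = saddr, vm = self.addr_space)

        kOSArr = obj.Object(self._struct_or_class("OSArray"), offset = p, vm = self.addr_space)

        # `== None` rather than `is None` is deliberate: a failed lookup
        # presumably comes back as the obj module's NoneObject placeholder,
        # which compares equal to None but is not the None singleton --
        # confirm against obj.NoneObject before changing
        if kOSArr == None:
            debug.error("The OSArray_class type was not found in the profile. Please file a bug if you are running aginst Mac >= 10.7")

        # the whole capacity is walked rather than the live count; slots
        # that do not hold a kext are expected to fail the check below
        kext_ptrs = obj.Object(theType = "Array",
                               targetType = "Pointer",
                               offset = kOSArr.array,
                               count = kOSArr.capacity,
                               vm = self.addr_space)

        # the type name does not change per slot, so resolve it once
        kext_type = self._struct_or_class("OSKext")

        # no index is needed, and the loop variable is not rebound
        for kext_ptr in kext_ptrs:
            kext = kext_ptr.dereference_as(kext_type)
            if kext and kext.is_valid():
                yield kext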
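    def calculate(self):
        """Yield every virtual-table slot of every registered IOKit class.

        sAllClassesDict maps class-name OSStrings to OSMetaClass objects. For
        each OSMetaClass the vtable is walked slot by slot until a NULL (or
        unreadable) entry, and every slot is resolved against the kernel/kext
        symbol information so that a method pointer outside any known module
        (a hooked vtable) can be spotted by the renderer.

        Yields:
            (cname, vptr, module, handler_sym) tuples: the class name as read
            from OSMetaClass::className, the vtable slot as an unsigned long
            object, and the module name and symbol that
            common.get_handler_name returns for it.
        """
        common.set_plugin_members(self)

        kaddr_info = common.get_handler_name_addrs(self)

        dict_ptr_addr = common.get_cpp_sym("sAllClassesDict", self.addr_space.profile)
        dict_addr = obj.Object("unsigned long", offset = dict_ptr_addr, vm = self.addr_space)

        fdict = obj.Object(self._struct_or_class("OSDictionary"), offset = dict_addr.v(), vm = self.addr_space)

        ents = obj.Object('Array', offset = fdict.dictionary,
                          vm = self.addr_space,
                          targetType = self._struct_or_class("dictEntry"),
                          count = fdict.count)

        # type names do not change per entry, so resolve them once
        osmeta_type = self._struct_or_class("OSMetaClass")
        osstring_type = self._struct_or_class("OSString")

        for ent in ents:
            # `== None` rather than `is None` is deliberate: an unreadable
            # entry presumably comes back as the obj module's NoneObject
            # placeholder, which compares equal to None but is not the None
            # singleton -- confirm against obj.NoneObject before changing
            if ent == None or not ent.is_valid():
                continue

            # the dictionary key is not needed: the class name is taken from
            # OSMetaClass::className below
            osmeta = obj.Object(osmeta_type, offset = ent.value.v(), vm = self.addr_space)

            cname = str(osmeta.className.dereference_as(osstring_type))

            # the vtable start comes from the metaClass member when the
            # profile defines one, otherwise from the first pointer-sized
            # word of the object itself
            if hasattr(osmeta, "metaClass"):
                arr_start = osmeta.metaClass.v()
            else:
                arr_start = obj.Object("Pointer", offset = osmeta.obj_offset, vm = self.addr_space)

            offset = 0
            vptr = obj.Object("unsigned long", offset = arr_start, vm = self.addr_space)

            # stop at the first NULL slot and also at the first unreadable
            # one: an unmapped address presumably yields a NoneObject, which
            # is not == 0 and would otherwise break the offset arithmetic
            # below instead of ending the walk -- confirm against obj.Object
            while vptr.is_valid() and vptr != 0:
                (module, handler_sym) = common.get_handler_name(kaddr_info, vptr)

                yield (cname, vptr, module, handler_sym)

                offset += vptr.size()
                vptr = obj.Object("unsigned long", offset = arr_start + offset, vm = self.addr_space)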