Environment
Host: 10.14.5
VM: 10.12.3
System download URL: https://support.apple.com/downloads/macos
Download the KDK matching each version
KDK download URL
Install the KDK on both the host and the VM
Disable SIP in the VM
- Check SIP status
Type csrutil status in Terminal; the output shows whether it is enabled or disabled.
- Disable SIP
1. Reboot the Mac and hold cmd+R until the Apple logo and progress bar appear; the screen shown below means you are in Recovery mode;
2. In the menu bar at the top of the screen, open Utilities (third from the left), open Terminal, and type: csrutil disable;
(When enabling, the value passed is 0x77; when disabling, it is 0x10.)
3. Close Terminal and reboot the Mac;
4. After the reboot, check the status in Terminal to confirm.
- Enable SIP
The steps are the same as for disabling, except that in step 2 you type csrutil enable.
Copy kernel.development
```
sh-3.2# cp /Library/Developer/KDKs/KDK_10.12.3_16D32.kdk/System/Library/Kernels/kernel.development /System/Library/Kernels
sh-3.2#
sh-3.2# sudo nvram boot-args="debug=0x141 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"
sh-3.2# uname -v
Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64
sh-3.2# sudo kextcache -invalidate /
kextcache -invalidate /
kextcache -arch x86_64 -local-root -all-loaded -kernel /System/Library/Kernels/kernel -prelinked-kernel /System/Library/PrelinkedKernels/prelinkedkernel -volume-root / /System/Library/Extensions /Library/Extensions
KernelCache ID: 09FF2CA49C380D60383EC01FD001C3E8
symlink("/System/Library/PrelinkedKernels/prelinkedkernel", "/System/Library/Caches/com.apple.kext.caches/Startup/kernelcache") failed 17 (File exists) <createPrelinkedKernel 2795>
kextcache -arch x86_64 -local-root -all-loaded -kernel /System/Library/Kernels/kernel.development -prelinked-kernel /System/Library/PrelinkedKernels/prelinkedkernel.development -volume-root / /System/Library/Extensions /Library/Extensions
KernelCache ID: 86AB7FC438F8BD5ADC5096DF54409B02
sh-3.2# sudo reboot
```
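As an added example (not from the original post), the following Python decodes the two bitmasks this setup relies on: the debug= value in the boot-args above (debug=0x141) and the SIP csr-active-config values 0x77 and 0x10 noted in the SIP section. The bit names are taken from xnu's osfmk/kern/debug.h and bsd/sys/csr.h and are assumed to match the 10.12/10.14 kernels used here.

```python
# Added example (not from the original post): decode the bitmasks used in this
# setup, the debug= boot-arg (debug=0x141) and the SIP csr-active-config values
# (0x77 / 0x10). Bit names come from xnu's osfmk/kern/debug.h and bsd/sys/csr.h
# and are assumed to match the 10.12/10.14 kernels used here.
import shlex

DEBUG_FLAGS = {
    0x1: "DB_HALT",              # halt at boot and wait for a debugger to attach
    0x2: "DB_PRT", 0x4: "DB_NMI", 0x8: "DB_KPRT", 0x10: "DB_KDB", 0x20: "DB_SLOG",
    0x40: "DB_ARP",              # let the kernel answer ARP so remote KDP can reach it
    0x80: "DB_KDP_BP_DIS",
    0x100: "DB_LOG_PI_SCRN",     # log panic info to the screen
    0x200: "DB_KDP_GETC_ENA", 0x400: "DB_KERN_DUMP_ON_PANIC", 0x800: "DB_KERN_DUMP_ON_NMI",
    0x1000: "DB_DBG_POST_CORE", 0x2000: "DB_PANICLOG_DUMP",
    0x4000: "DB_REBOOT_POST_CORE", 0x8000: "DB_NMI_BTN_ENA",
}

CSR_FLAGS = {
    0x1: "CSR_ALLOW_UNTRUSTED_KEXTS", 0x2: "CSR_ALLOW_UNRESTRICTED_FS",
    0x4: "CSR_ALLOW_TASK_FOR_PID", 0x8: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL", 0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM", 0x80: "CSR_ALLOW_DEVICE_CONFIGURATION",
}

def decode_mask(value, table):
    """Names of the bits set in value, lowest bit first; unknown bits kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names

def describe_boot_args(boot_args):
    """Parse an nvram boot-args string; bare flags (-v) map to True and
    the debug= value is expanded into its DB_* flag names."""
    args = {}
    for token in shlex.split(boot_args):
        key, sep, val = token.partition("=")
        args[key] = val if sep else True
    if "debug" in args:
        args["debug"] = decode_mask(int(args["debug"], 0), DEBUG_FLAGS)
    return args

if __name__ == "__main__":
    # The boot-args line used in the post, as a constructed sample input.
    print(describe_boot_args("debug=0x141 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"))
    print(decode_mask(0x77, CSR_FLAGS))   # the two csr-active-config values noted above
    print(decode_mask(0x10, CSR_FLAGS))
```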
Start debugging from the host
```
➜ macos lldb /Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development
(lldb) target create "/Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development"
warning: 'kernel' contains a debug script. To run this script in this debug session:
command script import "/Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development.dSYM/Contents/Resources/Python/kernel.py"
To run all discovered debug scripts in this session:
settings set target.load-script-from-symbol-file true
Current executable set to '/Library/Developer/KDKs/KDK_10.14.5_18F131a.kdk/System/Library/Kernels/kernel.development' (x86_64).
(lldb) kdp-remote 192.168.248.139
Version: Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:20 PST 2016; root:xnu-3789.41.3~3/DEVELOPMENT_X86_64; UUID=C85EC12C-F162-3F81-8FB0-53048AF39F02; stext=0xffffff8019400000
Kernel UUID: C85EC12C-F162-3F81-8FB0-53048AF39F02
Load Address: 0xffffff8019400000
WARNING: Unable to locate kernel binary on the debugger system.
Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
frame #0: 0xffffff8019608d07
```
Here you can see the VM's XNU kernel version: xnu-3789.41.3.
The VM's state
Adding source-level debugging
Download the XNU source matching the VM's version, xnu-3789.41.3, here
LLDB command reference: https://lldb.llvm.org/use/map.html
Download the XNU source for the version you are debugging. When debugging, LLDB looks for the kernel source under /Library/Caches/com.apple.xbs/Sources/xnu/xnu-…, so you can either put the downloaded source in that directory or create a symlink pointing at the source directory. Another method is to set LLDB's target.source-map variable:
```
settings set target.source-map /Library/Caches/com.apple.xbs/Sources/xnu/xnu-3789.41.3 ~/Desktop/macos/xnu-3789.41.3
```
I tried both of these, but the breakpoint did not land on the source location and did not trigger:
```
breakpoint set --name hfs_vnop_setxattr
thread backtrace
```
So instead, switch to debugging the source of a kernel extension I compiled myself.
Compile a kernel extension containing a backdoor
References:
OS X kernel debugging revealed: https://www.anquanke.com/post/id/86972
https://www.jianshu.com/p/fe78d2036192
https://www.freebuf.com/articles/system/90049.html
Anti-anti-debugging kernel:
http://www.alonemonkey.com/2017/11/20/get-start-antidebug-kext/