Our lovely GDB has been declared dead with Xcode 5 release. The new king in town is LLDB, and that also applies to kernel debugging. Change is good, even if we Humans don’t like it, but… there’s still no gdbinit for LLDB and I just love it. Even more important (for kernel debugging), LLDB still has no support (afaik) for VMware GDB stub. This means it’s not possible to do kernel debugging in Mavericks VMs other than KDP....
New version available at the github repo, compatible with Mavericks and with a Cocoa app to control its features. Mavericks sysent table is modified so previous versions weren’t compatible with it. I updated the sysent table definitions. It’s not the best method to assure future compatibility in case Apple decides to change the structure again. A better way is to find the symbols for the syscalls and replace them directly in the sysent table....
One thing that really bothered me for a long time while debugging is the need to calculate the libraries loaded addresses versus the addresses at disk if you want to follow and comment library code in IDA. While the ASLR slide can also be disabled when starting processes (or even attaching by disabling it first in the Mach-O header) sometimes I want to attach to ASLR enabled processes and once again I need to compute values without the slide to follow in IDA....
One of the changes introduced by Mountain Lion was the removal of the old procmod convention for applications that want to access the task port of a process (aka for reversers, debuggers). Before this change, any binary that was procmod suid group set could access the task port of other processes (running as the same user). Taskgated configuration in Mountain Lion was changed and removed this possibility. Only signed binaries that contain an embedded Info....
Suffering from post-conference boredom I decided to redo Onyx The Black Cat kernel extension to kickstart again my brain and get back to serious work. There were also some people asking for an updated version so here it is! This reworked version uses kernel control interface to enable/disable its features. It is much better than sysctl used before. It is also compatible with Snow Leopard, Lion, and Mountain Lion, and, hopefully, it should run without any problems in future versions....