I had this one working for a long time but I hadn't released it because I was trying to hijack fork and vfork calls. My objective was to introduce an int3 so I could attach the debugger to a selected process. At that time I suspected that VLOK was forking and I couldn't debug the new process since gdb's follow-fork function isn't implemented in OS X (so this looks like a good idea for a protection ;-)). My idea was to inject an int3 or pause the new process so I could attach another gdb to it. Those attempts failed and one of these days I need to get back to the problem and think harder about it (if you have a solution for how to do it in the kernel module, feel free to contribute!!!).
The method to grab the sysent address changed again in Snow Leopard, and for now there is a hardcoded address. The method is to find the nsysent address (nm /mach_kernel | grep nsysent) and then subtract 0x2850 from it. Matthieu Suiche described a method in the paper ADVANCED MAC OS X PHYSICAL MEMORY ANALYSIS:
"Under Mac OS X Snow Leopard (10.6), we have to proceed with a different methodology. First, we have to retrieve the value of the nsysent variable, then we multiply its value by the size of the sysent structure, and then we subtract this value from the nsysent offset to obtain the offset of the sysent table."
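As an added example (not code from the original post or the kernel module), here is a small user-space check of that rule: it pulls the _nsysent address out of nm-style output and derives the sysent location from it, which is handy for validating a hardcoded delta or for a syscall-table integrity check. The 24-byte entry size (32-bit 10.6 kernel) and the nsysent value of 430 are assumptions; together they reproduce the 0x2850 delta quoted above.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumed sizeof(struct sysent) on the 32-bit Snow Leopard kernel and the
 * assumed nsysent value; the post only gives the resulting 0x2850 delta. */
#define SYSENT_SIZE_32BIT  24u
#define NSYSENT_10_6       430u

/* Look a symbol up in `nm`-style output ("addr type _name" per line).
 * Returns 0 when the symbol is absent. */
uint64_t find_symbol(const char *nm_output, const char *name)
{
    const char *line = nm_output;
    while (*line) {
        unsigned long long addr;
        char type, sym[128];
        if (sscanf(line, "%llx %c %127s", &addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0)
            return (uint64_t)addr;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* sysent sits directly before nsysent in the kernel data segment, so
 * sysent = &nsysent - nsysent * sizeof(struct sysent). */
uint64_t sysent_from_nsysent(uint64_t nsysent_addr, unsigned nsysent_value,
                             unsigned sysent_size)
{
    return nsysent_addr - (uint64_t)nsysent_value * sysent_size;
}

/* Constructed sample of `nm /mach_kernel` output; addresses are made up. */
static const char *sample_nm =
    "00503e00 T _fork\n"
    "0050e180 D _nsysent\n"
    "0050e184 D _nprocs\n";

int main(void)
{
    uint64_t nsysent = find_symbol(sample_nm, "_nsysent");
    uint64_t sysent = sysent_from_nsysent(nsysent, NSYSENT_10_6, SYSENT_SIZE_32BIT);
    printf("nsysent @ 0x%llx, sysent @ 0x%llx, delta 0x%llx\n",
           (unsigned long long)nsysent, (unsigned long long)sysent,
           (unsigned long long)(nsysent - sysent));
    return 0;
}
```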
I would prefer a more elegant solution to this 🙂
The structures had to change, and more definitions had to be ripped out of the xnu kernel headers. They are still incomplete, but what is there is enough for current purposes.
Here it is: