This is an OS X port of kad's checkidt utility, featured in Phrack #59. It requires /dev/kmem to be active, because task_for_pid on the kernel task has been prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very robust, because it locates the relevant instructions by matching hardcoded opcode byte values; proper disassembly would be a better option. This is just a PoC written some time ago, so there are some ugly things inside.
The concept for retrieving sysent is the following:
get the IDT -> locate the gate for interrupt 0x80 -> get the address of LO_UNIX_SCALL from that gate -> get the address of unix_syscall -> get the location of sysent
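As an added illustration of the first two steps of that chain (example code written for this post, not part of checkidt or the port): decoding a 32-bit IDT gate descriptor to recover the handler address of a vector such as 0x80, plus the kind of range check a detection tool applies to flag a gate whose handler no longer points into kernel text. The IDT image, handler addresses and kernel text range are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded 32-bit IDT gate (the 8-byte descriptor format of the i386 IDT). */
struct idt_gate {
    uint32_t offset;   /* handler address = offset_high << 16 | offset_low */
    uint16_t selector; /* code segment selector the CPU loads on entry */
    uint8_t  present;  /* P bit */
    uint8_t  dpl;      /* descriptor privilege level (3 allows int N from user mode) */
    uint8_t  type;     /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
};

/* Decode one little-endian 8-byte gate descriptor. */
struct idt_gate decode_gate(const uint8_t d[8]) {
    struct idt_gate g;
    uint16_t lo = (uint16_t)(d[0] | (d[1] << 8));
    uint16_t hi = (uint16_t)(d[6] | (d[7] << 8));
    g.offset   = ((uint32_t)hi << 16) | lo;
    g.selector = (uint16_t)(d[2] | (d[3] << 8));
    g.present  = (d[5] >> 7) & 1;
    g.dpl      = (d[5] >> 5) & 3;
    g.type     = d[5] & 0xF;
    return g;
}

/* Handler offset of vector `vec` in a raw IDT image (0 if out of bounds). */
uint32_t idt_vector_handler(const uint8_t *idt, size_t idt_len, unsigned vec) {
    if ((size_t)vec * 8 + 8 > idt_len) return 0;
    return decode_gate(idt + (size_t)vec * 8).offset;
}

/* A handler that lies outside the kernel text range is suspicious. */
int handler_out_of_range(uint32_t handler, uint32_t text_start, uint32_t text_end) {
    return handler < text_start || handler >= text_end;
}

/* Constructed sample IDT image with 0x81 vectors; not a real kernel dump. */
#define SAMPLE_VECTORS 0x81
static uint8_t sample_idt[SAMPLE_VECTORS * 8];
static void put_gate(uint8_t *d, uint32_t off, uint16_t sel, uint8_t attr) {
    d[0] = off & 0xFF; d[1] = (off >> 8) & 0xFF; d[2] = sel & 0xFF; d[3] = sel >> 8;
    d[4] = 0; d[5] = attr; d[6] = (off >> 16) & 0xFF; d[7] = (off >> 24) & 0xFF;
}
const uint8_t *build_sample_idt(void) {
    for (unsigned v = 0; v < SAMPLE_VECTORS; v++)        /* all inside assumed text */
        put_gate(sample_idt + v * 8, 0x00200000u + v * 0x40, 0x08, 0x8E);
    put_gate(sample_idt + 0x80 * 8, 0x002A1B30u, 0x08, 0xEF); /* int 0x80: DPL 3 trap gate */
    put_gate(sample_idt + 3 * 8, 0x30123456u, 0x08, 0x8E);    /* vector 3: out of range */
    return sample_idt;
}
```

With a real /dev/kmem read, the same decode would be applied to the 8 bytes at IDT base + 0x80 * 8, and the resulting offset is the address the next step of the chain starts disassembling from.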
Some of the information that the original code retrieves on Linux is meaningless on OS X. Maybe one of these days I will do a major cleanup; if you do it first, feel free to send it. The state of the 64-bit code is unknown and untested, since my machines do not run 64-bit kernels.
Enjoy,
fG!
checkidtv1.2.c.gz
SHA256(checkidtv1.2.c.gz)= fe663c83c81c0db11e661f3bf2596a323dcc1df342941067c804eda94a5086c3