This is a OS X port of kad’s checkidt utility featured at Phrack #59. It requires /dev/kmem to be active since task_for_pid on kernel task is prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very fail proof because it uses the opcode hex values. Disassembly is probably a better option. This is just a PoC written some time ago so there are some ugly things inside.
The concept to retrieve sysent is the following:
get idt -> get location of interrupt 0x80 -> get address of LO_UNIX_SCALL -> get address of unix_syscall -> get location of sysent
Some of the information that the original code retrieves in Linux is meaningless in OS X. Maybe one of these days I will do a major cleanup. If you do it first feel free to send it. The 64bits code state is unknown and untested – my machines do not run 64bits kernels :-/.