A Mac OS X port of Phrack’s CheckIDT util by kad, or another way to retrieve sysent address

This is an OS X port of kad's checkidt utility, featured in Phrack #59. It requires /dev/kmem to be enabled (it is off by default and needs the kmem=1 boot argument), since task_for_pid() on the kernel task has been prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very robust because it matches raw opcode byte values; disassembling the handler would be a better option. This is just a PoC written some time ago, so there are some ugly things inside.
The concept to retrieve sysent is the following:

get idt -> get location of interrupt 0x80 -> get address of LO_UNIX_SCALL -> get address of unix_syscall -> get location of sysent
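The chain above, walked over a constructed 32-bit "kernel memory" image instead of /dev/kmem, as an added example that is not part of the original checkidt port. It resolves the int 0x80 gate to its handler, follows the first `call rel32` to the syscall dispatcher, and pulls the table base out of a `mov eax, [eax*8 + disp32]` reference. Every address, the gate contents and the handler bytes are constructed for the example, and the `8B 04 C5` table-access pattern is a hypothetical stand-in for whatever the real unix_syscall emits (the real struct sysent is not 8 bytes wide), so it also shows why byte matching is fragile: an unexpected encoding simply returns 0.

```c
/*
 * Added example (not the original checkidt code): IDT -> int 0x80 gate ->
 * handler (LO_UNIX_SCALL) -> call unix_syscall -> sysent reference, done by
 * matching raw opcode bytes exactly as the post describes. The memory image,
 * addresses and instruction bytes below are constructed for the example;
 * the real utility reads them through /dev/kmem.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_BASE          0x00400000u            /* constructed: address of mem[0] */
#define MEM_SIZE          0x2000u
#define IDT_ADDR          (MEM_BASE + 0x0000)    /* 256 gates * 8 bytes */
#define HANDLER_ADDR      (MEM_BASE + 0x1000)    /* stands in for LO_UNIX_SCALL */
#define UNIX_SYSCALL_ADDR (MEM_BASE + 0x1800)    /* stands in for unix_syscall */
#define SYSENT_ADDR       0x00789ab0u            /* constructed: value to recover */

static uint8_t mem[MEM_SIZE];

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Translate an address in the fake kernel space into mem[]; NULL if out of range. */
static const uint8_t *at(uint32_t addr, size_t need) {
    if (addr < MEM_BASE || (size_t)(addr - MEM_BASE) + need > MEM_SIZE) return NULL;
    return mem + (addr - MEM_BASE);
}

/* 32-bit IDT gate: offset_lo(16) selector(16) zero(8) type_attr(8) offset_hi(16). */
uint32_t idt_gate_offset(const uint8_t *gate) {
    return (uint32_t)gate[0] | (uint32_t)gate[1] << 8 |
           (uint32_t)gate[6] << 16 | (uint32_t)gate[7] << 24;
}

/* Resolve the first `call rel32` (E8 xx xx xx xx) within len bytes of addr; 0 if none. */
uint32_t first_call_target(uint32_t addr, size_t len) {
    const uint8_t *p = at(addr, len);
    if (!p) return 0;
    for (size_t i = 0; i + 5 <= len; i++)
        if (p[i] == 0xE8)
            return addr + (uint32_t)i + 5 + (uint32_t)(int32_t)rd32(p + i + 1);
    return 0;
}

/* Hypothetical table access `mov eax, [eax*8 + disp32]` (8B 04 C5 disp32); disp32 is the base. */
uint32_t first_table_base(uint32_t addr, size_t len) {
    const uint8_t *p = at(addr, len);
    if (!p) return 0;
    for (size_t i = 0; i + 7 <= len; i++)
        if (p[i] == 0x8B && p[i + 1] == 0x04 && p[i + 2] == 0xC5)
            return rd32(p + i + 3);
    return 0;
}

/* The whole chain from the post; any step that finds nothing yields 0. */
uint32_t resolve_sysent(uint32_t idt_addr) {
    const uint8_t *gate = at(idt_addr + 0x80 * 8, 8);
    if (!gate) return 0;
    uint32_t handler = idt_gate_offset(gate);              /* LO_UNIX_SCALL */
    uint32_t unix_syscall = first_call_target(handler, 0x100);
    if (!unix_syscall) return 0;
    return first_table_base(unix_syscall, 0x100);          /* sysent */
}

/* Build the constructed image: one trap gate, a handler that calls the dispatcher,
 * and a dispatcher that indexes the table. Everything else is NOP filler. */
void build_image(void) {
    memset(mem, 0x90, sizeof mem);
    uint8_t *gate = mem + (IDT_ADDR - MEM_BASE) + 0x80 * 8;
    wr16(gate, HANDLER_ADDR & 0xffff);
    wr16(gate + 2, 0x0008);             /* kernel code selector */
    gate[4] = 0x00;
    gate[5] = 0xEE;                     /* present, DPL 3, 32-bit trap gate */
    wr16(gate + 6, HANDLER_ADDR >> 16);

    uint8_t *h = mem + (HANDLER_ADDR - MEM_BASE);
    h[0] = 0x50;                        /* push eax */
    h[1] = 0xE8;                        /* call unix_syscall (rel32 from next insn) */
    wr32(h + 2, UNIX_SYSCALL_ADDR - (HANDLER_ADDR + 1 + 5));

    uint8_t *u = mem + (UNIX_SYSCALL_ADDR - MEM_BASE);
    u[0] = 0x8B; u[1] = 0x04; u[2] = 0xC5;  /* mov eax, [eax*8 + sysent] */
    wr32(u + 3, SYSENT_ADDR);
}

int main(void) {
    build_image();
    printf("sysent @ 0x%08x\n", resolve_sysent(IDT_ADDR));
    return 0;
}
```

The bounds-checked `at()` is what a /dev/kmem reader would replace with lseek()/read() on the device; keeping the scan windows small (0x100 bytes here) matters in the real case, because a wider window happily matches an `E8` that belongs to some other instruction's operand.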

Some of the information that the original code retrieves on Linux is meaningless on OS X. Maybe one of these days I will do a major cleanup; if you do it first, feel free to send it. The state of the 64-bit code is unknown and untested, since my machines do not run 64-bit kernels :-/.


SHA256(checkidtv1.2.c.gz)= fe663c83c81c0db11e661f3bf2596a323dcc1df342941067c804eda94a5086c3