Tools

Here it is, a merge between the x86 and ARM versions of gdbinit. The only inconvenience is that you need to manually change the target, using the 32bits and 64bits commands for x86/x86_64 architectures, and arm for ARM. That’s a small price to pay for. This version features a lot of cosmetic fixes (indentation mostly) but also some fixes to the ARM related code, and a new command – dumpmacho. This command will dump the Mach-O header to a file....

I love to read about the Human brain and yesterday I was feeling weird about this thing. As far as I know, everyone (publicly) was trying to search sysent in one way or another after Apple removed the sysent symbols but not bruteforcing it. It seems no one bothered to question the original method (Landon Fuller?) and just kept using it. Are there any historical reasons for this? I can’t remember any....

This is a OS X port of kad’s checkidt utility featured at Phrack #59. It requires /dev/kmem to be active since task_for_pid on kernel task is prohibited since Snow Leopard. I have added an option to calculate the sysent address via the IDT. The code is not very fail proof because it uses the opcode hex values. Disassembly is probably a better option. This is just a PoC written some time ago so there are some ugly things inside....

Here is a small update to gdbinit with a new command, skip. This command will skip over the current instruction, without executing it. Usually I do it manually by set $pc=newvalue but this involves copy & paste and mouse movements and gets boring after a while. It’s great to skip over calls while you are trying some stuff and analysing some program behavior. By default it will not execute the command at the new address....

A small update to gdbinit. Many thanks to snare and Plouj for their reports 😃. Here is the changelog: Version 7.4.3 (04/11/2011) – Modified “hexdump” command to support a variable number of lines (optional parameter). – Removed restrictions on type of addresses used in the “dd” command. – Modified the assemble command to support 64bits – You will need to recompile nasm since the version shipped with OS X doesn’t supports 64bits (www....