Vault7: CIA Hacking Tools Revealed
Mac OS Kernel Debugging
Pro tips:
- Get the precise KDK for your target system:
sw_vers | grep BuildVersion
- Use a VM (virtual machine) or a Thunderbolt-to-Ethernet adapter. USB-to-Ethernet adapters do not work.
- Look for the README.html included with the KDK, usually at /Library/Developer/KDKs/*/README.html
- Use ifconfig to find the interface you'll be attaching to
- Set up a static ARP (Address Resolution Protocol) entry on the target system:
arp -s 1.2.3.4 XX:XX:XX:XX:XX:XX
- Set your boot-args like this:
nvram boot-args="debug=0x146 kdp_match_name=en0 kext-dev-mode=1 pmuflags=1 slide=0 -v"
- Reboot the target
- Press left-cmd + right-cmd + power to trigger an NMI
- It should say "Debugger Not Configured, Hanging..."
- On the debug host:
# xcrun lldb /Library/Developer/KDKs/*/kernel
Then, at the lldb prompt, run kdp-remote 1.2.3.4 to attach
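The boot-args line above packs several settings into one string, and debug=0x146 is a bitmask rather than a single value. The following is an added example (not part of the original page): it parses that exact boot-args string, decodes the debug= bits by the DB_* names xnu uses, and raises the checks a debug host would want to review before rebooting the target. Flag names and bit values are taken from xnu's osfmk/kern/debug.h; the check function and its finding strings are this example's own.

```python
# DB_* bits from xnu osfmk/kern/debug.h. The page's debug=0x146 is DB_PRT
# (debug printf to console) | DB_NMI (NMI enters the debugger) | DB_ARP
# (debugger may ARP, needed for kdp-remote) | DB_LOG_PI_SCRN (text-mode panic).
DEBUG_FLAGS = {
    0x1: "DB_HALT", 0x2: "DB_PRT", 0x4: "DB_NMI", 0x8: "DB_KPRT",
    0x10: "DB_KDB", 0x20: "DB_SLOG", 0x40: "DB_ARP", 0x80: "DB_KDP_BP_DIS",
    0x100: "DB_LOG_PI_SCRN", 0x200: "DB_KDP_GETC_ENA",
    0x400: "DB_KERN_DUMP_ON_PANIC", 0x800: "DB_KERN_DUMP_ON_NMI",
    0x1000: "DB_DBG_POST_CORE", 0x2000: "DB_PANICLOG_DUMP",
    0x4000: "DB_REBOOT_POST_CORE", 0x8000: "DB_NMI_BTN_ENA",
}

# The boot-args line from the page, used here as sample input.
PAGE_BOOT_ARGS = "debug=0x146 kdp_match_name=en0 kext-dev-mode=1 pmuflags=1 slide=0 -v"


def parse_boot_args(boot_args):
    """Split a boot-args string into key=value settings and bare -flags."""
    settings, flags = {}, []
    for token in boot_args.split():
        if token.startswith("-"):
            flags.append(token)
        else:
            key, _, value = token.partition("=")
            settings[key] = value
    return settings, flags


def decode_debug(value):
    """Return (DB_* names set, leftover unknown bits) for a debug= value."""
    bits = int(value, 0)  # int(..., 0) accepts 0x146 as well as decimal
    names = [name for bit, name in DEBUG_FLAGS.items() if bits & bit]
    return names, bits & ~sum(DEBUG_FLAGS)


def check_kdp_boot_args(boot_args):
    """Findings to review on the debug host before rebooting the target."""
    settings, _flags = parse_boot_args(boot_args)
    names, _unknown = decode_debug(settings.get("debug", "0"))
    findings = []
    if "DB_NMI" not in names:
        findings.append("DB_NMI (0x4) unset: the NMI chord will not enter the debugger")
    if "DB_ARP" not in names:
        findings.append("DB_ARP (0x40) unset: kdp-remote over Ethernet needs it")
    if not settings.get("kdp_match_name"):
        findings.append("kdp_match_name unset: KDP has no interface to bind to")
    if settings.get("slide") == "0":
        findings.append("slide=0: KASLR disabled, so kas_info should report slide 0")
    return names, findings
```

With the page's boot-args the only finding is the slide=0 note, which is what the kas_info program further down lets you confirm from userland on the target.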
I'm not sure if the KDK properly gets/sets the slide. You might have to re-load the kernel with
image load --file kernel --slide XXX
You can query/verify the slide with a syscall. Here's the code to do it:
#include <err.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* kas_info(2) is a private XNU syscall: int kas_info(int selector, void *value, size_t *size).
 * It is number 439 in syscalls.master and only root may call it (EPERM otherwise). */
#define KAS_INFO_SYSCALL 439
/* Selector 0 (KAS_INFO_KERNEL_TEXT_SLIDE_SELECTOR in xnu's bsd/sys/kas_info.h)
 * returns the kernel text slide as a uint64_t. */
#define KAS_INFO_KERNEL_TEXT_SLIDE_SELECTOR 0

int main(void) {
    uint64_t slide = 0;
    size_t size = sizeof(slide);
    if (syscall(KAS_INFO_SYSCALL, KAS_INFO_KERNEL_TEXT_SLIDE_SELECTOR, &slide, &size))
        err(1, "Failed to get slide");
    printf("0x%" PRIx64 "\n", slide);
    return 0;
}