Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Mac OS Kernel Debugging
El Capitan Debugging with Thunderbolt/Firewire adapter
1. Reboot into recovery mode with CMD-R
2. Disable system integrity mode: csrutil disable
3. reboot
4. nvram boot-args="debug=0x146 kdp_match_name=firewire fwkdp=0x8004"
Pre-El Capitan Instructions
The following instructions apply to systems prior to El Capitan
Setup the debug target system
-
Find the precise kernel version
sw_vers | grep BuildVersion - Install the KDK for the precise kernel version
- Copy the kernel.development kernel from the KDK to /System/Library/Kernels/
- Identify the proper network interface for debugging. In this example it's en0
-
Configure nvram boot-args
nvram boot-args "debug=0x146 kcsuffix=development pmuflags=1 kext-dev-mode=1 slide=0 kdp_match_name=en0 -v" - Reboot the target system
- Get the IP address
Setup the host debugger system
- Install the KDK matching the target system's kernel version
- Install the XNU sources for the target system's kernel version
-
Run LLDB for the matching kernel
xcrun lldb /Library/Developer/KDKs/KDK_XXX/System/Library/Kernels/kernel.development
Begin Debugging
-
Trigger a breakpoint on the debug target
dtrace -w -n "BEGIN { breakpoint{}; }" -
Attach to the debug target from the host debugger's lldb session
settings set target.load-script-from-symbol-file true kdp-remote X.X.X.X settings set target.source-map /SourceCache/xnu/xnu-XXXX /path/to/xnu/xnu-XXXX
You should have an active debug session now. Have fun, hope you had a snapshot.