Hi!

This is my first binary kext patching so please bear with my lack of knowledge.

I have a kext I would like to modify - more precisely I would like to replace 2 methods defined inside it with my own. I was thinking creating my functions in assembly and just paste them inside kext to original functions positions. That would work if my function sizes was smaller or equal to origina which is not the case so I think I need to find a way to call my own methods located in new kext/modified kernel - re-routing calls to original methods with my own.

What is the way to go here? I am not asking for complete solution - just some pointers which direction to investigate. If there is an example available that would be great. Is it possible to use asm "call" to some other function defined somewhere else?



BR,
iostres

I found that I can simply get address of the function (function pointer) from one kext and just call it from other kext like this:

asm ("movq $0xffffff7f808dee58, %%rax\n"
"call *%%rax\n"
:
:
: "%rax");

where 0xffffff7f808dee58 is address of a function.

This is ok but it makes me know correct address of a function so I would rather do calling by symbol name. Any ideas?

BR,
iostres

I have another idea. Remember that all kexts for MacOSX written in C++ using subclasses of Apple's common classes.
So you can subclass your interesting kext to call native methods that you do not want to change and call your method instead of native if you want.
Not sure I know exact example for that but FakeSMC substitute some methods instead of IOACPIPlatformDevice.

Hi Slice,

thanks for the answer :-). I was thinking about that but (not sure on this one) I think I can substitute only methods from original kext designated as virtual in original C++ class...or am I wrong? I will try to do some subclassing on my two test kexts to see how that works - it's been a long time since I last mangled vtables .

I.

Yep, only virtual.
You also can rewrite a corresponding IOxxxFamily. May be it helps.

Or very rough hack.
Create separate kext with a needed procedure with some signature.
Place into original kext search for the signature in whole memory.
Call the proc placed near the signature.

Or vice versa. Your kext should search for original in the whole memory and place here a long jump.
Your kext should have dependency on original to be loaded after it.

Hi Slice,

this is the method I will go for - search should be possible to do in a few asm commands so it would fit in every method I want to replace. Any quick idea how to implement search for a symbol in a good way? It doesn't have to be spectacularly fast since it will be done only at computer startup.

I.

Reply to my own post...weird :-).

I decided to do something like this:


void my_func(void) {

asm( "nop;"
"nop;"
"nop;"
"nop;"
"nop;"
"nop;");

/* rest of the function */
}

So I will search code segment for 6 nops - after finding it, two instructions up is function address - then just call the function to patch original kext. That's the plan - let's see if that will be possible.

Also I will take a look at "nm" utility and how it reads symbol table - that might be even better way to do it.

Comments are welcome :-).

I.

This post has been edited by iostres: Jul 31 2011, 10:31 AM

This is shortest search function I could do:



Any possibility to firther optimize it? (I have 16 nops in a row as a marker.

I.

This post has been edited by iostres: Jul 31 2011, 04:52 PM

It is not a unique sequence. I found it in Lion's mach_kernel.
Write something like

disassemble the code and search it.

Hm...that won't be stored in function itself but in data section. Something like this seems a bit better I think:



This will endup inside subroutine so it won't be hard to locate start of subroutine. I checked in SL and Lion kernel - no such sequence.