Questions tagged [xnu]

xnu is the name of the operating system kernel that underpins Mac OS X/Darwin and iOS.

xnu is the name of the operating system kernel that underpins Darwin, which in turn is the core of Apple's macOS (formerly OS X and Mac OS X), iOS/iPadOS (formerly iPhoneOS), tvOS, and watchOS operating systems. It has its origins in the NeXTStep operating system, and is a combination of parts of the Mach kernel (mainly the virtual memory subsystem and inter-process communication via Mach "ports"), the 4.3BSD kernel (networking, process management, POSIX compatibility, VFS/file system layer) and a device driver subsystem called the I/O Kit, which was developed in C++ specifically for the xnu kernel.

147 questions
4
votes
1 answer

Driver causing sleep wake failure

As a security researcher, I am writing a custom IOKit driver. The driver registers itself through the power plane to drivers it depends on (USB services). The setPowerState function is being called and the driver shuts itself down correctly. Problem is,…
mrdvlpr
3
votes
1 answer

How to access unexported symbol from Kext?

I tried to load a kext module on an M1 machine running 11.4 Beta (20F5046g) Big Sur and encountered some error messages on binding at kext module loading. Accessing kernel symbol exported from Apple kext modules First, to access the kernel functions…
ruach
3
votes
0 answers

Mac OS: how to fork without copying process state?

I need to create a unit of execution with a different PID, but one that does not acquire resources from the initial process (open files, memory, ...). On Linux, clone is used for this purpose. On other BSDs, rfork. Is there a Mac OS…
3
votes
0 answers

SIGCONT on MACOS X behavior

I call waitpid() with the WUNTRACED|WCONTINUED options set in order to know when the child process receives SIGSTOPs and SIGCONTs. The SIGSTOP is not the problem, but I am unable to catch the SIGCONT signal using the WIFCONTINUED(stat) function…
koneru nikhil
3
votes
0 answers

Checking vnode signature from kext

I'm using the kauth kernel framework in order to get events on files that are being opened in the system. After filtering out the executable Mach-O files, I'd like to check the signature validation for each such file whose vnode is represented in vp…
Zohar81
3
votes
1 answer

Adding a Custom macosx.internal SDK

Prime Objective: I want a setup where I can compile both with the standard SDK, and with a modified SDK for kernel development by passing the correct SDK into xcodebuild. When building a MacOS X kernel, the default SDK must be modified. These…
below
3
votes
1 answer

Prevention of file direct memory reads in xnu kernel

I've got a dylib file for which I prevent access at kernel level. I use a driver that listens to the kauth vnode scope with a callback that prevents any access to this file. However, I've noticed that the coreSymbolication framework can bypass this authorization…
user7256215
3
votes
1 answer

Kext OSDynamicCast failed during OSObject::free

I've got an IOKit driver that derives from the IOService base class, and its raw pointer is delivered to some event callback function from the kauth framework that may be called very frequently. In order to extract this instance out of the pointer I use the…
Zohar81
3
votes
1 answer

Communicating between multiple distinct kernel modules (drivers)

In order to achieve better encapsulation and modularity I've decided to split my kernel driver into 2 (can be more) modules where each is responsible for different functionality. However, there is still some data+logic which I'd like to share…
user7256215
3
votes
2 answers

Using synchronization efficiently in macOS kernel extension

I'm using the synchronization KPI in my macOS kernel extension to verify that one function is fully performed before the other function starts (both functions are performed in different threads of course). These are the synchronization methods:…
user7256215
3
votes
1 answer

Reading user-space address when debugging kext

I'd like to read a user-space address from lldb when debugging a remote machine driver (kext) via kdp. I know that in code I could use copyin in order to move the code to kernel space and read it easily, so as expected when I've tried to read user…
user7256215
3
votes
0 answers

Debugging Kext with Xcode

It would be great to have my lldb debugger run under Xcode - it works fine for user-space applications, but what about a kext? In userspace, you may use the debugger in one of the following scenarios: start new process from your project. wait for…
user7256215
3
votes
0 answers

IP/packet interface routing based on dest port -- any tips for using PF or writing an NKE?

Hoping for some tips as to which type of NKE I should create. I'm looking to do iproute2-style routing of packets on OS X, or perhaps I should say "macOS". By default, on macOS, the "route" command appears to be limited to IP address. I'd like my…
Louis St-Amour
3
votes
1 answer

printf in system call returns malformed output

I'm logging system calls in OS X using a kext, like so: int hook_read(struct proc *p, struct read_args *u, user_ssize_t *r) { /* get som params here... */ printf("[IDEN] SYS_read called, %s, %d, %d, %d.\n", params); return read(p, u,…
Vis
3
votes
1 answer

Dtrace print parent process command

I'd like to have a script that, for each new running process, prints its starting command, as well as its parent process. I'm using the following probes: proc::posix_spawn:exec-success,proc::__mac_execve:exec-success From within the script body,…
Zohar81