Dumps kext (kernel extension) information from macOS kext binaries. Supports batch analysis. Disassembly is done with the Capstone framework.
iOS counterparts of this tool:
32-bit (arm): ioskextdump_32
64-bit (aarch64): ioskextdump
64-bit (arm): ioskextdump_ios10
Download
git clone https://github.com/cocoahuke/machkextdump.git && cd machkextdump
Compile and install to /usr/local/bin/
make
make install
Usage
Usage: mackextdump [-s <a single kext executable to analyze>] <Extensions folder>
-s: analyze a single kext executable, for example:
mackextdump -s /System/Library/Extensions/IOHIDFamily.kext/Contents/MacOS/IOHIDFamily
Without -s, batch-analyze every kext in a folder, e.g. /System/Library/Extensions or a copy of it:
mackextdump /System/Library/Extensions
Redirect the batch output to a file; you then have a single file listing every kext's classes, method names and vtable addresses, which is convenient to grep through.
The four values printed for each OSMetaClass:OSMetaClass call are the constructor's arguments in System V x86-64 register order: rdi = the OSMetaClass object being constructed, rsi = the class name, rdx = the superclass's OSMetaClass pointer, rcx = the instance size.
rdx is usually 0xffffffffffffffff because the superclass is not defined in the same binary; it is referenced from outside (the superclass's own kext or the kernel), so there is no local address to show.
All addresses in the output are file offsets, not virtual memory addresses. To follow one in a disassembler or against a running kernel, translate it through the containing segment's load command (vmaddr + (offset - fileoff)) and, for a loaded kext, add the load slide.
Tested on macOS 10.12.1.
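The file-offset-to-virtual-address translation described above, as an added example that is not part of machkextdump: it walks the Mach-O load commands of a thin (non-fat) little-endian image, collects every LC_SEGMENT / LC_SEGMENT_64, and maps an offset such as the vtable_start values printed by mackextdump to the vmaddr of the segment that contains it. The two-segment sample image is constructed inline so the script runs offline; for a real kext, read Contents/MacOS/<executable> into image instead (fat binaries must be sliced first).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Added example, not part of machkextdump: maps a mackextdump file offset to the
# virtual address of the containing segment by walking the Mach-O load commands.
MH_MAGIC = 0xFEEDFACE        # 32-bit mach_header (e.g. 32-bit arm kexts)
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit mach_header_64
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19


@dataclass
class Segment:
    name: str
    vmaddr: int
    vmsize: int
    fileoff: int
    filesize: int


def parse_segments(image: bytes) -> List[Segment]:
    """Segments of a thin little-endian Mach-O image (slice fat binaries first)."""
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic == MH_MAGIC_64:
        off = 32                     # sizeof(struct mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                     # sizeof(struct mach_header)
    else:
        raise ValueError("not a thin little-endian Mach-O image (fat or big-endian?)")
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    end = off + sizeofcmds
    segs: List[Segment] = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %#x at %#x" % (cmdsize, off))
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16sQQQQ", image, off + 8)
            segs.append(Segment(name.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize))
        elif cmd == LC_SEGMENT:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16sIIII", image, off + 8)
            segs.append(Segment(name.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize))
        off += cmdsize               # every other load command is skipped by its size
    return segs


def fileoff_to_vmaddr(segs: List[Segment], fileoff: int) -> Optional[int]:
    """Unslid VA for a file offset, or None if no segment maps it."""
    for s in segs:
        # __PAGEZERO has filesize 0 and must not claim offset 0
        if s.filesize and s.fileoff <= fileoff < s.fileoff + s.filesize:
            return s.vmaddr + (fileoff - s.fileoff)
    return None


def build_sample_image() -> bytes:
    """Constructed image: __TEXT file 0 -> VA 0, __DATA file 0x1000 -> VA 0x2000."""
    def seg64(name, vmaddr, vmsize, fileoff, filesize):
        # struct segment_command_64 with nsects = 0: 72 bytes
        return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name,
                           vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)
    cmds = seg64(b"__TEXT", 0x0, 0x1000, 0x0, 0x1000) + seg64(b"__DATA", 0x2000, 0x1000, 0x1000, 0x1000)
    # mach_header_64: magic, cputype x86_64, cpusubtype, MH_KEXT_BUNDLE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 0xB, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    segs = parse_segments(build_sample_image())
    for off in (0x800, 0x1100, 0x236B00):
        va = fileoff_to_vmaddr(segs, off)
        print("file offset %#x -> %s" % (off, "unmapped" if va is None else "%#x" % va))
```

The result is the unslid address the linker assigned; on a live system add the kext's load slide (kextstat shows the loaded base) to get the runtime address. The 32-bit LC_SEGMENT branch covers the 32-bit arm variant of the tool; big-endian and fat headers are rejected rather than misread.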
Example output:
...
******** 43:com.apple.AMDRadeonAccelerator *******
**/Users/huke/Desktop/mackext_copy/10_12_1_kext/AMDRadeonX3000.kext/Contents/MacOS/AMDRadeonX3000**
(0x3c6d8)->OSMetaClass:OSMetaClass call 4 args list
rdi:0x567488
rsi:AMDR8xxGLContext
rdx:0xffffffffffffffff
rcx:0x1d58
vtable_start: 0x236b00
vtable functions:
AMDR8xxGLContext_E
AMDR8xxGLContext_
AMDR8xxGLContext_getMetaClass
AMDR8xxGLContext_getTargetAndMethodForIndex
IOAccelContext2_getOwningTask
IOAccelContext2_getGPUTask
IOAccelContext2_getOwningTaskPid
...
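The output format shown above, parsed into records you can query instead of grepping by hand. This is an added example, not part of machkextdump: the record layout is taken from the sample above, and the assumption that one kext section contains several "(...)->OSMetaClass:OSMetaClass call 4 args list" records is mine. The register values are the OSMetaClass constructor arguments (rdi = this, rsi = class name, rdx = superclass OSMetaClass pointer, rcx = instance size). The query at the end flags classes that themselves override an IOUserClient dispatch method (externalMethod, getTargetAndMethodForIndex, getAsyncTargetAndMethodForIndex), which is where user-space input enters a driver. SAMPLE is constructed: its first record copies the output above, the second ("ExampleHelper") is invented to show an in-binary superclass.

```python
import re
from dataclasses import dataclass, field

EXTERNAL_SUPERCLASS = 0xFFFFFFFFFFFFFFFF   # rdx printed when the superclass is outside this binary
USER_CLIENT_ENTRYPOINTS = ("externalMethod", "getTargetAndMethodForIndex", "getAsyncTargetAndMethodForIndex")

KEXT_RE = re.compile(r"^\*{3,}\s*(\d+):(\S+)\s*\*{3,}$")       # ******** 43:bundle.id *******
PATH_RE = re.compile(r"^\*\*(.+)\*\*$")                        # **/path/to/kext/executable**
CALL_RE = re.compile(r"^\((0x[0-9a-f]+)\)->OSMetaClass:OSMetaClass call \d+ args list$", re.I)
REG_RE = re.compile(r"^(rdi|rsi|rdx|rcx):(.*)$")
VTABLE_RE = re.compile(r"^vtable_start:\s*(0x[0-9a-f]+)$", re.I)

@dataclass
class KextClass:
    kext: str
    binary: str
    ctor_fileoff: int               # file offset of the OSMetaClass::OSMetaClass call
    metaclass: int = 0              # rdi: the OSMetaClass object under construction
    name: str = ""                  # rsi: class name
    superclass: int = 0             # rdx: superclass OSMetaClass pointer
    size: int = 0                   # rcx: instance size
    vtable_start: int = 0           # file offset of the vtable
    vtable: list = field(default_factory=list)

    @property
    def superclass_external(self) -> bool:
        return self.superclass == EXTERNAL_SUPERCLASS

    def own_methods(self) -> list:  # slots named "<name>_<method>" are implemented by this class
        prefix = self.name + "_"
        return [f[len(prefix):] for f in self.vtable if f.startswith(prefix)]

def parse_mackextdump(text: str) -> list:
    classes, kext, binary, cur, in_vtable = [], "", "", None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if m := KEXT_RE.match(line):                       # new kext section
            kext, binary, cur, in_vtable = m.group(2), "", None, False
        elif cur is None and (m := PATH_RE.match(line)):
            binary = m.group(1)
        elif m := CALL_RE.match(line):                     # one record per constructor call
            cur = KextClass(kext, binary, int(m.group(1), 16))
            classes.append(cur)
            in_vtable = False
        elif cur is None:
            continue
        elif in_vtable:                                    # names until the next record/section
            cur.vtable.append(line)
        elif m := REG_RE.match(line):
            reg, val = m.group(1), m.group(2).strip()
            if reg == "rsi":
                cur.name = val
            else:
                setattr(cur, {"rdi": "metaclass", "rdx": "superclass", "rcx": "size"}[reg], int(val, 16))
        elif m := VTABLE_RE.match(line):
            cur.vtable_start = int(m.group(1), 16)
        elif line == "vtable functions:":
            in_vtable = True
    return classes

def user_client_entrypoints(classes: list) -> list:
    hits = []                       # (class name, overridden IOUserClient dispatch methods)
    for c in classes:
        own = set(c.own_methods())
        found = [m for m in USER_CLIENT_ENTRYPOINTS if m in own]
        if found:
            hits.append((c.name, found))
    return hits

# Constructed input: record 1 is the sample output above; record 2 ("ExampleHelper") is invented
# to show an in-binary superclass (its rdx is record 1's rdi).
SAMPLE = """\
******** 43:com.apple.AMDRadeonAccelerator *******
**/Users/huke/Desktop/mackext_copy/10_12_1_kext/AMDRadeonX3000.kext/Contents/MacOS/AMDRadeonX3000**
(0x3c6d8)->OSMetaClass:OSMetaClass call 4 args list
rdi:0x567488
rsi:AMDR8xxGLContext
rdx:0xffffffffffffffff
rcx:0x1d58
vtable_start: 0x236b00
vtable functions:
AMDR8xxGLContext_E
AMDR8xxGLContext_
AMDR8xxGLContext_getMetaClass
AMDR8xxGLContext_getTargetAndMethodForIndex
IOAccelContext2_getOwningTask
IOAccelContext2_getOwningTaskPid
(0x3d0a0)->OSMetaClass:OSMetaClass call 4 args list
rdi:0x567500
rsi:ExampleHelper
rdx:0x567488
rcx:0x40
vtable_start: 0x236f00
vtable functions:
ExampleHelper_getMetaClass
"""
if __name__ == "__main__":
    print(user_client_entrypoints(parse_mackextdump(SAMPLE)))
```

Feed it a saved batch-analysis file with parse_mackextdump(open(path).read()); the vtable entries are kept verbatim, so inherited slots (the IOAccelContext2_... names above) stay attributed to the class that implements them, and own_methods() isolates the overrides, which is what you want when triaging which classes handle user-controlled selectors.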