http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
http://ddeville.me/2015/08/kernel-debugging-with-lldb-and-vmware-fusion
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/Defcon-25-min-spark-zheng-macos-ios-kernel-debugging.pdf
https://theori.io/research/korean/osx-kernel-exploit-1
Method One: LLDB + VMware Fusion + KDK
Preparation
1. Install LLDB on your Mac (install the Xcode version that matches your macOS version; LLDB ships with Xcode): https://developer.apple.com/download/more/
2. Install VMware Fusion on your Mac.
3. Prepare a macOS image.
4. Download the Kernel Debug Kit (KDK) matching the guest's macOS version: https://developer.apple.com/download/more/
Operations in the virtual machine
1. Install the macOS virtual machine
2. Install the matching version of the Kernel Debug Kit (KDK)
3. Turn off SIP
Disable SIP inside the virtual machine: hold Command+R while booting to enter Recovery mode, open Terminal and run csrutil disable. After rebooting, run csrutil status to confirm that SIP is disabled.
4. Kernel replacement
Copy the kernel.development executable from the KDK installation directory to /System/Library/Kernels (root privileges are needed for the copy):
sudo cp /Library/Developer/KDKs/KDK_10.12.1_16B2657.kdk/System/Library/Kernels/kernel.development /System/Library/Kernels
5. Set boot-args
To put the virtual machine into debug mode, set boot-args in NVRAM with the following command:
sudo nvram boot-args="debug=0x141 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"
The arguments mean the following:
debug=0x141: kernel debug flags (the meaning of each bit was given in a figure that is not reproduced here)
kext-dev-mode=1: allow loading unsigned kexts
kcsuffix=development: load the kernel.development kernel copied in the previous step
pmuflags=1: turn off the watchdog timer
-v: verbose boot, showing kernel loading information
6. Clear the kext cache
sudo kextcache -invalidate /
This invalidates the kext cache of the virtual machine so that the new debug kernel is actually used on the next boot.
7. Download the kernel source
Run uname -v to see the XNU source version, then download that version from Apple's open source site: https://opensource.apple.com/tarballs/xnu/
8. Note the virtual machine's network configuration
To connect the debugger to the virtual machine we need its network configuration, in particular its IP address.
Operations on the host
1. Install Xcode
LLDB ships with Xcode; choose the Xcode version that matches your macOS version. I chose 8.3.3.
2. Install the Kernel Debug Kit
Install the same version of the Kernel Debug Kit as in the virtual machine.
3. Turn off SIP
Start debugging
1. Restart the virtual machine
The virtual machine will halt early in boot and wait for the debugger to connect.
2. Start LLDB and set the target to the (local) kernel binary from the KDK
$ lldb
(lldb) target create /Library/Developer/KDKs/KDK_10.12.1_16B2657.kdk/System/Library/Kernels/kernel.development
If LLDB warns that kernel.development contains a debug script that was not loaded (the warning was shown in a figure that is not reproduced here), run the two commands below. The first loads the kernel debugging macros for the current session; the second makes LLDB load them automatically in future sessions (note that > overwrites an existing ~/.lldbinit; use >> to append instead):
(lldb) command script import "/Library/Developer/KDKs/KDK_10.12.1_16B2657.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/../Python/kernel.py"
$ echo "settings set target.load-script-from-symbol-file true" > ~/.lldbinit
Then restart LLDB and set the target to the (local) kernel binary from the KDK again.
3. Connect to the virtual machine
Run the following command, substituting the IP address of the virtual machine noted earlier:
(lldb) kdp-remote <virtual machine IP address>
You can now start debugging.
Remaining problem
Once the kernel has booted and the debugger has continued execution, the kernel can no longer be stopped from the debugger.
1. Improvement
Run the following in the virtual machine (debug=0x144 instead of debug=0x141):
$ sudo nvram boot-args="debug=0x144 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"
Then, whenever you want to interrupt the running kernel, press the following key combination in the virtual machine:
Command-Option-Control-Shift-Escape
The kernel stops and hands control to the debugger.
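The difference between the two nvram lines above is entirely in the debug= bitmask. The following Python script is an added example, not part of the original article: it parses a boot-args string and decodes the debug= value into the DB_* flag names defined in xnu's osfmk/kern/debug.h (the flag table and its one-line comments are reproduced from that header as I remember it and should be checked against your own XNU source). It shows that 0x141 sets DB_HALT, so the kernel stops exactly once at boot, while 0x144 swaps that bit for DB_NMI, which is what allows the key chord to stop a running kernel.

```python
# Added example (not from the original article): decode the `debug=` value in a
# macOS boot-args string into the DB_* flags from xnu's osfmk/kern/debug.h.
# It shows why the two nvram lines in the article behave differently: 0x141
# contains DB_HALT (stop once, at boot, and wait for a debugger), while 0x144
# swaps it for DB_NMI (let the NMI key chord stop the kernel at any time).

# Flag bits and names as defined in xnu osfmk/kern/debug.h (subset); the short
# comments are my summary of each bit and should be checked against the header.
DEBUG_FLAGS = {
    0x0001: "DB_HALT",                # halt at boot and wait for the debugger
    0x0002: "DB_PRT",                 # kernel printf output also goes to the console
    0x0004: "DB_NMI",                 # NMI (keyboard chord) drops into the debugger
    0x0008: "DB_KPRT",                # kprintf output goes to the serial port
    0x0010: "DB_KDB",                 # prefer the in-kernel debugger (custom kernel)
    0x0020: "DB_SLOG",                # extra diagnostics to the system log
    0x0040: "DB_ARP",                 # let the debugger ARP/route across subnets
    0x0080: "DB_KDP_BP_DIS",          # compatibility with old gdb versions
    0x0100: "DB_LOG_PI_SCRN",         # text panic log instead of the graphical dialog
    0x0200: "DB_KDP_GETC_ENA",        # wait for a keypress after a panic
    0x0400: "DB_KERN_DUMP_ON_PANIC",  # send a core dump to the kdump server on panic
    0x0800: "DB_KERN_DUMP_ON_NMI",    # send a core dump on NMI
}


def parse_boot_args(boot_args: str) -> dict:
    """Split a boot-args string into {key: value}; bare flags such as -v map to True."""
    args = {}
    for token in boot_args.split():
        key, sep, value = token.partition("=")
        args[key] = value if sep else True
    return args


def parse_int(text: str) -> int:
    """Accept a 0x-prefixed hex value (0x141) or a plain decimal value (321)."""
    text = text.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def decode_debug_flags(value: int) -> list:
    """Names of the DB_* bits set in value, lowest bit first; unknown bits as hex."""
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(DEBUG_FLAGS.get(bit, f"unknown(0x{bit:x})"))
        bit <<= 1
    return names


def describe(boot_args: str) -> dict:
    """Summarise the debugging-relevant parts of a boot-args string."""
    args = parse_boot_args(boot_args)
    debug_value = parse_int(args["debug"]) if isinstance(args.get("debug"), str) else 0
    flags = decode_debug_flags(debug_value)
    suffix = args.get("kcsuffix")
    return {
        "debug": debug_value,
        "flags": flags,
        "waits_for_debugger_at_boot": "DB_HALT" in flags,
        "nmi_breaks_into_debugger": "DB_NMI" in flags,
        "kernel": f"kernel.{suffix}" if isinstance(suffix, str) else "kernel",
        "verbose": args.get("-v") is True,
    }


# The two boot-args lines from the article.
ORIGINAL = "debug=0x141 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"
IMPROVED = "debug=0x144 kext-dev-mode=1 kcsuffix=development pmuflags=1 -v"

if __name__ == "__main__":
    for label, line in (("original", ORIGINAL), ("improved", IMPROVED)):
        info = describe(line)
        print(f"{label}: debug=0x{info['debug']:x} -> {', '.join(info['flags'])}")
```

Running the script prints the decoded flag list for both lines; the only change from DB_HALT to DB_NMI explains why the kernel could be stopped only once at boot with the first line and at any time with the second.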
Method Two: VMware Fusion GDB stub + LLDB
Modify the virtual machine configuration file
Each virtual machine bundle (.vmwarevm) contains a .vmx configuration file that can be edited (make sure the virtual machine is not running while you edit it).
Open it in a text editor and add the following line:
# If you are debugging a 32-bit guest, use debugStub.listen.guest32 instead
debugStub.listen.guest64 = "TRUE"
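As an added example that is not from the original article, the following Python helper makes the .vmx edit above repeatable: it rewrites an existing debugStub.listen.guest64 (or guest32) line in place, appends the line if it is missing, and refuses to touch a file that looks like it belongs to a running virtual machine. The flat key = "value" layout of .vmx files, the constructed sample file and the lock-directory check (VMware keeps a <name>.vmx.lck directory next to the .vmx of a running VM) are assumptions from my own use of Fusion, not something the article states.

```python
# Added example (not from the original article): enable the VMware Fusion GDB
# stub by editing the .vmx file, as Method Two describes, without disturbing
# the rest of the configuration. A .vmx file is a flat list of `key = "value"`
# lines, so the helper rewrites a key in place or appends it; running it twice
# leaves the file unchanged.
import re
from pathlib import Path

# One `key = "value"` line; comment lines (#) and blank lines do not match.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx content for offline testing (not a real VM's file).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
displayName = "macOS debug guest"
guestOS = "darwin16-64"
"""


def parse_vmx(text: str) -> dict:
    """Return the key/value pairs of .vmx text; later duplicates win."""
    entries = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def set_vmx_options(text: str, options: dict) -> str:
    """Return text with every key in options set.

    Keys that already exist are rewritten on their original line so the file
    keeps its order; missing keys are appended at the end.
    """
    lines = text.splitlines()
    pending = dict(options)
    for index, line in enumerate(lines):
        match = VMX_LINE.match(line)
        if match and match.group(1) in pending:
            key = match.group(1)
            lines[index] = f'{key} = "{pending.pop(key)}"'
    for key, value in pending.items():
        lines.append(f'{key} = "{value}"')
    return "\n".join(lines) + "\n"


def enable_gdb_stub(text: str, guest_bits: int = 64) -> str:
    """Enable the GDB stub for a 64-bit (default) or 32-bit guest."""
    if guest_bits not in (32, 64):
        raise ValueError("guest_bits must be 32 or 64")
    return set_vmx_options(text, {f"debugStub.listen.guest{guest_bits}": "TRUE"})


def vm_appears_running(vmx_path: Path) -> bool:
    """Heuristic (assumption): Fusion keeps a <name>.vmx.lck directory beside
    the .vmx of a running VM, so its presence means 'do not edit now'."""
    return (vmx_path.parent / (vmx_path.name + ".lck")).exists()


def enable_gdb_stub_in_file(vmx_path: Path, guest_bits: int = 64) -> bool:
    """Edit the .vmx on disk; return False and change nothing if the VM seems to be running."""
    if vm_appears_running(vmx_path):
        return False
    original = vmx_path.read_text()
    updated = enable_gdb_stub(original, guest_bits)
    if updated != original:
        vmx_path.write_text(updated)
    return True


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        ok = enable_gdb_stub_in_file(Path(sys.argv[1]))
        print("updated" if ok else "refused: VM appears to be running")
    else:
        print(enable_gdb_stub(SAMPLE_VMX), end="")
```

Run it with the path to the .vmx inside the .vmwarevm bundle to edit the file, or with no arguments to print what it would do to the constructed sample.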
Debugging with GDB
GDB must be installed on the Mac (installation is left to the reader).
Start the virtual machine, then attach to it from GDB:
(gdb) file /Library/Developer/KDKs/KDK_10.10.5_14F27.kdk/System/Library/Kernels/kernel.development
Reading symbols from /Library/Developer/KDKs/KDK_10.10.5_14F27.kdk/System/Library/Kernels/kernel.development...
Reading symbols from /Library/Developer/KDKs/KDK_10.10.5_14F27.kdk/System/Library/Kernels/kernel.development.dSYM/Contents/Resources/DWARF/kernel.development...done.
(gdb) target remote localhost:8864
Remote debugging using localhost:8864
0xffffff800f9f1e52 in ?? ()
Debugging with LLDB
LLDB can also connect to a GDB remote stub, using the gdb-remote command:
(lldb) file /Library/Developer/KDKs/KDK_10.10.5_14F27.kdk/System/Library/Kernels/kernel.development
Current executable set to '/Library/Developer/KDKs/KDK_10.10.5_14F27.kdk/System/Library/Kernels/kernel.development' (x86_64).
(lldb) gdb-remote 8864
Kernel UUID: C75BDFDD-9F27-3694-BB80-73CF991C13D8
Load Address: 0xffffff800f800000
Kernel slid 0xf600000 in memory.
Loaded kernel file /Library/Developer/KDKs/KDK_10.10.5_14F27.kdk/System/Library/Kernels/kernel.development
Loading 87 kext modules ....................................................................................... done.
Target arch: x86_64
Connected to live debugserver or arm core. Will associate on-core threads to registers reported by server.
Process 1 stopped
* thread #3: tid = 0x0066, name = '0xffffff801c91d9c0', queue = 'cpu-0', stop reason = signal SIGTRAP
    frame #0: 0xffffffffffffffff
Interrupting at any time
With the GDB stub, pressing Ctrl+C in the debugger is enough to stop the running kernel at any moment.
macOS Kernel Debug Environment Setup