Skip to content

Instantly share code, notes, and snippets.

@uroboro

uroboro/OFFSET_IOSURFACEROOTUSERCLIENT_VTAB explanation.md

Created December 9, 2017 18:31
Show Gist options
  • Save uroboro/2cc054e1bc995232a4919044eae29967 to your computer and use it in GitHub Desktop.
Save uroboro/2cc054e1bc995232a4919044eae29967 to your computer and use it in GitHub Desktop.
Download ZIP
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB explanation.md
Raw
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB explanation.md

Explanation for OFFSET_IOSURFACEROOTUSERCLIENT_VTAB

  1. extract the IOSurface kext
  2. hex -dump the entire __DATA_CONST.__const segment
  3. you should see a lot of pointers, occasionally separated by some zeroes - you're looking at vtable contents, e.g.:

now subclasses of IOUserClient have huge vtables, a couple hundred pointers also radare2 nicely shows pointers from the kext in red and those from the kernel in green now you go through vtables and use the 8th pointer (here 0xfffffff0066c1f60) to check what type it belongs to

that function looks like:

0xfffffff0066c1f60      007b00d0       adrp x0, 0xfffffff007623000
0xfffffff0066c1f64      00c03a91       add x0, x0, 0xeb0
0xfffffff0066c1f68      c0035fd6       ret

This is the metaclass pointer, so now you gotta look for other code doing adrp x0, 0xfffffff007623000; add x0, x0, 0xeb0

from all locations doing that, it's usually the second-last you're looking for, e.g.:

0xfffffff0066c512c      e07a00d0       adrp x0, 0xfffffff007623000
0xfffffff0066c5130      00c03a91       add x0, x0, 0xeb0
0xfffffff0066c5134      e1d6fff0       adrp x1, 0xfffffff0061a4000
0xfffffff0066c5138      21e82b91       add x1, x1, 0xafa
0xfffffff0066c513c      62410090       adrp x2, 0xfffffff006ef1000

here x1 is loaded with a pointer to a string, and that string is the class'es name, in this case IOSurfaceRootUserClient

left column is the address, middle two columns is the data at that address and right columns is that same data, just in ASCII now you see one group starting at 0xfffffff006ef1d48 first 4 values being 0xfffffff0066b9098 0xfffffff0066b90ac 0xfffffff007433cec 0xfffffff007433d00 (first red text) and the 8th pointer there would be 0xfffffff0066b90d4 example walk:

One more time

ok, in that screenshot, there are 3 vtables, starting at 0xfffffff006ef1d48, 0xfffffff006ef2050 and 0xfffffff006ef20e0 each (just the ones with two null pointers before them) (* two or more, I should say) now, the first and third have a red 8th pointer while the 2nd vtable has a green one that means the 2nd is a metaclass and not of interest also, merely from the size you can infer that the third cannot be an IOService or IOUserClient

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment