Small fixes - cleanup

README.md

@@ -54,17 +54,17 @@ The kext portion runs as a kernel extension. The kext code is present in the `ke
 
 The userspace portion can either be built as a static library or command line tool. The code for both is in the `user` folder.
 
-.
-├── arm64/
-├── x86_64/
-├── darwinkit/
-├── kernel/
-│   ├── start.cc
-└── user/
-│   ├── main.cc
+    .
+    ├── arm64/
+    ├── x86_64/
+    ├── darwinkit/
+    ├── kernel/
+    │   ├── start.cc
+    └── user/
+        ├── main.cc
 
-### Features
-####  Kext
+## Features
+###  Kext
 - Symbolicating the XNU Kernel and all loaded kexts in the `KernelCache`/`KernelCollection`
 - Parse MachOs of all kinds in Kernels/Kexts/etc
 - Read/Write/Allocate/Deallocate/Map/Remap/Protect Virtual Memory

arm64/disassembler_arm64.cc

@@ -50,7 +50,7 @@ bool Init() {
         cs_err err = cs_option(0, CS_OPT_MEM, reinterpret_cast<size_t>(&setup));
 
         if (err != CS_ERR_OK) {
-            DARWIN_RK_LOG("MacRK::Disassembler::init() failed 1!\n");
+            DARWIN_KIT_LOG("MacRK::Disassembler::init() failed 1!\n");
 
             return false;
         }
@@ -63,7 +63,7 @@ bool Init() {
     cs_err err = cs_open(CS_ARCH_ARM64, CS_MODE_ARM, &handle_arm64);
 
     if (err != CS_ERR_OK) {
-        DARWIN_RK_LOG("MacRK::Disassembler::init() failed! 2 err = %d\n", err);
+        DARWIN_KIT_LOG("MacRK::Disassembler::init() failed! 2 err = %d\n", err);
 
         return false;
     }
@@ -74,13 +74,13 @@ bool Init() {
         err = cs_option(handle_arm64, CS_OPT_DETAIL, CS_OPT_ON);
 
         if (err != CS_ERR_OK) {
-            DARWIN_RK_LOG("MacRK::Disassembler::init() failed! 3\n");
+            DARWIN_KIT_LOG("MacRK::Disassembler::init() failed! 3\n");
 
             return false;
         }
     }
 
-    DARWIN_RK_LOG("MacRK::Disassembler::init() success!\n");
+    DARWIN_KIT_LOG("MacRK::Disassembler::init() success!\n");
 
     return true;
 }
@@ -232,7 +232,7 @@ xnu::mach::VmAddress DisassembleNthInstruction(xnu::mach::VmAddress address, arm
     cs_insn* result = nullptr;
 
     if (!address) {
-        DARWIN_RK_LOG("MacRK::Disassembler::disassembleNthInstruction() address = 0!\n");
+        DARWIN_KIT_LOG("MacRK::Disassembler::disassembleNthInstruction() address = 0!\n");
 
         return 0;
     }
@@ -273,7 +273,7 @@ xnu::mach::VmAddress DisassembleNthInstruction(xnu::mach::VmAddress address, arm
         offset += disasm_size;
     }
 
-    DARWIN_RK_LOG("MacRK::Disassembler::disasm size = 0!!\n");
+    DARWIN_KIT_LOG("MacRK::Disassembler::disasm size = 0!!\n");
 
     return 0;
 }

darwinkit/hook.cc

@@ -135,11 +135,8 @@ xnu::mach::VmAddress Hook::GetTrampolineFromChain(xnu::mach::VmAddress address)
 
         if (to == address) {
 #ifdef __arm64__
-
             __asm__ volatile("PACIZA %[pac]" : [pac] "+rm"(trampoline));
-
 #endif
-
             return trampoline;
         }
     }
@@ -222,7 +219,7 @@ void Hook::HookFunction(xnu::mach::VmAddress to, enum HookType hooktype) {
     min = disassembler->InstructionSize(from, branch_size);
 
     if (!min) {
-        DARWIN_RK_LOG("Cannot hook! Capstone failed!\n");
+        DARWIN_KIT_LOG("Cannot hook! Capstone failed!\n");
 
         return;
     }
@@ -238,8 +235,8 @@ void Hook::HookFunction(xnu::mach::VmAddress to, enum HookType hooktype) {
 
     union Branch to_hook_function;
 
-    // build the FunctionPatch branch/jmp instruction from original function to hooked function
-    // NOTE: if function is hooked more than once, then original = previous hook
+    // Builds the FunctionPatch branch/jmp instruction from original function to hooked function
+    // If the function is hooked more than once, then original = previous hook
 
     architecture->MakeBranch(&to_hook_function, to, from);
 
@@ -249,8 +246,7 @@ void Hook::HookFunction(xnu::mach::VmAddress to, enum HookType hooktype) {
 
     union Branch to_original_function;
 
-    // build the FunctionPatch branch/jmp instruction from trampoline to original function
-
+    // Builds the FunctionPatch branch/jmp instruction from trampoline to original function
     architecture->MakeBranch(&to_original_function, from + min,
                              payload->GetAddress() + payload->GetCurrentOffset());
 
@@ -310,9 +306,8 @@ void Hook::AddBreakpoint(xnu::mach::VmAddress breakpoint_hook, enum HookType hoo
 
     union Branch to_trampoline;
 
-    // build the FunctionPatch branch/jmp instruction from original function to hooked function
-    // NOTE: if function is hooked more than once, then original = previous hook
-
+    // Builds the FunctionPatch branch/jmp instruction from original function to hooked function
+    // If the function is hooked more than once, then original = previous hook
     architecture->MakeBranch(&to_trampoline, trampoline, from);
 
     replace_opcodes = new UInt8[branch_size];
@@ -322,7 +317,7 @@ void Hook::AddBreakpoint(xnu::mach::VmAddress breakpoint_hook, enum HookType hoo
     Size breakpoint_size = architecture->GetBreakpointSize();
 
     if (breakpoint_hook) {
-        // set a conditional breakpoint
+        // Sets a conditional breakpoint
         union FunctionCall call_breakpoint_hook;
 
         union Breakpoint breakpoint;
@@ -349,7 +344,7 @@ void Hook::AddBreakpoint(xnu::mach::VmAddress breakpoint_hook, enum HookType hoo
         payload->WriteBytes((UInt8*)pop_registers,
                             (Size)((UInt8*)pop_registers_end - (UInt8*)pop_registers));
     } else {
-        // break regardless
+        // Breaks regardless
         union Breakpoint breakpoint;
 
         payload->WriteBytes((UInt8*)push_registers,
@@ -365,8 +360,7 @@ void Hook::AddBreakpoint(xnu::mach::VmAddress breakpoint_hook, enum HookType hoo
 
     union Branch to_original_function;
 
-    // build the FunctionPatch branch/jmp instruction from trampoline to original function
-
+    // Builds the FunctionPatch branch/jmp instruction from trampoline to original function
     payload->WriteBytes(original_opcodes, min);
 
     architecture->MakeBranch(&to_original_function, from + min,
@@ -393,4 +387,6 @@ void Hook::AddBreakpoint(xnu::mach::VmAddress breakpoint_hook, enum HookType hoo
     RegisterHook(hook);
 }
 
-void Hook::RemoveBreakpoint() {}
+void Hook::RemoveBreakpoint() {
+
+}

darwinkit/log.h

@@ -26,12 +26,12 @@ extern "C" {
 
 #include <os/log.h>
 
-#define DARWIN_RK_LOG(...) os_log(OS_LOG_DEFAULT, __VA_ARGS__)
+#define DARWIN_KIT_LOG(...) os_log(OS_LOG_DEFAULT, __VA_ARGS__)
 
 #endif
 
 #ifdef __USER__
 
-#define DARWIN_RK_LOG printf
+#define DARWIN_KIT_LOG printf
 
 #endif

darwinkit/macho.cc

@@ -322,10 +322,10 @@ void MachO::ParseSymbolTable(xnu::macho::Nlist64* symtab, UInt32 nsyms, char* st
 
         symbolTable->AddSymbol(symbol);
 
-        DARWIN_RK_LOG("MacRK::Symbol %s 0x%llx\n", name, address);
+        DARWIN_KIT_LOG("MacRK::Symbol %s 0x%llx\n", name, address);
     }
 
-    DARWIN_RK_LOG("MacRK::MachO::%u syms!\n", nsyms);
+    DARWIN_KIT_LOG("MacRK::MachO::%u syms!\n", nsyms);
 }
 
 void MachO::ParseLinkedit() {}

darwinkit/segment.h

@@ -38,18 +38,14 @@ class Segment {
           size(segment_command->vmsize), fileoffset(segment_command->fileoff),
           filesize(segment_command->filesize) {
         name = new char[strlen(segment_command->segname) + 1];
-
         strlcpy(name, segment_command->segname, strlen(segment_command->segname) + 1);
-
         PopulateSections();
     }
 
     ~Segment() {
         delete name;
-
         for (int i = 0; i < sections.size(); i++) {
             Section* section = sections.at(i);
-
             delete section;
         }
     }
@@ -103,10 +99,9 @@ class Segment {
     }
 
     void PopulateSections() {
-        xnu::macho::Segment64 *segment = segment;
-        UInt32 nsects = segment->nsects;
+        Int32 nsects = segment->nsects;
         UInt32 offset = sizeof(struct segment_command_64);
-        for (int32_t i = 0; i < nsects; i++) {
+        for (Int32 i = 0; i < nsects; i++) {
             xnu::macho::Section64* sect =
                 reinterpret_cast<xnu::macho::Section64*>((UInt8*)segment + offset);
             Section* section = new Section(sect);

kernel/backtrace.cc

@@ -170,16 +170,16 @@ void debug::PrintBacktrace() {
 
                 snprintf(buffer, 128, "0x%llx", fp);
 
-                DARWIN_RK_LOG("DarwinKit::frame pointer = %s\n", buffer);
+                DARWIN_KIT_LOG("DarwinKit::frame pointer = %s\n", buffer);
 
                 snprintf(buffer, 128, "0x%llx", lr);
 
-                DARWIN_RK_LOG("DarwinKit::link register = %s\n", buffer);
+                DARWIN_KIT_LOG("DarwinKit::link register = %s\n", buffer);
 
                 symbol = debug::symbolicate::GetSymbolFromAddress(lr, &delta);
 
                 if (symbol) {
-                    DARWIN_RK_LOG("DarwinKit::frame %u: %s %s + %llu\n", frame, buffer, symbol->GetName(),
+                    DARWIN_KIT_LOG("DarwinKit::frame %u: %s %s + %llu\n", frame, buffer, symbol->GetName(),
                                delta);
                 }
 
@@ -206,7 +206,7 @@ void debug::PrintBacktrace() {
             if (LooksLikeKernelPointer(rip)) {
                 symbol = debug::symbolicate::GetSymbolFromAddress(rip, &delta);
 
-                DARWIN_RK_LOG("frame %u: 0x%x %s + %llu", frame, rip, symbol->GetName(), delta);
+                DARWIN_KIT_LOG("frame %u: 0x%x %s + %llu", frame, rip, symbol->GetName(), delta);
 
                 rbp = *(UInt64*)rbp;
             } else

kernel/device_tree.cc

@@ -273,7 +273,7 @@ DeviceTreeProperty* DeviceTree::FindProperty(char* nodename, char* propname) {
         if (success) {
             DeviceTreeProperty* prop = (DeviceTreeProperty*)node;
 
-            DARWIN_RK_LOG("%s %s ", nodename, prop->name);
+            DARWIN_KIT_LOG("%s %s ", nodename, prop->name);
 
             DeviceTree::PrintData((UInt8*)&prop->val, prop->size);
 
@@ -286,17 +286,17 @@ DeviceTreeProperty* DeviceTree::FindProperty(char* nodename, char* propname) {
 
 void DeviceTree::PrintData(UInt8* prop_data, UInt32 prop_size) {
     if (is_ascii((char*)prop_data, prop_size) && !prop_data[strlen((char*)prop_data)]) {
-        DARWIN_RK_LOG("%s ", (char*)prop_data);
+        DARWIN_KIT_LOG("%s ", (char*)prop_data);
     } else if (prop_size == sizeof(UInt64)) {
-        DARWIN_RK_LOG("0x%llx ", *(UInt64*)prop_data);
+        DARWIN_KIT_LOG("0x%llx ", *(UInt64*)prop_data);
     } else if (prop_size == sizeof(UInt32)) {
-        DARWIN_RK_LOG("0x%x ", *(UInt32*)prop_data);
+        DARWIN_KIT_LOG("0x%x ", *(UInt32*)prop_data);
     } else {
         for (UInt32 j = 0; j < prop_size; j++)
-            DARWIN_RK_LOG("%x ", prop_data[j]);
+            DARWIN_KIT_LOG("%x ", prop_data[j]);
     }
 
-    DARWIN_RK_LOG("\n");
+    DARWIN_KIT_LOG("\n");
 }
 
 void DeviceTree::PrintNode(char* nodename) {
@@ -333,9 +333,9 @@ void DeviceTree::Print(DeviceTreeNode* node, Size node_size) {
         UInt32 prop_size = prop->size;
 
         for (UInt32 j = 0; j < depth; j++)
-            DARWIN_RK_LOG("\t");
+            DARWIN_KIT_LOG("\t");
 
-        DARWIN_RK_LOG("%s ", prop->name);
+        DARWIN_KIT_LOG("%s ", prop->name);
 
         PrintData(prop_data, prop_size);
 
@@ -363,7 +363,7 @@ T DeviceTree::Dump() {
         UInt64 to_read = sz / 0x1000 > 0 ? 0x1000 : sz;
 
         if (!(UInt64*)(dt + off, device_tree + off, to_read)) {
-            DARWIN_RK_LOG("Failed to dump device tree at 0x%llx\n", dt + off);
+            DARWIN_KIT_LOG("Failed to dump device tree at 0x%llx\n", dt + off);
 
             return nullptr;
         }