Skip to content

malus-security/kextractor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
README.md
README.md
 
 

Repository files navigation

Kextractor - kernel cache manipulation library

Python library for viewing and extracting kernel extensions from a given iOS kernel cache. It is currently available for both Linux and macOS.

Note that the kernel cache should be decompressed and decrypted (if needed) before Kextractor is used. For versions starting from iOS 10, the kernel cache is not encrypted. The compression algorithm used for versions up to iOS 14 is LZSS, and for iOS 14 onwards the compression changed to BVX2.

Instalation

In order to install the library you should first install lief with python bindings and then use:

$ sudo ./setup.py install

You might get this error:

No module named defusedxml.xmlrpc

If that is the case, you need to install defusedxml with python bindings.

After installing the library you can use kextractor script from the /scripts directory.

Usage

usage: kextractor [-h] [-K KEXT] [-k] [-o OUTDIR] KCACHE

Kernel cache manipulation tool

positional arguments:
  KCACHE                path to decrypted kernel cache

optional arguments:
  -h, --help            show this help message and exit
  -K KEXT, --extract-kext KEXT
                        extract kernel extension from kernel cache
  -k, --show-kexts      show kernel extensions in kernel cache
  -o OUTDIR, --output-dir OUTDIR
                        store data to given directory

KCACHE is the path to the decrypted kernel cache file. If you use kextractor without any optional argument, it will extract all kernel extensions from cache. This option is more time consuming for the most recent iOS versions.

	$ kextractor KCACHE

If you only want to target a certain extension, you should use the -K argument followed by the name of the targeted extension:

	$ kextractor -K <name_of_extension> KCACHE

Kextractor also has a decompression script for kernel cache from iOS 14 onwards. For that, use the decompress script from kextractorlib. Before using the script, you will need to create a file with the extension mach.arm which will be used to store the result and you need to install pyliblzfse(https://github.com/ydkhatri/pyliblzfse). The script requires 2 offsets which can be found by using the get_bvx_section_offsets script from kextractorlib. Note that the decompression script doesn't need any arguments, while the get_bvx_section_offsets script needs the path to the compressed kernel cache file.

Supported iOS versions

Kextractor is currently working for every iOS version up to iOS 12. For versions starting from iOS 12 Kextractor is only able to extract the text section. The format of kernelcaches has changed significantly from this version onwards: - Some segments from the extensions have been integrated into the __TEXT,__DATA_CONST, __TEXT_EXEC, __DATA and __LINKEDIT segments - There are some new sections - Some old segments are now 0 bytes long (__PRELINK_TEXT, __PLK_TEXT_EXEC, __PRELINK_DATA and __PLK_DATA_CONST) - There is no symbol information

About

Kernel Cache Manipulation Library

Topics

ios reverse-engineering hacktoberfest kernelcache

Resources

Readme
Activity
Custom properties

Stars

4 stars

Watchers

9 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •