Generation of IOKit's Classes Hierarchy

In the beginning

This week I got an email asking how to generate the file iokit.csv. This file is used by the dendrogram.

This article contains the steps required to generate that file. For more information on how this works, see the papers, presentations and videos about reverse engineering the kernelcache and iOS. The script was written for IDA Pro and works with kernelcaches without PAC/tagged pointers. It is also worth mentioning iokit-dumper-arm64: according to its description the result is the same, but the method of obtaining the data is different. My script's purpose is to automatically restore vtable/class structures; generating the class inheritance is not its main function.

Instruments

For file generation you should have:

  • IDA Pro
  • Unicorn engine
  • Plugin for IDA Pro - idaemu (copy idaemu.py to %IDAPro%/plugins)
  • 2 scripts from nixerr/ida_scripts for IDA Pro
    • rename_got.py
    • reconstruct_iokit_classes.py
  • Script for converting the output data to CSV
    • parse_to_csv.py
  • HTML template for the dendrogram, in the directory
    • d3_dentogramm

What does rename_got.py do?

It renames the functions in each “*.got” driver section of the kernelcache. This script should be run first.

What does reconstruct_iokit_classes.py do?

It is a bit more involved (simplified view):

  1. For each *.__mod_init_func driver section, collect the addresses of the init functions.
  2. Emulate each init function with the Unicorn engine to obtain the values of the parameters passed to OSMetaClass::OSMetaClass and the address of the meta-vtable.
  3. Take the address of the alloc function from the meta-vtable (step 2). Emulate the alloc function and save the address of the object vtable.
  4. Create the structures for the class and the object vtable.

Example

You can download iOS firmware from ipsw.me. Next, unpack the firmware and then unpack the kernelcache:

  1. Open the kernelcache in IDA Pro and wait until the analysis finishes.
  2. Run rename_got.py: File->Script file (Alt+F7) and choose rename_got.py.
  3. Run reconstruct_iokit_classes.py: File->Script file (Alt+F7) and choose reconstruct_iokit_classes.py. Wait; the script takes some time.
  4. The file classes_iphone.txt will be created in the directory where IDA Pro keeps the database file (*.i64).
  5. Remove the duplicates from the file by running: cat classes_iphone.txt | sort -u > classes_X_11.4.txt. If you skip this, you may have problems with the HTML template.
  6. Convert classes_X_11.4.txt to CSV format with parse_to_csv.py: python parse_to_csv.py -in classes_X_11.4.txt -out d3_dentogramm/iokit.csv
  7. Go to the directory d3_dentogramm and start a web server: cd d3_dentogramm && python -m SimpleHTTPServer
  8. Open the page in a browser: http://localhost:8000/
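Steps 5 and 6 exist because the dendrogram needs a clean single-rooted tree: a duplicated or conflicting "child, parent" pair is exactly what breaks it. The following is an added example (not parse_to_csv.py itself) that does the deduplication in code and validates the hierarchy before writing CSV. It assumes the text file holds one "Child Parent" pair per line and emits id,parentId columns, the layout d3.stratify reads by default; the real script's input and output columns may differ, so check them against the template's loader.

```python
import csv
import io

# Constructed sample of a classes_iphone.txt-style file, with deliberate duplicates.
SAMPLE_CLASSES_TXT = """\
OSObject OSMetaClassBase
IORegistryEntry OSObject
IOService IORegistryEntry
IOService IORegistryEntry
IOUserClient IOService
IOUserClient IOService
"""


def parse_pairs(text):
    """Parse 'Child Parent' lines into deduplicated (child, parent) tuples, keeping order."""
    seen = set()
    pairs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'Child Parent', got {line!r}")
        pair = (parts[0], parts[1])
        if pair not in seen:          # this is what `sort -u` does for the page's step 5
            seen.add(pair)
            pairs.append(pair)
    return pairs


def validate_tree(pairs):
    """Check the hierarchy is a single-rooted tree and return the root class name.

    A class with two different parents, more than one root, or a cycle would all
    make a dendrogram layout fail or render nonsense, so reject them up front.
    """
    parent_of = {}
    for child, parent in pairs:
        if child in parent_of and parent_of[child] != parent:
            raise ValueError(f"{child} has two parents: {parent_of[child]} and {parent}")
        parent_of[child] = parent
    all_names = set(parent_of) | set(parent_of.values())
    roots = [n for n in all_names if n not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root class, found {sorted(roots)}")
    for name in all_names:            # walk up from every class; must terminate
        cur, steps = name, 0
        while cur in parent_of:
            cur = parent_of[cur]
            steps += 1
            if steps > len(all_names):
                raise ValueError(f"cycle detected starting at {name}")
    return roots[0]


def depth_of(pairs):
    """Map each class to its depth below the root (root = 0), useful for sanity-checking the tree."""
    parent_of = dict(pairs)
    depths = {}
    for name in set(parent_of) | set(parent_of.values()):
        d, cur = 0, name
        while cur in parent_of:
            cur = parent_of[cur]
            d += 1
        depths[name] = d
    return depths


def to_csv(pairs):
    """Render id,parentId CSV; the root row comes first with an empty parent."""
    root = validate_tree(pairs)
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["id", "parentId"])
    w.writerow([root, ""])
    for child, parent in pairs:
        w.writerow([child, parent])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_pairs(SAMPLE_CLASSES_TXT)), end="")
```

Running it on the constructed sample collapses the six lines to four pairs, reports OSMetaClassBase as the root, and prints a five-row CSV; feeding it a line that gives IOService a second parent raises a ValueError instead of silently producing a file the template cannot draw.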

Congratulations! Now you have a dendrogram of IOKit’s class hierarchy.