svc · unix #439
kas_info
Returns the offset and segment information for the kernel address space.
Prototype
int kas_info(int selector, void *value, size_t *size);
Returns: int
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| selector | int | - | |
| value | void * | - | |
| size | size_t * | - | |
Version history
| XNU tag | macOS | # |
|---|---|---|
| xnu-2050.18.24 | macOS 10.8 Mountain Lion | 439 |
| xnu-2422.115.4 | macOS 10.9 Mavericks | 439 |
| xnu-2782.40.9 | macOS 10.10 Yosemite | 439 |
| xnu-3247.1.106 | macOS 10.11 El Capitan | 439 |
| xnu-3789.1.32 | macOS 10.12 Sierra | 439 |
| xnu-4570.1.46 | macOS 10.13 High Sierra | 439 |
| xnu-4903.221.2 | macOS 10.14 Mojave | 439 |
| xnu-6153.11.26 | macOS 10.15 Catalina | 439 |
| xnu-7195.50.7.100.1 | macOS 11.0 Big Sur | 439 |
| xnu-8019.41.5 | macOS 12.0 Monterey | 439 |
| xnu-8792.41.9 | macOS 13.0 Ventura | 439 |
| xnu-10002.1.13 | macOS 14.0 Sonoma | 439 |
| xnu-11215.1.10 | macOS 15.0 Sequoia | 439 |
| xnu-11417.101.15 | macOS 15.4 Sequoia | 439 |
| xnu-12377.1.9 | macOS 26.0 Tahoe | 439 |
| xnu-10002.41.9 | — | 439 |
| xnu-10002.61.3 | — | 439 |
| xnu-10002.81.5 | — | 439 |
| xnu-10063.101.15 | — | 439 |
| xnu-10063.121.3 | — | 439 |
| xnu-10063.141.1 | — | 439 |
| xnu-11215.41.3 | — | 439 |
| xnu-11215.61.5 | — | 439 |
| xnu-11215.81.4 | — | 439 |
| xnu-11417.121.6 | — | 439 |
| xnu-11417.140.69 | — | 439 |
| xnu-12377.101.15 | — | 439 |
| xnu-12377.41.6 | — | 439 |
| xnu-12377.61.12 | — | 439 |
| xnu-12377.81.4 | — | 439 |
| xnu-2050.22.13 | — | 439 |
| xnu-2050.24.15 | — | 439 |
| xnu-2050.48.11 | — | 439 |
| xnu-2050.7.9 | — | 439 |
| xnu-2050.9.2 | — | 439 |
| xnu-2422.1.72 | — | 439 |
| xnu-2422.100.13 | — | 439 |
| xnu-2422.110.17 | — | 439 |
| xnu-2422.90.20 | — | 439 |
| xnu-2782.1.97 | — | 439 |
| xnu-2782.10.72 | — | 439 |
| xnu-2782.20.48 | — | 439 |
| xnu-2782.30.5 | — | 439 |
| xnu-3247.10.11 | — | 439 |
| xnu-3248.20.55 | — | 439 |
| xnu-3248.30.4 | — | 439 |
| xnu-3248.40.184 | — | 439 |
| xnu-3248.50.21 | — | 439 |
| xnu-3248.60.10 | — | 439 |
| xnu-3789.21.4 | — | 439 |
| xnu-3789.31.2 | — | 439 |
| xnu-3789.41.3 | — | 439 |
| xnu-3789.51.2 | — | 439 |
| xnu-3789.60.24 | — | 439 |
| xnu-3789.70.16 | — | 439 |
| xnu-4570.20.62 | — | 439 |
| xnu-4570.31.3 | — | 439 |
| xnu-4570.41.2 | — | 439 |
| xnu-4570.51.1 | — | 439 |
| xnu-4570.61.1 | — | 439 |
| xnu-4570.71.2 | — | 439 |
| xnu-4903.231.4 | — | 439 |
| xnu-4903.241.1 | — | 439 |
| xnu-4903.270.47 | — | 439 |
| xnu-6153.101.6 | — | 439 |
| xnu-6153.121.1 | — | 439 |
| xnu-6153.141.1 | — | 439 |
| xnu-6153.41.3 | — | 439 |
| xnu-6153.61.1 | — | 439 |
| xnu-6153.81.5 | — | 439 |
| xnu-7195.101.1 | — | 439 |
| xnu-7195.121.3 | — | 439 |
| xnu-7195.141.2 | — | 439 |
| xnu-7195.60.75 | — | 439 |
| xnu-7195.81.3 | — | 439 |
| xnu-8019.61.5 | — | 439 |
| xnu-8019.80.24 | — | 439 |
| xnu-8020.101.4 | — | 439 |
| xnu-8020.121.3 | — | 439 |
| xnu-8020.140.41 | — | 439 |
| xnu-8792.61.2 | — | 439 |
| xnu-8792.81.2 | — | 439 |
| xnu-8796.101.5 | — | 439 |
| xnu-8796.121.2 | — | 439 |
| xnu-8796.141.3 | — | 439 |
Notes
kas_info(selector, ptr, size) supports KAS_INFO_KERNEL_TEXT_SLIDE_SELECTOR (the KASLR slide) and KAS_INFO_KERNEL_SEGMENT_VMADDR_SELECTOR (per-segment virtual addresses). On production kernels it requires root, and the kernel lockdown flag must allow it; on a development kernel it is broadly accessible. Disclosing the slide trivially breaks KASLR, so the syscall is heavily restricted on iOS and on Apple Silicon Macs with SIP enabled.
Detection
Any successful kas_info call on a SIP-enabled machine from a non-Apple binary is a high-confidence precursor to a kernel exploit. Hook it with DTrace via fbt::kas_info:entry; ES has no dedicated event.
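A DTrace script for the hook described above, added here as an example and not part of the original page. It assumes the fbt provider exposes kas_info on the running kernel and that the handler returns an errno value, with 0 meaning success.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example: report every kas_info call that returns success.
 * Assumption: the in-kernel handler returns 0 on success and an
 * errno value on failure, so only return value 0 is reported.
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("watching kas_info (syscall 439) for successful calls\n");
}

/* Mark the thread on entry so the return probe only fires for matched calls. */
fbt::kas_info:entry
{
    self->in_kas_info = 1;
}

/* arg1 of an fbt return probe is the function's return value. */
fbt::kas_info:return
/self->in_kas_info && (int)arg1 == 0/
{
    printf("%Y kas_info OK pid=%d ppid=%d uid=%d exec=%s\n",
        walltimestamp, pid, ppid, uid, execname);
    /* User-space call path of the caller, for triage. */
    ustack(10);
}

/* Clauses run in program order, so this clears the marker after reporting. */
fbt::kas_info:return
/self->in_kas_info/
{
    self->in_kas_info = 0;
}
```

The probe does not see whether the caller is an Apple binary; resolve the logged pid or executable and check its code signature separately.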