Overun Debug 0.1 Mac OS

Update: In the HN discussion, awalton mentioned you can set CPUID flags in VMWare. Simply adding cpuid.7.ebx = '-----------0--------------------' to the vmx file will disable SMAP.


Late last year, I upgraded my old MBP to the 2016 model with a Skylake processor. As I was debugging a kernel exploit, it turned out that SMAP was enabled inside my VMWare Fusion VM. I wanted to avoid dealing with SMAP, but couldn't figure out how to disable it in Fusion. Luckily, VirtualBox VMs do not support SMAP (yet?).


This post is a step-by-step guide on how to set up macOS kernel source-level debugging using VirtualBox. Though all the step examples are geared toward VirtualBox, this guide can also be used to set up kernel debugging on VMWare Fusion, since it's even more straightforward in Fusion.

Installing VirtualBox and Sierra

If you don't already have a macOS VirtualBox VM, we must first install the target macOS on a VM. You can either provide the vmdk from a VMWare Fusion VM, or create a fresh VM. VirtualBox requires an ISO image to install the OS for newly created VMs. The commands below can be used to create an ISO from the Sierra install app obtained from the Mac App Store.

Networking

If you are using a bridged adapter, there isn't anything special you need to do.

If you decide to go with NAT, you'll need to enable port forwarding for KDP to work with the VM. In the adapter settings, choose Advanced → Port Forwarding. We need to reach 41139/UDP on the debuggee VM, so I forward localhost 41139/UDP to the VM's 41139/UDP.

Installing Xcode


Install Xcode on your host machine. The easiest way is to install it from the Mac App Store. After installing, you must accept the Xcode license, either by opening Xcode and accepting it, or through the command line.

Install Kernel Debug Kit (KDK) on Host

On our host debugger machine, we need to install the KDK from the Apple Developer site corresponding to our debuggee macOS version and build. In this guide, I used 10.12 build 16A323.

The KDK installs to /Library/Developer/KDKs and provides RELEASE, DEVELOPMENT, and DEBUG kernels for macOS, as well as symbols for these kernels and various Apple kexts. The difference between the kernels is that the DEVELOPMENT and DEBUG kernels have additional assertions and error checking compared to RELEASE, with the DEBUG build having even more than DEVELOPMENT.

Note: The debuggee system does not need to have the KDK installed.

Update nvram boot-args

In order to debug the VM, we must set the debug option of boot-args in nvram on our debuggee VM. There are numerous options in addition to debug that we can use. Below are a few that could be of interest, including debug.

  • -v: Always boot the system in verbose mode.
  • kcsuffix: Specifies which kernel to boot using a given suffix.
  • pmuflags: Many people still seem to recommend setting this option to 1. However, Apple's Kernel Programming Guide says the power management watchdog timer 'is only present in G4 and earlier desktops and laptops and in early G5 desktops', and the other primary watchdog timer is 'normally only enabled in OS X Server.' Thus, this option doesn't seem to do anything, though setting it doesn't hurt.
  • -zc zlog1=<zone_name>: -zc, used together with zlog# (where # is 1-5), logs both allocations and frees for the named zone.
  • debug: This option allows us to perform remote kernel debugging. Available flags are listed in the Apple docs. I usually use DB_LOG_PI_SCRN DB_ARP DB_NMI.
    • Non-maskable interrupts (NMI) can be triggered by pressing control + option + command + shift + escape. Triggering an NMI will break in the debugger which is super convenient. This key combo does not play well with VirtualBox when it covers the host key combo so I rebound the host key to right command + right option.

Modifying nvram

In VMWare Fusion, you modify nvram using the nvram command like so:

On VirtualBox, you'll find it's not so easy. After a reboot, the nvram modifications will have disappeared. VirtualBox User Manual §3.13.2 sheds some light:

It is currently not possible to manipulate EFI variables from within a running guest (e.g., setting the 'boot-args' variable by running the nvram tool in a Mac OS X guest will not work). As an alternative way, 'VBoxInternal2/EfiBootArgs' extradata can be passed to a VM in order to set the 'boot-args' variable. To change the 'boot-args' EFI variable:

Thus, we need to shut down our VM and run the commands below on our host.
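As an added example that is not part of the original post, the following script assembles the debug boot-args value from the flag names used above (DB_LOG_PI_SCRN DB_ARP DB_NMI), then emits the Fusion nvram command, the VirtualBox EfiBootArgs extradata command quoted from the manual, and the NAT port forward for KDP on 41139/UDP. The bit values come from xnu's osfmk/kern/debug.h; the VM name "Sierra" is a constructed placeholder, and the commands are printed rather than executed.

```shell
# Added example (not from the original post): assemble the debug boot-args
# value from flag names and emit the host-side commands the guide describes.
# Flag values are from xnu's osfmk/kern/debug.h; the VM name "Sierra" is a
# constructed placeholder.

# Map a DB_* flag name to its bit value; unknown names are rejected.
db_flag_value() {
  case "$1" in
    DB_HALT) echo 1 ;;                  DB_PRT) echo 2 ;;
    DB_NMI) echo 4 ;;                   DB_KPRT) echo 8 ;;
    DB_KDB) echo 16 ;;                  DB_SLOG) echo 32 ;;
    DB_ARP) echo 64 ;;                  DB_KDP_BP_DIS) echo 128 ;;
    DB_LOG_PI_SCRN) echo 256 ;;         DB_KDP_GETC_ENA) echo 512 ;;
    DB_KERN_DUMP_ON_PANIC) echo 1024 ;; DB_KERN_DUMP_ON_NMI) echo 2048 ;;
    *) echo "unknown debug flag: $1" >&2; return 1 ;;
  esac
}

# OR the named flags together and print the result as hex, e.g.
# "DB_LOG_PI_SCRN DB_ARP DB_NMI" -> 0x144
debug_value() {
  v=0
  for f in "$@"; do
    b=$(db_flag_value "$f") || return 1
    v=$((v | b))
  done
  printf '0x%x\n' "$v"
}

# Build the full boot-args string: debug= plus any extra options (-v, kcsuffix=...).
boot_args() {
  dbg=$(debug_value DB_LOG_PI_SCRN DB_ARP DB_NMI) || return 1
  printf 'debug=%s' "$dbg"
  for opt in "$@"; do printf ' %s' "$opt"; done
  printf '\n'
}

# Fusion guest: set boot-args with the nvram tool (run inside the debuggee VM).
fusion_nvram_cmd() { printf 'sudo nvram boot-args="%s"\n' "$(boot_args "$@")"; }

# VirtualBox host: boot-args via EfiBootArgs extradata (VM must be powered off),
# plus the NAT port forward so the host reaches KDP on the guest's 41139/UDP.
vbox_cmds() {
  vm=$1; shift
  printf 'VBoxManage setextradata "%s" VBoxInternal2/EfiBootArgs "%s"\n' "$vm" "$(boot_args "$@")"
  printf 'VBoxManage modifyvm "%s" --natpf1 "kdp,udp,127.0.0.1,41139,,41139"\n' "$vm"
}

# Print (not run) the commands for a constructed VM named "Sierra".
vbox_cmds Sierra -v kcsuffix=development
```

Pipe the printed lines into sh once you have checked the VM name and the boot options match your setup.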


Swapping Kernels

I alluded to debugging different kernel builds previously, mentioning that the kcsuffix option specifies which kernel build to use. The kernel file must be at /System/Library/Kernels on the debuggee VM. It should not be a surprise that this directory is protected by System Integrity Protection (SIP). Therefore, if you want to use a KDK kernel or a self-compiled kernel, you must first boot into recovery, copy the target kernel to the above directory, invalidate the kext cache, and then reboot.

Reliably Booting into Recovery

In Fusion, booting into recovery mode using cmd+R is as easy as doing so on a physical machine. VirtualBox, on the other hand, requires a few more steps.

When booting the VM, hit F12, and select Boot Manager → EFI Internal Shell. You will be greeted by an EFI shell. To boot into recovery, type:

Once the recovery GUI loads, launch a terminal, move the target kernels into place, then invalidate the kext cache.

Before reboot, you can optionally disable SIP if desired.

Source-level Debugging

Download the XNU source code corresponding to the debuggee XNU version. To gain source-level debugging, LLDB will look in /Library/Caches/com.apple.xbs/Sources/xnu/xnu-... for the kernel source. You can either place the downloaded source there, or create a symlink there that points to the source. Alternatively, you can also set target.source-map in LLDB.

In previous versions of macOS such as Yosemite, you had to place the source code in /SourceCache/xnu/.


Setting up LLDB

Finally, we can break out the debugger. The example below sets the target file to the RELEASE kernel build.

To use the XNU LLDB macros in the Sierra KDK, the macholib Python module is now required. A simple pip install macholib should do the trick. To use the nifty LLDB macros, copy and paste the KDK debug script command that is prompted when you first set the target file to a KDK kernel.

After triggering an NMI (or waiting for the debugger to halt the boot process if you chose the DB_HALT flag), connect to the debuggee with the command kdp-remote <ip>, where <ip> is the IP address of the debuggee (localhost if you used the NAT port forwarding).

Voila, source-level debugging of the macOS kernel!