KEXT Debugging on Mac

Copy the kext to a temporary folder

    sudo cp -r /…xx.kext /tmp/

    cd /tmp

Modify the privileges

    sudo chown -R root:wheel xx.kext
    sudo chmod -R 775 xx.kext

Load the kext at the starting address where the affected kext was loaded. You will get the address from the panic report.

    sudo kextload -z -n -a xxx.yyy.kext.zzz@0x47cd1000 -s . xx.kext

Open another terminal and launch gdb

    gdb -arch i386 /Volumes/KernelDebugKit/mach_kernel

Load the kernel debug macros

    source /Volumes/KernelDebugKit/kgmacros

Add system and application symbols

    add-symbol-file /tmp/
    add-symbol-file /tmp/
    add-symbol-file /tmp/
    add-symbol-file /tmp/
    add-symbol-file /tmp/xxx.yyy.kext.zzz.sym

Query the symbols

    x/i address

For remote debugging

Run the following command as is

    target remote-kdp

Attach to the remote system

    attach ip

Execute bt (backtrace) to get all the symbols; it loads all symbols. Otherwise, use x/i to get a particular symbol.

    bt
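
The kextload step above takes the load address from the panic report. The following is an added example, not part of the original post, that extracts the `bundle.id@address` pairs from a report and prints the matching kextload command. The panic-report line layout, the sample excerpt, the function names, and the use of one `-a` per dependency are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed panic-report layout: "bundle.id(version)@0xSTART->0xEND" lines under
# "Kernel loadable modules in backtrace", dependencies prefixed "dependency:".

# Constructed sample excerpt; ids, versions and addresses are placeholders.
sample_panic() {
cat <<'EOF'
Backtrace (constructed sample)
0x2f0a3c18 : 0x47cd1a2f (0x1 0x2 0x3 0x4)
      Kernel loadable modules in backtrace (with dependencies):
         xxx.yyy.kext.zzz(1.0.0)@0x47cd1000->0x47cd5fff
            dependency: com.example.iokit.Family(1.2)@0x45a30000
EOF
}

# Read a panic report on stdin; print one "bundle.id@0xADDR" per module.
# Only [A-Za-z0-9._-] ids and hex addresses are accepted, so nothing from the
# report can smuggle shell metacharacters into a command later run with sudo.
panic_kext_addrs() {
    awk '
    /Kernel loadable modules in backtrace/ { in_mods = 1; next }
    in_mods {
        line = $0
        sub(/^[ \t]*(dependency:[ \t]*)?/, "", line)
        if (match(line, /^[A-Za-z0-9._-]+\([^)]*\)@0x[0-9a-fA-F]+/)) {
            entry = substr(line, 1, RLENGTH)
            id = entry;   sub(/\(.*/, "", id)
            addr = entry; sub(/.*@/, "", addr)
            if (!seen[id]++) print id "@" addr
        } else {
            in_mods = 0   # first non-module line ends the section
        }
    }'
}

# Print (do not run) the kextload command for kext bundle $1, with one -a per
# module found in the panic report on stdin.
kextload_symbol_cmd() {
    args=$(panic_kext_addrs | sed 's/^/-a /' | tr '\n' ' ')
    [ -n "$args" ] || { echo "no module addresses found" >&2; return 1; }
    printf 'sudo kextload -z -n %s-s . %s\n' "$args" "$1"
}
```

Call it as `kextload_symbol_cmd xx.kext < panic-report.txt` from /tmp and review the printed command before running it.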


How to get the current process name in a kernel-level program


buffer contains the process name.
