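"""
    XNU Triage commands
"""
from __future__ import absolute_import, print_function

from xnu import *
import sys
import shlex
from utils import *
import xnudefines
import re
import os.path

# Matches an "lr: 0x..." entry and captures only the hexadecimal value.
# The captured group is the only text taken from a panic log or an input file
# that is ever interpolated into an lldb command line.
_LR_PATTERN = re.compile(r"lr:\s+(0x[a-fA-F0-9]+)\s")

# Default input of parseLRfromfile. /tmp is writable by every local user, so
# this file can be created or replaced by another account on a shared host;
# pass an explicit path in a private directory where that matters.
_DEFAULT_LR_FILE = '/tmp/lrparsefile'


def _PrintLRSourceLocations(text):
    """ Print the source location of every "lr: 0x..." value found in text.
        Prints nothing when text holds no such value.
    """
    matches = list(_LR_PATTERN.finditer(text))
    if not matches:
        return
    # Echo the searched text together with the raw matches, then resolve each one.
    print(text, [m.group(0) for m in matches])
    for m in matches:
        # group(1) is the bare hex literal, without the "lr:" prefix or any
        # surrounding whitespace (the \s in the pattern can be a newline or tab).
        lr_value = m.group(1)
        print(lr_value)
        print("(lldb) list *{:s}".format(lr_value))
        print(lldb_run_command("list *{:s}".format(lr_value)))


# Macro: xi
def OutputAddress(cmd_args=None):
    """ Returns the address and the symbol corresponding to it, without a newline
        Parameters: <address whose symbol is needed>
        Returns: "<address> <symbol>", "" when no symbol could be parsed from the
                 lookup output, or False when no argument was passed
    """
    if not cmd_args:
        print("No arguments passed")
        print(OutputAddress.__doc__)
        return False
    a = unsigned(cmd_args[0])
    cmd_out = lldb_run_command("image lookup -a {:#x}".format(a))
    if not cmd_out or cmd_out == "ERROR:":
        return ""
    # The parser reads the second output line and takes the text after the
    # first backtick. Check both lengths before indexing: an address that does
    # not resolve must yield "" (callers such as NewBt test for a falsy result)
    # rather than an IndexError.
    out_lines = cmd_out.split('\n')
    if len(out_lines) < 2:
        return ""
    module_and_symbol = out_lines[1].split('`')
    if len(module_and_symbol) < 2:
        return ""
    symbol = module_and_symbol[1].split(' at')[0]
    return "{:#018x} <{:s}>".format(unsigned(a), symbol)

@lldb_command('xi')
def SymbolicateWithInstruction(cmd_args=None):
    """ Prints out address and symbol similar to x/i
        Usage: xi <address whose symbol is needed>
    """
    if not cmd_args:
        print("No arguments passed")
        print(SymbolicateWithInstruction.__doc__)
        return False
    a = ArgumentStringToInt(cmd_args[0])
    print(OutputAddress([a]))

# EndMacro: xi

# Macro: newbt
@lldb_command('newbt')
def NewBt(cmd_args=None):
    """ Prints all the instructions by walking the given stack pointer
        Usage: newbt <stack pointer address to start from>
    """
    if not cmd_args:
        print("No arguments passed")
        print(NewBt.__doc__)
        return False
    a = ArgumentStringToInt(cmd_args[0])
    # The saved link register is read one pointer past the frame address;
    # the pointer size depends only on the architecture, so compute it once.
    if kern.arch == "x86_64" or kern.arch.startswith("arm64"):
        offset = 8
    else:
        offset = 4
    # The frame chain comes from the memory of the target being triaged, which
    # may be corrupted. Remember visited frames so a chain that points back at
    # itself terminates instead of looping forever.
    visited = set()
    while a != 0:
        frame_addr = unsigned(a)
        if frame_addr in visited:
            print("Frame chain loops back to {:#x}; stopping".format(frame_addr))
            break
        visited.add(frame_addr)
        link_register = dereference(kern.GetValueFromAddress(a + offset, 'uintptr_t *'))
        cmd_out = lldb_run_command("di -s {:#x} -c 1".format(link_register))
        if cmd_out:
            out_lines = [line for line in cmd_out.split('\n') if line]
            if out_lines:
                address = OutputAddress([unsigned(link_register)])
                if not address:
                    address = '{:#018x} <???>'.format(unsigned(link_register))
                # Drop the "<address>:" prefix of the disassembly line; fall
                # back to the whole line when it carries no colon.
                _, sep, instruction = out_lines[-1].partition(':')
                print(address + ": " + (instruction if sep else out_lines[-1]))
        a = dereference(kern.GetValueFromAddress(unsigned(a), 'uintptr_t *'))

# EndMacro: newbt

# Macro: parseLR
@lldb_command('parseLR')
def parseLR(cmd_args=None):
    """ Decode the LR value from panic log into source code location
    """
    global paniclog_data

    # Fetch the panic log only once; later invocations reuse the cached text.
    if not paniclog_data:
        if kern.arch == "x86_64":
            paniclog_data += returnfunc("\n(lldb) paniclog\n", "paniclog -v")
        else:
            paniclog_data += returnfunc("\n(lldb) paniclog\n", "paniclog")

    # The previous "panic_found" flag was hard-wired to 1, so its
    # "unsupported on x86_64" branch could never run; it has been dropped.
    _PrintLRSourceLocations(paniclog_data)
#EndMacro: parseLR

# Macro: parseLRfromfile
@lldb_command('parseLRfromfile')
def parseLRfromfile(cmd_args=None):
    """ Decode the LR value from file into source code location
        Usage: parseLRfromfile [<path to file>]
        Reads /tmp/lrparsefile when no path is given.
    """
    path = cmd_args[0] if cmd_args else _DEFAULT_LR_FILE
    try:
        # The context manager closes the file even if the read fails.
        with open(path, 'r') as f:
            parse_data = f.read()
    except (IOError, OSError) as e:
        print("Unable to read {:s}: {:s}".format(path, str(e)))
        return False
    # Echo the file contents that were searched (the previous code printed the
    # cached panic log here, which is unrelated to the file being parsed).
    _PrintLRSourceLocations(parse_data)

#EndMacro: parseLRfromfile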