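"""
    XNU Triage commands
"""
from xnu import *
import sys, shlex
from utils import *
import xnudefines
import re
import os.path

# One "lr: 0x<hex>" entry as it appears in panic log text. The trailing
# whitespace character is part of the match, as in the original pattern.
_LR_ENTRY_RE = re.compile(r"lr:\s+0x[a-fA-F0-9]+\s")
# The hex literal inside one matched entry.
_HEX_ADDR_RE = re.compile(r"0x[a-fA-F0-9]+")


# Macro: xi
def OutputAddress(cmd_args=None):
    """ Returns out address and symbol corresponding to it without newline
        Parameters: <address whose symbol is needed>

        Runs "image lookup -a <address>" and takes, from the second line of
        its output, the text after the first backtick and before " at".
        Returns "" when the command output is empty, is "ERROR:", or does
        not have that shape.
    """
    if cmd_args is None or len(cmd_args) == 0:
        raise ArgumentError()

    addr = unsigned(cmd_args[0])
    cmd_out = lldb_run_command("image lookup -a {:#x}".format(addr))
    if not cmd_out or cmd_out == "ERROR:":
        return ""

    # The symbol is read from the second output line; a one-line reply would
    # otherwise raise IndexError instead of yielding the "" fallback.
    out_lines = cmd_out.split('\n')
    if len(out_lines) < 2:
        return ""

    # Text after the first backtick; without a backtick there is no symbol.
    tick_parts = out_lines[1].split('`')
    if len(tick_parts) < 2:
        return ""

    symbol = tick_parts[1].split(' at')[0]
    return "{:#018x} <{:s}>".format(addr, symbol)

@lldb_command('xi')
def SymbolicateWithInstruction(cmd_args=None):
    """ Prints out address and symbol similar to x/i
        Usage: xi <address whose symbol is needed>
    """
    if cmd_args is None or len(cmd_args) == 0:
        raise ArgumentError()

    a = ArgumentStringToInt(cmd_args[0])
    print(OutputAddress([a]))

# EndMacro: xi

# Macro: newbt
@lldb_command('newbt')
def NewBt(cmd_args=None):
    """ Prints all the instructions by walking the given stack pointer

        For each address in the chain, the pointer-sized value at
        address + offset is disassembled (one instruction) and printed with
        its symbol, then the value stored at the address itself becomes the
        next address. The walk ends at a zero address or when an address
        repeats.
    """
    if cmd_args is None or len(cmd_args) == 0:
        raise ArgumentError()

    # The slot offset depends only on the target architecture, so compute it once.
    if kern.arch == "x86_64" or kern.arch.startswith("arm64"):
        offset = 8
    else:
        offset = 4

    a = ArgumentStringToInt(cmd_args[0])
    # The chain is read from target memory, which may be corrupted in a
    # crashed system; a chain that loops back on itself would never reach zero.
    seen_frames = set()
    while a != 0:
        frame_addr = unsigned(a)
        if frame_addr in seen_frames:
            print("newbt: address {:#x} already visited, stopping".format(frame_addr))
            break
        seen_frames.add(frame_addr)

        link_register = dereference(kern.GetValueFromAddress(a + offset, 'uintptr_t *'))
        cmd_str = "di -s {:#x} -c 1".format(link_register)
        cmd_out = lldb_run_command(cmd_str)
        if len(cmd_out) != 0:
            disasm_lines = list(filter(None, cmd_out.split('\n')))
            if len(disasm_lines) != 0:
                address = OutputAddress([unsigned(link_register)])
                if not address:
                    address = '{:#018x} <???>'.format(unsigned(link_register))
                # Print what follows the first ':' of the last line; fall back
                # to the whole line when it has no ':' at all.
                _, colon, insn_text = disasm_lines[-1].partition(':')
                if not colon:
                    insn_text = disasm_lines[-1]
                print(address + ": " + insn_text)
        a = dereference(kern.GetValueFromAddress(frame_addr, 'uintptr_t *'))

# EndMacro: newbt

paniclog_data = ""


def _ListLRSourceLocations(log_text):
    """ Print the source listing for every "lr: 0x..." entry in log_text.

        log_text may come from a file chosen by the user, so it is not passed
        to the debugger as-is: only the hex literal extracted from each entry
        is placed into the "list *<address>" command.
    """
    lr_entries = _LR_ENTRY_RE.findall(log_text)
    if not lr_entries:
        return

    print(log_text, lr_entries)
    for entry in lr_entries:
        # str.strip("lr: ") removes a character set, not a prefix, and leaves
        # a trailing tab or newline in place; take the hex literal instead.
        addr = _HEX_ADDR_RE.search(entry).group(0)
        print(addr)
        print("(lldb) list *{:s}".format(addr))
        print(lldb_run_command("list *{:s}".format(addr)))


# Macro: parseLR
@lldb_command('parseLR')
def parseLR(cmd_args=None):
    """ Decode the LR value from panic log into source code location

        The panic log is fetched with "paniclog -v" on x86_64 and "paniclog"
        otherwise, and kept in the module-level paniclog_data so that later
        calls reuse it.
    """
    global paniclog_data

    if not paniclog_data:
        if kern.arch == "x86_64":
            paniclog_data += lldb_run_command("paniclog -v")
        else:
            paniclog_data += lldb_run_command("paniclog")

    _ListLRSourceLocations(paniclog_data)
#EndMacro: parseLR

# Macro: parseLRfromfile
@lldb_command('parseLRfromfile')
def parseLRfromfile(cmd_args=None):
    """ Decode the LR value from file into source code location

        Usage: parseLRfromfile [file_path]
    """
    if cmd_args is None or len(cmd_args) == 0:
        raise ArgumentError()

    # Close the file as soon as it has been read.
    with open(cmd_args[0], 'r') as f:
        parse_data = f.read()

    # Echo the text that was actually searched (the file contents), not the
    # cached panic log of an earlier parseLR run.
    _ListLRSourceLocations(parse_data)

#EndMacro: parseLRfromfile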