Decompile a Mac Kernel Extension?

Is it possible to dec开发者_StackOverflow中文版ompile a Mac kernel extension?

---

In theory it is possible to decompile any binary code.

Kernel extensions are a little bit tricky because a) they're C++, so virtual methods make the code harder to follow. b) linking happens differently in kernel extensions, so any decompiler would need be specially designed to handle kernel extensions in order to find dependencies and symbol names.

---

you can use gdb (as nate c suggested) to inspect the assembly code of a kernel extension. i'm not aware of any decompilers for kernel extensions specifically.

you can use the kextload tool to create a symbols file that you can load into gdb. this will let you see decoded symbol names for functions, &c. there's a crash (haha get it?) tutorial here: http://praveenmatanam.wordpress.com/2008/05/22/kext-debugging-on-mac/

why do you want to do this?

---

It is no problem to decompile 32bit kext's using the hexrays decompiler.

Decompiling c++ code, means you have to define your structs in the right way: when an object has virtual methods, the first item in the object will be a pointer to the object's vtable. if you declare the vtable in IDA or hexrays as well, and make sure all the types of the function pointers are correct, hexrays will produce quite readable code.

But chances are that the parts of the kext you are interested in were written in C-like C++, and you don't need to worry about that at all.

---

For reversing 64-bit kexts, acquire ida pro and x64 Decompiler (any of mac/lin/win).

Also, you can usually debug a kext (without symbols) using lldb remote setup. (gdb is gone.)

If you happen to work for a large security shop, do the song-and-dance: sign an NDA, give rights to first born and just get the OSX source.

Also, here's a large list of decompilers:

https://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers