Some helpful OSX command-line kernel phun...


FYI this info's always helped me out in the past. As a hardcore BSD freak (on X86 and various other platforms) and in general, a UNIX Lifer (started in the 80's), I've always been a bit hackish on the UNIX stuff. I was bottle fed at a command-line, I live by the command-line and you'd better believe I'll die by the CLI as well.

I found MacOS to be about as useful, if not less so, than PalmOS. I loved the hardware but not the OS. I found solace in MkLinux and Yellow Dog, and had a mild fascination with BeOS as well. When OSX came about, I gave my all into playing with the ins and outs.

On my Wallstreet, I would often do wireless network assessments with KisMAC, and since the wallstreet doesn't have AirPort, I used a normal Intersil Prism-based card for wireless. Also, since OSX doesn't play nice with Prism-based cards, I had to buy the IOXperts driver.

KisMAC kills off the IOXperts driver when you start scanning. So, simply pulling the card and re-inserting it doesn't help much, because the driver's no longer up and running. A re-boot would fix it, but that's a pain. I made it my mission to get around that. Also, as a hacker (in the good sense), I believe not in finding the steps to fix the problem, but rather in understanding the root of the problem. What that means is that one single problem led me to find not just an answer. I went beyond that to understand OSX kernel modules and ultimately, the whole IOKit framework.

So, with that out of the way, here's some helpful commands and what they do and how to use them.

kextstat: lists the status of all loaded kernel extensions. To find out the name of the IOXperts kernel extension, I simply did a diff of this output before and after KisMAC ran. You can use the list of drivers here and unload/reload them at will (they won't unload if something is using them).

Quote:

kozoru-DEFAULT:~ ndunker$ kextstat
Index Refs Address Size Wired Name (Version)
1 1 0x0 0x0 0x0 com.apple.kernel (8.4.0)
2 11 0x0 0x0 0x0 com.apple.kpi.bsd (8.4.0)
3 12 0x0 0x0 0x0 com.apple.kpi.iokit (8.4.0)
4 13 0x0 0x0 0x0 com.apple.kpi.libkern (8.4.0)
5 12 0x0 0x0 0x0 com.apple.kpi.mach (8.4.0)
6 10 0x0 0x0 0x0 com.apple.kpi.unsupported (8.4.0)
...
...
...
104 0 0x3c8f9000 0xb000 0xa000 com.apple.iokit.IOBluetoothSerialManager (1.7f18) <87 11>
105 0 0x3c927000 0xf000 0xe000 com.apple.driver.IOBluetoothSCOAudioDriver (1.7f18) <75 59 11>
106 1 0x12734000 0x24000 0x24000 com.apple.driver.ndrv.ATY,Jasper.0x12735e4c (1.0.0b226)
107 0 0x3cfc7000 0x81000 0x80000 com.cisco.nke.ipsec (1.0.0d1) <4 2>
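As an added example (not from the original post), here is the before/after kextstat diff described above as a small POSIX sh script. The two snapshots are constructed from the bundle identifiers shown in the post plus one made-up com.example.newkext; the same comparison doubles as a quick check for kernel extensions that appear which you did not load yourself.

```shell
#!/bin/sh
# Added example, not from the original post: compare two kextstat snapshots
# and report which kernel extensions were unloaded or newly loaded.

# Print the bundle identifiers (6th column of kextstat output), sorted.
# Header and any non-kext lines are skipped: kext rows start with a number.
kext_names() {
    awk '$1 ~ /^[0-9]+$/ { print $6 }' "$1" | sort
}

# Bundle identifiers present in snapshot $1 but missing from snapshot $2.
kext_unloaded() {
    b=$(mktemp); a=$(mktemp)
    kext_names "$1" > "$b"; kext_names "$2" > "$a"
    comm -23 "$b" "$a"          # lines only in the "before" list
    rm -f "$b" "$a"
}

# Bundle identifiers present in snapshot $2 but not in snapshot $1.
kext_loaded() {
    b=$(mktemp); a=$(mktemp)
    kext_names "$1" > "$b"; kext_names "$2" > "$a"
    comm -13 "$b" "$a"          # lines only in the "after" list
    rm -f "$b" "$a"
}

# Constructed sample snapshots (in real use: kextstat > before.txt, etc.).
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Index Refs Address Size Wired Name (Version)
1 1 0x0 0x0 0x0 com.apple.kernel (8.4.0)
2 11 0x0 0x0 0x0 com.apple.kpi.bsd (8.4.0)
104 0 0x3c8f9000 0xb000 0xa000 com.apple.iokit.IOBluetoothSerialManager (1.7f18) <87 11>
107 0 0x3cfc7000 0x81000 0x80000 com.cisco.nke.ipsec (1.0.0d1) <4 2>
EOF
cat > "$AFTER" <<'EOF'
Index Refs Address Size Wired Name (Version)
1 1 0x0 0x0 0x0 com.apple.kernel (8.4.0)
2 11 0x0 0x0 0x0 com.apple.kpi.bsd (8.4.0)
104 0 0x3c8f9000 0xb000 0xa000 com.apple.iokit.IOBluetoothSerialManager (1.7f18) <87 11>
108 0 0x3d000000 0x5000 0x4000 com.example.newkext (1.0) <4 2>
EOF

echo "Unloaded: $(kext_unloaded "$BEFORE" "$AFTER")"
echo "Newly loaded: $(kext_loaded "$BEFORE" "$AFTER")"
```

Anything reported as newly loaded that you cannot account for deserves a look with kextstat and ioreg before you trust the box.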

kextload and kextunload are fairly self-explanatory. You can load or unload modules at will. Without any command-line switches, these utilities require the whole pathname to the file to be passed as an argument. With the -b switch, they use the "bundle name", i.e. the name shown by kextstat.

I'll unload the module that gets installed with my VPN client, and re-load it as an example.

Quote:

kozoru-DEFAULT:~ ndunker$ sudo kextunload -b com.cisco.nke.ipsec
Password: ...entered my password, not echoed...
kextunload: unload id com.cisco.nke.ipsec succeeded (any personalities also unloaded)
kozoru-DEFAULT:~ ndunker$ sudo kextload -b com.cisco.nke.ipsec
kextload: /System/Library/Extensions/CiscoVPN.kext loaded successfully

sysctl is a mainstay of almost all modern UNIX systems. It's a command that can view, set, and update kernel parameters on-the-fly. It looks curiously like an SNMP tree to those who have seen one before. For those who haven't, here's a taste:

Quote:

kozoru-DEFAULT:~ ndunker$ sysctl -A | less
Use pstat to view kern.vnode information
Use ps to view kern.proc information
Use pstat to view kern.file information
kernel is not compiled for profiling

kern.ostype = Darwin
kern.osrelease = 8.4.0
kern.osrevision = 199506
kern.version = Darwin Kernel Version 8.4.0: Tue Jan 3 18:22:10 PST 2006; root:xnu-792.6.56.obj~1/RELEASE_PPC
kern.maxvnodes = 17408
kern.maxproc = 532
kern.maxfiles = 12288
kern.argmax = 262144
kern.securelevel = 1
kern.hostname = kozoru-DEFAULT.local
kern.hostid = 0
kern.clockrate: hz = 100, tick = 10000, profhz = 100, stathz = 100
... (hundreds of lines)

You can use sysctl -w variable.name=value to arbitrarily set most of these parameters. Most of these values you don't want to mess with; however, used in the right place, you can induce some very handy behaviour changes in OSX, such as how network traffic works, security settings, etc.

ioreg: This beast dumps the entire IOKit registry. The command-line switches can be used to tweak how much (or how little) info it displays; see man ioreg for more info. The dump contains lots of markup-esque characters and won't display cleanly here, so I'll spare you.

I hope this helps a few of you that are looking at getting a bit deeper into the soft UNIX underbelly of OSX.

__________________

Chimera: Black MacBook - Core2 Duo, 1GB Dual Channel, 120GB SATA
Hackintosh: Wallstreet Built-to-the-hilt with security and wireless software for penetration testing, OSX 10.2
Blackintosh: SE/30, two 4GB Seagate Barracudas, 32MB RAM, NetBSD (Painted/cle