Researcher shows how to compute XNU offsets from stripped iOS kernelcaches

What the post shows
A new ReverseSociety blog post walks through a repeatable method for extracting struct offsets from stripped XNU kernelcaches. The write-up builds on a kernel read/write primitive shared by Opa334 (reportedly similar to a primitive observed in DarkSword) and demonstrates how, once you can read and write kernel memory, you can walk back to the Mach‑O header magic, compute the kernel slide, and then recover offsets to key kernel objects. The author deliberately avoids Apple’s Kernel Development Kit and works directly from ARM64 assembly in Binary Ninja, validating the approach against iOS 16.7.12.
How the technique works
The core insight is simple and elegant: many exported accessor functions are thin wrappers that load a single field from a struct, so their disassembly directly exposes that field’s offset. The guide pairs this with cross‑referencing against the open XNU source (treated as a map, not gospel) and with locating anchor globals in __DATA (allproc, kernproc, and so on). The post details phase‑by‑phase checks and practical caveats: Apple often reorders or splits fields, so source headers are only a starting point and the binary is the ultimate truth.
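As an added illustration of the two steps the summary describes (walking back to the Mach‑O magic to get the slide, then reading field offsets out of thin accessor stubs), here is a small Python model. It is not code from the ReverseSociety post, from Opa334, or from XNU. Everything in it is constructed: the fake memory image, the base address, the slide, the accessor symbol names (example_get_pid and friends) and the field offsets; only the ARM64 instruction encodings (LDR immediate with unsigned offset, RET) are the documented ones.

```python
"""Constructed model of: (1) finding the kernel slide by walking back to the
Mach-O header, (2) decoding `ldr x0, [x0, #off]; ret` accessor stubs into
struct field offsets. No real kernelcache, addresses or symbols are used."""

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O magic
PAGE = 0x4000                  # 16 KiB pages on arm64 iOS
RET = 0xD65F03C0               # ARM64 `ret`

# LDR (immediate, unsigned offset): bits 31:22 select the width, imm12 is scaled by it.
LDR_UNSIGNED = {
    0xF9400000: 8,   # ldr  xT, [xN, #imm]
    0xB9400000: 4,   # ldr  wT, [xN, #imm]
    0x79400000: 2,   # ldrh wT, [xN, #imm]
    0x39400000: 1,   # ldrb wT, [xN, #imm]
}

def ldr_imm(rt, rn, byte_off, scale):
    """Assemble one unsigned-offset LDR; used only to build the constructed sample."""
    base = {8: 0xF9400000, 4: 0xB9400000, 2: 0x79400000, 1: 0x39400000}[scale]
    assert byte_off % scale == 0 and byte_off // scale < 0x1000
    return base | ((byte_off // scale) << 10) | (rn << 5) | rt

def find_macho_header(read32, addr, max_pages=4096):
    """Walk backwards page by page from a kernel text address until the Mach-O
    magic appears. Returns the slid header address, or None if not found."""
    page = addr & ~(PAGE - 1)
    for _ in range(max_pages):
        if read32(page) == MH_MAGIC_64:
            return page
        page -= PAGE
    return None

def decode_accessor(words):
    """Recognise the thin-wrapper shape `ldr X0/W0, [x0, #off]; ret` and return
    off, the struct field offset. Any other instruction sequence returns None."""
    if len(words) < 2 or words[1] != RET:
        return None
    op = words[0]
    scale = LDR_UNSIGNED.get(op & 0xFFC00000)
    if scale is None:
        return None
    rt, rn = op & 0x1F, (op >> 5) & 0x1F
    if rt != 0 or rn != 0:          # must load from the arg0 pointer into the return register
        return None
    return ((op >> 10) & 0xFFF) * scale

def resolve_field_offsets(read32, slide, accessors_static):
    """For each accessor (name -> unslid address), read its first two instructions
    at the slid address and decode the field offset (None if it is not a thin stub)."""
    out = {}
    for name, static_addr in accessors_static.items():
        runtime = static_addr + slide
        out[name] = decode_accessor([read32(runtime), read32(runtime + 4)])
    return out

# --- constructed sample memory (hypothetical values, not a real kernelcache) ---
BASE_STATIC = 0xFFFFFFF007004000           # unslid header address (made up)
SLIDE_TRUE = 0x1A000000                    # slide the sample was "loaded" with (made up)
BASE_RUNTIME = BASE_STATIC + SLIDE_TRUE

ACCESSORS_STATIC = {                       # hypothetical accessor symbols, unslid
    "example_get_pid":   BASE_STATIC + 0x10000,
    "example_get_flags": BASE_STATIC + 0x10020,
    "example_not_thin":  BASE_STATIC + 0x10040,
}

MEM = {BASE_RUNTIME: MH_MAGIC_64}          # word-addressed fake kernel memory

def _place(static_addr, words):
    for i, w in enumerate(words):
        MEM[static_addr + SLIDE_TRUE + 4 * i] = w

_place(ACCESSORS_STATIC["example_get_pid"],   [ldr_imm(0, 0, 0x68, 4), RET])  # ldr w0, [x0, #0x68]; ret
_place(ACCESSORS_STATIC["example_get_flags"], [ldr_imm(0, 0, 0x10, 8), RET])  # ldr x0, [x0, #0x10]; ret
_place(ACCESSORS_STATIC["example_not_thin"],  [0xA9BF7BFD, 0x910003FD])       # stp x29, x30, [sp, #-16]!; mov x29, sp

def read32(addr):
    """Stand-in for a kernel read primitive; unmapped words read as 0."""
    return MEM.get(addr, 0)

def run_sample():
    """Recover the slide from any known text address, then the field offsets."""
    header = find_macho_header(read32, ACCESSORS_STATIC["example_get_pid"] + SLIDE_TRUE)
    slide = header - BASE_STATIC
    return slide, resolve_field_offsets(read32, slide, ACCESSORS_STATIC)

if __name__ == "__main__":
    slide, offsets = run_sample()
    print(f"slide = {slide:#x}")
    for name, off in offsets.items():
        print(f"{name:20s} -> {'not a thin accessor' if off is None else hex(off)}")
```

The third stub deliberately opens with a frame setup rather than a load, so `decode_accessor` rejects it: that is the case the post's caveats are about, where a function that looks like an accessor by name has been inlined, split or wrapped differently and the offset has to be confirmed against the binary rather than assumed from the XNU headers.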
Why it matters
For researchers this is a tidy toolbox for turning stripped kernel binaries into readable structure maps. For defenders, it’s a reminder that a kernel read/write primitive alone isn’t the whole story — once you can map offsets, the attack surface changes. The emotional moment in the piece is clear: the thrill of turning raw bytes into meaningful kernel objects — a puzzle solved, piece by piece. Dangerous in the wrong hands? Sure. Valuable for forensic and hardening work? Absolutely.
Read the full technical walkthrough on ReverseSociety’s blog (linked via Hacker News). The post includes step‑by‑step examples, caveats, and the author’s Binary Ninja workflow for anyone wanting to follow along.
Sources: reversesociety.co, Hacker News