vphone-cli/research/kernel_patch_jb/patch_vm_map_protect.md
Lakr 7daa2c4773 Enable 16 verified kernel JB patches, add per-patch research docs
Batch-tested all 24 kernel JB patches individually:
- 18 enabled: A1,A3,A4,B5,B7,B9-B20,C21,C22
- 3 PANIC: A2, B6 (proc_security_policy), B8 (convert_port_to_map), C23 (hook_cred_label_update_execve)
- 1 NOT_BOOT: C24 (kcall10)

Added research/kernel_patch_jb/ with per-patch analysis notes.
2026-03-04 20:08:00 +08:00

B10 patch_vm_map_protect

How the patch works

  • Source: scripts/patchers/kernel_jb_patch_vm_protect.py.
  • Locator strategy:
    1. Try the symbol _vm_map_protect.
    2. Fallback string anchor: "vm_map_protect(".
    3. In the function body, find the forward TBNZ that tests a high bit (bit >= 24) and serves as the guard.
  • Patch action:
    • Rewrite that conditional TBNZ into an unconditional B to the same target.
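As an added example (not part of this note or of the patcher script), a small integrity checker that decodes the two AArch64 encodings involved and reports every place where a high-bit TBZ/TBNZ in an original text region was turned into an unconditional B to the same target in a suspected patched copy. The region bytes, base address 0x10000 and register x8 are constructed for the demonstration.

```python
import struct

def sign_extend(value, bits):
    """Sign-extend an unsigned field that is `bits` wide."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign

def decode_branch(word, pc):
    """Decode an AArch64 TBZ/TBNZ or unconditional B located at address `pc`.
    Returns a dict describing the branch, or None for any other instruction."""
    if (word >> 26) == 0b000101:                            # B imm26
        return {"kind": "B", "target": pc + sign_extend(word & 0x3FFFFFF, 26) * 4}
    if (word >> 25) & 0x3F == 0b011011:                     # TBZ / TBNZ
        kind = "TBNZ" if (word >> 24) & 1 else "TBZ"
        bit = ((word >> 31) << 5) | ((word >> 19) & 0x1F)   # tested bit = b5:b40
        target = pc + sign_extend((word >> 5) & 0x3FFF, 14) * 4
        return {"kind": kind, "reg": word & 0x1F, "bit": bit, "target": target}
    return None

def find_forced_branches(original, patched, base, min_bit=24):
    """Compare two code regions word by word and report each address where a
    conditional TBZ/TBNZ testing bit >= min_bit became an unconditional B to
    the same target (the guard-removal pattern described in this note)."""
    hits = []
    for off in range(0, min(len(original), len(patched)) - 3, 4):
        a = struct.unpack_from("<I", original, off)[0]
        b = struct.unpack_from("<I", patched, off)[0]
        if a == b:
            continue
        pc = base + off
        before, after = decode_branch(a, pc), decode_branch(b, pc)
        if (before and after and before["kind"] in ("TBZ", "TBNZ")
                and after["kind"] == "B" and before["bit"] >= min_bit
                and before["target"] == after["target"]):
            hits.append({"addr": pc, "bit": before["bit"], "target": after["target"]})
    return hits

# Constructed sample region: NOP; TBNZ x8, #25, +0x40; NOP; RET
BASE = 0x10000
ORIGINAL = struct.pack("<4I", 0xD503201F, 0x37C80208, 0xD503201F, 0xD65F03C0)
# Same region with the guard rewritten to B +0x40 (0x14000010)
PATCHED = struct.pack("<4I", 0xD503201F, 0x14000010, 0xD503201F, 0xD65F03C0)

if __name__ == "__main__":
    for hit in find_forced_branches(ORIGINAL, PATCHED, BASE):
        print("forced branch at %#x (tested bit %d, target %#x)" % (hit["addr"], hit["bit"], hit["target"]))
```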

Expected outcome

  • Forces the protection-check branch in the vm_map_protect flow to be bypassed.

Target

  • The high-bit permission/attribute guard branch on the vm_map_protect path.

IDA MCP evidence

  • String: 0xfffffe0007049ab7 ("vm_map_protect(%p,...)")
  • xref: 0xfffffe0007bc4680
  • containing function start: 0xfffffe0007bc405c

Risk

  • This may allow mapping/protection transitions that original VM policy intended to reject.