As part of HTool I wanted to add in-depth analysis of iOS Kernel Caches - especially Kernel Extensions. The iOS version of XNU differs from that of macOS as the kernel is instead shipped as a cache file, rather than a simple executable binary. The kernelcache differs from the standalone kernel as instead of shipping seperate .kext Mach-O files in a seperate directory, which the Kernel then searches for and load’s, iOS kernelcache’s have all the extensions bundled into the same Mach-O file. This is similar to how all libraries are merged into the dyld_shared_cache.

I don’t intend for this to be a long post, just a quick announcement. HTool has been released! Beta 1 is available for download here with detailed usage information and download links for both macOS and iOS. Linux support is planned, but not for the next few beta’s.

As some of you may have already been aware, for the past few weeks I have been working on Libhelper. This is a small library aimed at assisting the handling and parsing of Mach-O files, Image4 files and other things related to iOS Security analysis.

I’ve recently been working a lot with parsing Mach-O files, so I’m begining to understand in a fair bit of detail how they are structured and how they work. I’ve been developing a library, called libhelper, which can parse Mach-O files. Libhelper-macho also powers Img4helper, and HTool.