From f54a7d952e9d96749592f32438cd2cbfe9d9f5f6 Mon Sep 17 00:00:00 2001
From: royalgraphx <39929362+royalgraphx@users.noreply.github.com>
Date: Sun, 1 Dec 2024 04:47:16 -0600
Subject: [PATCH] Further flesh out sysctl children resolution

---
 VMHide/kern_start.cpp | 45 +++++++++++++++++++++++++++++++++++++++++--
 VMHide/kern_start.hpp | 5 +++++
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/VMHide/kern_start.cpp b/VMHide/kern_start.cpp
index 61d61fb..224d254 100644
--- a/VMHide/kern_start.cpp
+++ b/VMHide/kern_start.cpp
@@ -11,10 +11,50 @@
 static VMH vmhInstance;
 VMH *VMH::callbackVMH;
 
+// gets sysctl__children memory address and returns it
+mach_vm_address_t sysctlChildrenAddr(KernelPatcher &patcher) {
+
+ // resolve the _sysctl__children symbol with the given patcher
+ mach_vm_address_t sysctlChildrenAddress = patcher.solveSymbol(KernelPatcher::KernelID, "_sysctl__children");
+
+ // check if the address was successfully resolved, else return 0
+ if (sysctlChildrenAddress) {
+ DBGLOG(MODULE_SYSCTL, "Resolved _sysctl__children at address: 0x%llx", sysctlChildrenAddress);
+
+ // cast the address to sysctl_oid_list*
+ sysctl_oid_list *sysctlChildren = reinterpret_cast(sysctlChildrenAddress);
+
+ // log the address for debugging
+ DBGLOG(MODULE_SYSCTL, "Sysctl children list at address: 0x%llx", reinterpret_cast(sysctlChildren));
+
+ // iterate over the sysctl_oid_list
+ sysctl_oid *oid;
+ SLIST_FOREACH(oid, sysctlChildren, oid_link) {
+ // log each OID's name and number
+ DBGLOG(MODULE_SYSCTL, "OID Name: %s, OID Number: %d", oid->oid_name, oid->oid_number);
+ }
+
+ return sysctlChildrenAddress;
+ } else {
+ KernelPatcher::Error err = patcher.getError();
+ SYSLOG(MODULE_SYSCTL, "Failed to resolve _sysctl__children. (Lilu returned: %d)", err);
+ patcher.clearError();
+ return 0;
+ }
+
+}
+
 // Function to solve the _sysctl__children symbol address
 static void solveSysCtlChildrenAddr(void *user __unused, KernelPatcher &Patcher) {
- DBGLOG(MODULE_SYSCTL, "solveSysCtlChildrenAddr called");
+ // Log area
+ DBGLOG(MODULE_SYSCTL, "solveSysCtlChildrenAddr called after Patcher loaded successfully.");
+
+ // Get the address of _sysctl__children here
+ mach_vm_address_t sysCtlChildrenAddress = sysctlChildrenAddr(Patcher);
+
+ // Log area
+ DBGLOG(MODULE_SYSCTL, "mach_vm_address_t of sysCtlChildrenAddress is: 0x%llx", sysCtlChildrenAddress);
 }
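Review bot: The SLIST_FOREACH walk over sysctlChildren in sysctlChildrenAddr runs with no synchronization against the kernel's own sysctl tree; XNU serializes OID registration and removal on this list with its sysctl geometry lock, so a kext loading concurrently could mutate the list mid-traversal — confirm against the target XNU version and, if it holds, either take the read lock around the loop or drop the diagnostic walk, since the function's contract is only to return the address. The `%s` of `oid->oid_name` also assumes every node carries a non-null name; a `oid->oid_name ? oid->oid_name : "(null)"` guard is cheap. As rendered here both casts read `reinterpret_cast(sysctlChildrenAddress)` with no target type, which will not compile — if that is just the template argument being lost in rendering, ignore; otherwise the `<sysctl_oid_list *>` (and `<uint64_t>` for the second log) needs restoring. Both sysctlChildrenAddr and solveSysCtlChildrenAddr are complete within the hunk.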
@@ -26,7 +66,8 @@ void VMH::init() {
 DBGLOG(MODULE_INIT, "Hello World from VMHide!");
 
 // Register the root function to solve _sysctl__children on patcher load
- lilu.onPatcherLoad(solveSysCtlChildrenAddr);
+ DBGLOG(MODULE_INIT, "Attempting to onPatcherLoadForce...");
+ lilu.onPatcherLoadForce(solveSysCtlChildrenAddr);
 }
diff --git a/VMHide/kern_start.hpp b/VMHide/kern_start.hpp
index 7599d0e..7462db0 100644
--- a/VMHide/kern_start.hpp
+++ b/VMHide/kern_start.hpp
@@ -51,6 +51,11 @@ class VMH {
 */
 static void solveSysCtlChildrenAddr(void *user __unused, KernelPatcher &Patcher);
 
+ /**
+ * Returns address for the sysctl children symbol
+ */
+ mach_vm_address_t sysctlChildrenAddr(KernelPatcher &patcher);
+
 /**
 * Function to reroute kern hv vmm present function to our own custom one in VMH
 */
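Review bot: The comment above the call still reads "on patcher load" while the call now uses `onPatcherLoadForce`, and neither the commit message nor the code says why the forced variant is needed. Since the two Lilu entry points differ in when the callback is invoked, the added "Attempting to onPatcherLoadForce..." DBGLOG would be better replaced by a why-comment such as `// onPatcherLoadForce: needed so solveSysCtlChildrenAddr still runs when <reason — fill in from the Lilu docs>`, keeping the log only if it reports something the callback's own "called" log does not. VMH::init begins before this hunk.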
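Review bot: The declaration added inside `class VMH` is a non-static member function, but the definition this commit adds in kern_start.cpp (its first hunk) is a namespace-scope free function `mach_vm_address_t sysctlChildrenAddr(KernelPatcher &patcher)`, so the member is declared but never defined and the free function is what the static callback solveSysCtlChildrenAddr actually calls. Either declare it `static mach_vm_address_t sysctlChildrenAddr(KernelPatcher &patcher);` here and define it as `VMH::sysctlChildrenAddr` in the .cpp, or drop this declaration and mark the .cpp definition `static` like its neighbour so it does not become an exported symbol of the kext. The doc comment should also state the failure contract the definition establishes: `Returns the resolved address of _sysctl__children, or 0 if Lilu could not solve the symbol.` The class body starts and ends outside the hunk.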