I was looking at Michael Lynn’s presentation on IOS exploitation and rootkit development, and thought I’d have a crack at finding some of the functions he documents. I cheated, because Lynn had already done the work to find the function prototype where he identifies an argument as being the process name. This is enough to find CreateThread. Simply match the address of the string (search sequence of bytes some names you get from ‘show proc’ in IOS, eg “Chunk Manager”). Then match the address with an operand (search immediate value). You might have to search for the upper and lower 16 bits individually as MIPS sometimes needs this to load a 32 bit address.
In Lynns slides, he documents the prototype as –>
void *CreateThread(void *entryPoint, char *name, int something, int dunno);
The 3rd argument (something) I identified as the stack size (which can be seen in ‘show proc’). I had been looking at the stack on each process while trying to work out my call tracer (which I couldn’t get to work), so when I saw the value in CreateThread, I quickly put 2 and 2 together.
As for that fourth argument, dunno.. which brings me to my next point. I really should learn IDA scripting, as putting the entry points for each process into IDA with meaningful names would be very handy.