Kernel Hooks using the UI
The Kernel Hooks feature is available only for iOS devices, and only to on-site customers.
When you navigate to the iOS device you will see a new Kernel Hooks tab (1) available. To start using this feature, you need to power on (2) the device first.
Overview
You can configure kernel hook behavior for select devices.
A few options are available:
- Disabled
- Enabled
- Enabled next boot only
Creating your first hook
If you wanted to hook into the execve sandbox hook at 0xfffffff0068a1b1c, typically you would use something like this in the debugger:
mon patch 0xfffffff0068a1b1c print("execve sandbox hook\n");
To do the same thing in the Corellium UI, you can create a new hook by clicking the add new hook button (1).
When you click the add new hook button, you will see a new hook draft:
- Hook name. By default every new hook name follows the pattern hook {hook order number}; you can change it to something more recognizable.
- Hook address. Must be a valid hex address and 16 chars long.
- Patch type. Supports csmfcc and csmfvm (more on this below).
- Hook code itself
- Is the hook enabled?
- Create hook
- Discard unsaved hook
- A little tooltip which indicates a hook's status (draft hooks have an orange icon color)
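The debugger one-liner above and the hook draft fields describe the same thing in two forms. The following added example (not Corellium code) turns a "mon patch <address> <code>" line into the fields the UI asks for and applies the address rule the page states; the draft field names, the handling of the 0x prefix, and the default to csmfcc are this example's own assumptions.

```python
"""Convert a debugger 'mon patch' line into a Kernel Hooks UI draft.

Added example, not Corellium code. The draft field names (name, address,
patch_type, patch, enabled) are assumptions mirroring the UI labels on the
page. Assumed: the UI's "16 chars long" rule counts hex digits without
a 0x prefix, and csmfcc is the patch type for C-like hook code.
"""
import re
from dataclasses import dataclass

# 'mon patch <address> <hook code>' -- the debugger form shown on the page.
MON_PATCH_RE = re.compile(r"^\s*mon\s+patch\s+(0x[0-9a-fA-F]+|[0-9a-fA-F]+)\s+(.+?)\s*$")
PATCH_TYPES = ("csmfcc", "csmfvm")


@dataclass
class HookDraft:
    name: str
    address: str        # 16 lowercase hex digits, no 0x prefix
    patch_type: str     # "csmfcc" or "csmfvm"
    patch: str          # the hook code itself
    enabled: bool = True


def default_hook_name(order):
    """Default name pattern from the page: 'hook {hook order number}'."""
    return f"hook {order}"


def normalize_address(text):
    """Return the 16 hex digits of a kernel address, or raise ValueError.

    Accepts an optional 0x prefix (assumption) and rejects anything that is
    not exactly 16 hex digits, matching the UI's stated address rule.
    """
    digits = text.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"hook address must be 16 hex digits: {text!r}")
    return digits


def draft_from_mon_patch(line, order, patch_type="csmfcc", enabled=True):
    """Parse a 'mon patch' debugger line into a HookDraft.

    Rejects malformed lines, bad addresses and unknown patch types so a
    draft never reaches the UI with fields the page says are invalid.
    """
    if patch_type not in PATCH_TYPES:
        raise ValueError(f"patch type must be one of {PATCH_TYPES}: {patch_type!r}")
    match = MON_PATCH_RE.match(line)
    if match is None:
        raise ValueError(f"not a 'mon patch <address> <code>' line: {line!r}")
    address, code = match.group(1), match.group(2)
    return HookDraft(
        name=default_hook_name(order),
        address=normalize_address(address),
        patch_type=patch_type,
        patch=code,
        enabled=enabled,
    )


if __name__ == "__main__":
    # The page's own debugger example, constructed here as input.
    example = 'mon patch 0xfffffff0068a1b1c print("execve sandbox hook\\n");'
    print(draft_from_mon_patch(example, order=1))
```

The draft it produces carries the same address and hook code as the debugger line, with the name the UI would assign by default; rename it before saving if you want something more recognizable.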
Patch Types
csmfcc: A limited C-like language. This compiles into csmfvm automatically.
csmfvm: Custom stack-based virtual machine language.
Existing Hooks
Once you have created your first hook you can see extra buttons (4, 5, 6).
- Updated tooltip with created/updated datetime + enabled/disabled status
- Update hook data
- Delete hook (confirmation required)
- Execute all hooks
- See execution result in device Console (navigates directly to the device Console)
- Clears hooks execution result
- Add one more hook (same steps as creating your first hook)
Searching through hooks
If you have more than 5 hooks, you can search by hook name and see the matching results.