I've disassembled the function in question (_utilPurgeDiskBuffers) from the CHUD framework. The function doesn't seem to be very complex, but since I'm no MacOS programmer, the imports and called sys APIs don't make much sense to me.

The first thing the API does is to call another function, namely _miscUtilsUserClientConnect_internal. This function seems to establish a connection to the CHUD kernel extension. To do this, it calls _getCHUDUtilsKextService, which tries to locate the CHUD kernel extension by enumerating all kexts using the IORegistryCreateIterator imported from the I/O kit.

After the kext has been found, it is opened via _IOServiceOpen. At this point we have a connection to the CHUD kext (at least that's my understanding from the disassembly listing). Finally, a call to IOConnectMethodStructureIStructureO is made, which I guess carries out the real magic.