Corellium virtual devices offer user programs running inside the CHARM hypervisor a way to access either kernel or physical views of VM RAM. This allows users to write research tools that do not rely on other, more complex, paths to gain that privilege, which is normally reserved for the kernel.
The access interface has two parts. The first part allows for obtaining information on the kernel location in memory, as well as the current values of relevant Arm system registers. The second part operates like a privileged equivalent to the memcpy function, adding the ability to copy data across typically privileged address space boundaries.
Note: kernel memory page faults are not supported; they will result in partial copy (and return value set appropriately). User page faults are supported.
Only 64-bit EL0 code can use this interface and is accessed via the use of HVC instructions. The exact syntax form differs slightly between iOS and Android VMs. Both are shown below, and are also available in the Corellium GitHub as guest-tools, along with examples.
The following header file declares the interface for both:
Experience Corellium’s groundbreaking virtualization technology for mobile devices and discover never-before-possible mobile vulnerability and threat research for iOS and Android phones. Book a meeting today to explore how our platform can optimize mobile security research and malware analysis.