Issue
If ASLR plays a role in iOS and randomizes the start address of the heap, then how can I get the start address of the current process's heap, and of other processes' heaps, from a pid?
In aslr.c, supplied with the paper "iOS kernel Exploitation", it seems that you try to get the start address of the current process's heap with the code below.
void* heap = malloc(0);
I tested the code and found that the return values are not all the same. According to ISO/IEC 9899:TC2 (i.e. the C99 standard), §7.20.3 states:
If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object.
Solution
If ASLR plays a role in iOS and randomizes the start address of the heap,
It does.
then how can I get the start address of the current process's heap, and of other processes' heaps, from a pid?
You can't (at least not easily -- I can't think of any method, short of attaching GDB and examining the glibc-internal variable __curbrk).
I tested the code and found that the return values are not all the same
Why did you expect them to be the same?
In a single executable, with ASLR disabled, malloc(0) inside main will return the same value. If you enable ASLR, you'll get different values. If you build different executables, you'll get different values.
Answered By - Employed Russian
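The answer's point, that malloc(0) inside main returns the same address run after run only when ASLR is off, can be checked directly. The program below is an added example, not code from the question, the answer, or the aslr.c the question refers to. It assumes a POSIX system (Linux or macOS) with fork, pipe and execl: when started normally it re-executes itself several times with a --probe argument, reads back one address each from the heap, the stack, its own text segment and libc, and reports how many distinct values each mapping took. The function names heap_probe, collect_addrs, parse_probe_line, count_distinct and run_probe are chosen here for the example. It also handles the implementation-defined malloc(0) case the question quotes: a NULL result falls back to malloc(1) so the probe still gets a heap address.

```c
/*
 * Added example: an ASLR probe that re-executes itself a few times and
 * compares the heap, stack, text and libc addresses each child reports.
 * Assumes a POSIX system (Linux or macOS). Not code from the original page.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>
#include <unistd.h>
#include <sys/wait.h>

#define N_ADDRS 4
#define RUNS 5
static const char *const ADDR_NAMES[N_ADDRS] = { "heap", "stack", "text", "libc" };

/* malloc(0) is implementation-defined (C99 7.20.3): it may return NULL or a
 * unique pointer that must not be dereferenced. Fall back to one byte so the
 * probe always has a real heap address to report. */
void *heap_probe(void) {
    void *p = malloc(0);
    if (p == NULL)
        p = malloc(1);
    return p;
}

/* Record one address from each mapping of interest in the current process. */
void collect_addrs(uintptr_t out[N_ADDRS]) {
    int stack_var = 0;
    void *heap = heap_probe();
    out[0] = (uintptr_t)heap;
    out[1] = (uintptr_t)&stack_var;
    out[2] = (uintptr_t)&collect_addrs; /* text segment of this executable */
    out[3] = (uintptr_t)&printf;        /* libc (or the PLT stub into it) */
    free(heap);
}

/* Parse a probe line such as "0x55d1 0x7ffc 0x55d0 0x7f3a"; returns 1 on success. */
int parse_probe_line(const char *line, uintptr_t out[N_ADDRS]) {
    const char *p = line;
    for (int i = 0; i < N_ADDRS; i++) {
        char *end;
        unsigned long long v = strtoull(p, &end, 16);
        if (end == p)
            return 0;
        out[i] = (uintptr_t)v;
        p = end;
    }
    return 1;
}

/* Count distinct values in vals[0..n). One distinct value across all runs
 * means that mapping was not randomized. */
size_t count_distinct(const uintptr_t *vals, size_t n) {
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++)
            if (vals[j] == vals[i])
                break;
        if (j == i)
            distinct++;
    }
    return distinct;
}

/* Re-exec argv0 with "--probe" in a child and parse the line it prints. */
static int run_probe(const char *argv0, uintptr_t out[N_ADDRS]) {
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl(argv0, argv0, "--probe", (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    char line[256] = {0};
    ssize_t n = read(fds[0], line, sizeof line - 1);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return n > 0 && parse_probe_line(line, out);
}

int main(int argc, char **argv) {
    uintptr_t a[N_ADDRS];
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        collect_addrs(a);
        printf("0x%" PRIxPTR " 0x%" PRIxPTR " 0x%" PRIxPTR " 0x%" PRIxPTR "\n",
               a[0], a[1], a[2], a[3]);
        return 0;
    }
    uintptr_t seen[N_ADDRS][RUNS];
    for (size_t r = 0; r < RUNS; r++) {
        if (!run_probe(argv[0], a)) {
            perror("probe");
            return 1;
        }
        for (int i = 0; i < N_ADDRS; i++)
            seen[i][r] = a[i];
    }
    for (int i = 0; i < N_ADDRS; i++) {
        size_t d = count_distinct(seen[i], RUNS);
        printf("%-5s: %zu distinct addresses in %d runs -> %s\n",
               ADDR_NAMES[i], d, RUNS, d > 1 ? "randomized" : "fixed");
    }
    return 0;
}
```

Build and run it with a path (for example `cc -o aslr_probe aslr_probe.c && ./aslr_probe`), since execl uses argv[0] as given and does not search PATH. On Linux you can compare the two cases the answer describes by running it once normally and once under `setarch $(uname -m) -R ./aslr_probe`, which disables ASLR for that process tree; with randomization off every mapping reports one distinct address, with it on the heap, stack and libc change on every run, and the text segment changes too if the binary was built as a PIE.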