SceNetPs

Module
The SceNetPs module is stored in the file bootfs:net_ps.elf and, since FW 3.61, also in os0:kd/net_ps_dev.skprx.

net_ps_dev.skprx was introduced in FW 3.61 to patch the HENkaku kernel exploit. net_ps_dev.skprx exists only in the DevKit os0: and is loaded instead of net_ps.skprx only in development mode. Its basic exports, etc. are the same as those of net_ps.elf.

sceNetRegisterDeviceForDriver
Registers a network interface in the OS.

Fills the netdev_t structure with OS functions, allocates the netdev2_t and netdev3_t structures, and finally adds the interface to the global interface linked list.

Custom malloc/free implementation
This module contains a custom malloc and free implementation.

In 3.35  is located at offset 0x57b8 and   at 0x5a40.

Another way to find them is to search for the immediate value 0x4D61416B: one occurrence is in a data segment and is referenced by malloc, the other is an immediate value used by free.

Here's an illustration of how allocated/free chunks work:



Chunks are linked to each other but, for example, a busy chunk and a free chunk are never linked.

The primary problem with exploiting heap overflows is the red "heap cookies":,  ,.

When a chunk is allocated and the freelist is iterated, the code checks for the presence of "FrEe" on every iterated chunk.

When a chunk is freed, the code checks for "BuSy" and "MaAk".

If cookies don't match, the code does an  which crashes the system.

Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.

Also, these implementations are entirely part of SceNetPs, so you can't use this logic to call sceNetPsMalloc with a custom heap.
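The cookie checks described in this section, modeled as a small C demo to show how the trailing "MaAk" cookie catches a linear overflow and how "FrEe" catches a double free. This is an added example, not SceNetPs code: the 8-byte header, the bump arena and the demo_* / imm_to_text names are assumptions; only the cookie strings and the 0x4D61416B constant come from the page.

```c
#include <stdint.h>
#include <string.h>

/* Cookie strings come from the page. The 8-byte header, the bump arena and
 * all demo_* names are assumptions for this demo, not the SceNetPs layout. */
enum chk { CHK_OK, CHK_BAD_HEAD, CHK_BAD_TAIL };
#define HDR 8                        /* [cookie:4][size:4], hypothetical */
static _Alignas(8) unsigned char arena[256];
static size_t used;

/* 0x4D61416B read most-significant byte first spells the trailer cookie. */
void imm_to_text(uint32_t v, char out[5]) {
    for (int i = 0; i < 4; i++) out[i] = (char)((v >> (24 - 8 * i)) & 0xFF);
    out[4] = '\0';
}

void *demo_malloc(uint32_t size) {
    if (size > sizeof arena) return NULL;
    size_t total = (HDR + (size_t)size + 4 + 7) & ~(size_t)7;
    if (total > sizeof arena - used) return NULL;
    unsigned char *c = arena + used;
    used += total;
    memcpy(c, "BuSy", 4);
    memcpy(c + 4, &size, 4);
    /* The trailer follows the user bytes directly, so it can be unaligned:
     * touch it only with memcpy/memcmp, never through a uint32_t pointer. */
    memcpy(c + HDR + size, "MaAk", 4);
    return c + HDR;
}

/* Checks the two cookies the page lists for free: "BuSy" and "MaAk".
 * The real module crashes the system on a mismatch; the demo returns a code. */
enum chk demo_free(void *p) {
    unsigned char *c = (unsigned char *)p - HDR;
    uint32_t size;
    if (memcmp(c, "BuSy", 4) != 0) return CHK_BAD_HEAD;
    memcpy(&size, c + 4, 4);
    if (size > (size_t)(arena + sizeof arena - c) - HDR - 4) return CHK_BAD_TAIL;
    if (memcmp(c + HDR + size, "MaAk", 4) != 0) return CHK_BAD_TAIL;
    memcpy(c, "FrEe", 4);            /* a second free now fails the head check */
    return CHK_OK;
}

int main(void) {
    unsigned char *b = demo_malloc(5);   /* constructed input */
    memset(b, 'B', 6);                   /* one byte past the request */
    return demo_free(b) == CHK_BAD_TAIL ? 0 : 1;
}
```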

sceNetPsFree
Return type may not be correct