mirror of
https://github.com/Karmaz95/Snake_Apple.git
synced 2026-07-10 19:43:40 +02:00
This commit is contained in:
@@ -33,11 +33,47 @@ Each article directory contains three subdirectories:
|
||||
Core program resulting from the Snake&Apple article series for binary analysis. You may find older versions of this script in each article directory in this repository.
|
||||
* Usage
|
||||
```console
|
||||
usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian] [--header] [--load_commands] [--segments] [--sections] [--symbols] [--imported_symbols] [--chained_fixups] [--exports_trie] [--uuid] [--main] [--encryption_info [(optional) save_path.bytes]] [--strings_section] [--all_strings]
|
||||
[--save_strings all_strings.txt] [--info] [--verify_signature] [--cd_info] [--cd_requirements] [--entitlements [human|xml|var]] [--extract_cms cms_signature.der] [--extract_certificates certificate_name] [--remove_sig unsigned_binary] [--sign_binary [adhoc|identity]] [--has_pie] [--has_arc]
|
||||
[--is_stripped] [--has_canary] [--has_nx_stack] [--has_nx_heap] [--has_xn] [--is_notarized] [--is_encrypted] [--is_restricted] [--is_hr] [--is_as] [--is_fort] [--has_rpath] [--has_lv] [--checksec] [--dylibs] [--rpaths] [--rpaths_u] [--dylibs_paths] [--dylibs_paths_u]
|
||||
[--broken_relative_paths] [--dylibtree [cache_path,output_path,is_extracted]] [--dylib_id] [--reexport_paths] [--hijack_sec] [--dylib_hijacking [(optional) cache_path]] [--dylib_hijacking_a [cache_path]] [--prepare_dylib [(optional) target_dylib_name]] [--is_built_for_sim] [--get_dyld_env]
|
||||
[--compiled_with_dyld_env] [--has_interposing] [--interposing_symbols]
|
||||
usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian]
|
||||
[--header] [--load_commands] [--has_cmd LC_MAIN]
|
||||
[--segments] [--has_segment __SEGMENT] [--sections]
|
||||
[--has_section __SEGMENT,__section] [--symbols]
|
||||
[--imports] [--exports] [--imported_symbols]
|
||||
[--chained_fixups] [--exports_trie] [--uuid] [--main]
|
||||
[--encryption_info [(optional) save_path.bytes]]
|
||||
[--strings_section] [--all_strings]
|
||||
[--save_strings all_strings.txt] [--info]
|
||||
[--dump_data [offset,size,output_path]]
|
||||
[--calc_offset vm_offset] [--constructors]
|
||||
[--verify_signature] [--cd_info] [--cd_requirements]
|
||||
[--entitlements [human|xml|var]]
|
||||
[--extract_cms cms_signature.der]
|
||||
[--extract_certificates certificate_name]
|
||||
[--remove_sig unsigned_binary]
|
||||
[--sign_binary [adhoc|identity]] [--cs_offset]
|
||||
[--cs_flags] [--has_pie] [--has_arc] [--is_stripped]
|
||||
[--has_canary] [--has_nx_stack] [--has_nx_heap]
|
||||
[--has_xn] [--is_notarized] [--is_encrypted]
|
||||
[--is_restricted] [--is_hr] [--is_as] [--is_fort]
|
||||
[--has_rpath] [--has_lv] [--checksec] [--dylibs]
|
||||
[--rpaths] [--rpaths_u] [--dylibs_paths]
|
||||
[--dylibs_paths_u] [--broken_relative_paths]
|
||||
[--dylibtree [cache_path,output_path,is_extracted]]
|
||||
[--dylib_id] [--reexport_paths] [--hijack_sec]
|
||||
[--dylib_hijacking [(optional) cache_path]]
|
||||
[--dylib_hijacking_a [cache_path]]
|
||||
[--prepare_dylib [(optional) target_dylib_name]]
|
||||
[--is_built_for_sim] [--get_dyld_env]
|
||||
[--compiled_with_dyld_env] [--has_interposing]
|
||||
[--interposing_symbols]
|
||||
[--dump_prelink_info [(optional) out_name]]
|
||||
[--dump_prelink_text [(optional) out_name]]
|
||||
[--dump_prelink_kext [kext_name]]
|
||||
[--kext_prelinkinfo [kext_name]]
|
||||
[--kmod_info kext_name] [--kext_entry kext_name]
|
||||
[--kext_exit kext_name] [--mig] [--has_suid]
|
||||
[--has_sgid] [--has_sticky] [--injectable_dyld]
|
||||
[--test_insert_dylib] [--test_prune_dyld]
|
||||
[--test_dyld_print_to_file]
|
||||
|
||||
Mach-O files parser for binary analysis
|
||||
|
||||
@@ -51,84 +87,188 @@ MACH-O ARGS:
|
||||
--endian Print binary endianess
|
||||
--header Print binary header
|
||||
--load_commands Print binary load commands names
|
||||
--has_cmd LC_MAIN Check of binary has given load command
|
||||
--segments Print binary segments in human-friendly form
|
||||
--has_segment __SEGMENT
|
||||
Check if binary has given '__SEGMENT'
|
||||
--sections Print binary sections in human-friendly form
|
||||
--has_section __SEGMENT,__section
|
||||
Check if binary has given '__SEGMENT,__section'
|
||||
--symbols Print all binary symbols
|
||||
--imported_symbols Print symbols imported from external libraries
|
||||
--imports Print imported symbols
|
||||
--exports Print exported symbols
|
||||
--imported_symbols Print symbols imported from external libraries with
|
||||
dylib names
|
||||
--chained_fixups Print Chained Fixups information
|
||||
--exports_trie Print Export Trie information
|
||||
--uuid Print UUID
|
||||
--main Print entry point and stack size
|
||||
--encryption_info [(optional) save_path.bytes]
|
||||
Print encryption info if any. Optionally specify an output path to dump the encrypted data (if cryptid=0, data will be in plain text)
|
||||
Print encryption info if any. Optionally specify an
|
||||
output path to dump the encrypted data (if cryptid=0,
|
||||
data will be in plain text)
|
||||
--strings_section Print strings from __cstring section
|
||||
--all_strings Print strings from all sections
|
||||
--save_strings all_strings.txt
|
||||
Parse all sections, detect strings, and save them to a file
|
||||
--info Print header, load commands, segments, sections, symbols, and strings
|
||||
Parse all sections, detect strings, and save them to a
|
||||
file
|
||||
--info Print header, load commands, segments, sections,
|
||||
symbols, and strings
|
||||
--dump_data [offset,size,output_path]
|
||||
Dump {size} bytes starting from {offset} to a given
|
||||
{filename} (e.g. '0x1234,0x1000,out.bin')
|
||||
--calc_offset vm_offset
|
||||
Calculate the real address (file on disk) of the given
|
||||
Virtual Memory {vm_offset} (e.g. 0xfffffe000748f580)
|
||||
--constructors Print binary constructors
|
||||
|
||||
CODE SIGNING ARGS:
|
||||
--verify_signature Code Signature verification (if the contents of the binary have been modified)
|
||||
--verify_signature Code Signature verification (if the contents of the
|
||||
binary have been modified)
|
||||
--cd_info Print Code Signature information
|
||||
--cd_requirements Print Code Signature Requirements
|
||||
--entitlements [human|xml|var]
|
||||
Print Entitlements in a human-readable, XML, or DER format (default: human)
|
||||
Print Entitlements in a human-readable, XML, or DER
|
||||
format (default: human)
|
||||
--extract_cms cms_signature.der
|
||||
Extract CMS Signature from the Code Signature and save it to a given file
|
||||
Extract CMS Signature from the Code Signature and save
|
||||
it to a given file
|
||||
--extract_certificates certificate_name
|
||||
Extract Certificates and save them to a given file. To each filename will be added an index at the end: _0 for signing, _1 for intermediate, and _2 for root CA certificate
|
||||
Extract Certificates and save them to a given file. To
|
||||
each filename will be added an index at the end: _0
|
||||
for signing, _1 for intermediate, and _2 for root CA
|
||||
certificate
|
||||
--remove_sig unsigned_binary
|
||||
Save the new file on a disk with removed signature
|
||||
--sign_binary [adhoc|identity]
|
||||
Sign binary using specified identity - use : 'security find-identity -v -p codesigning' to get the identity (default: adhoc)
|
||||
Sign binary using specified identity - use : 'security
|
||||
find-identity -v -p codesigning' to get the identity
|
||||
(default: adhoc)
|
||||
--cs_offset Print Code Signature file offset
|
||||
--cs_flags Print Code Signature flags
|
||||
|
||||
CHECKSEC ARGS:
|
||||
--has_pie Check if Position-Independent Executable (PIE) is set
|
||||
--has_arc Check if Automatic Reference Counting (ARC) is in use (can be false positive)
|
||||
--has_arc Check if Automatic Reference Counting (ARC) is in use
|
||||
(can be false positive)
|
||||
--is_stripped Check if binary is stripped
|
||||
--has_canary Check if Stack Canary is in use (can be false positive)
|
||||
--has_canary Check if Stack Canary is in use (can be false
|
||||
positive)
|
||||
--has_nx_stack Check if stack is non-executable (NX stack)
|
||||
--has_nx_heap Check if heap is non-executable (NX heap)
|
||||
--has_xn Check if binary is protected by eXecute Never (XN) ARM protection
|
||||
--is_notarized Check if the application is notarized and can pass the Gatekeeper verification
|
||||
--is_encrypted Check if the application is encrypted (has LC_ENCRYPTION_INFO(_64) and cryptid set to 1)
|
||||
--is_restricted Check if binary has __RESTRICT segment or CS_RESTRICT flag set
|
||||
--has_xn Check if binary is protected by eXecute Never (XN) ARM
|
||||
protection
|
||||
--is_notarized Check if the application is notarized and can pass the
|
||||
Gatekeeper verification
|
||||
--is_encrypted Check if the application is encrypted (has
|
||||
LC_ENCRYPTION_INFO(_64) and cryptid set to 1)
|
||||
--is_restricted Check if binary has __RESTRICT segment or CS_RESTRICT
|
||||
flag set
|
||||
--is_hr Check if the Hardened Runtime is in use
|
||||
--is_as Check if the App Sandbox is in use
|
||||
--is_fort Check if the binary is fortified
|
||||
--has_rpath Check if the binary utilise any @rpath variables
|
||||
--has_lv Check if the binary has Library Validation (protection against Dylib Hijacking)
|
||||
--has_lv Check if the binary has Library Validation (protection
|
||||
against Dylib Hijacking)
|
||||
--checksec Run all checksec module options on the binary
|
||||
|
||||
DYLIBS ARGS:
|
||||
--dylibs Print shared libraries used by specified binary with compatibility and the current version (loading paths unresolved, like @rpath/example.dylib)
|
||||
--rpaths Print all paths (resolved) that @rpath can be resolved to
|
||||
--rpaths_u Print all paths (unresolved) that @rpath can be resolved to
|
||||
--dylibs_paths Print absolute dylib loading paths (resolved @rpath|@executable_path|@loader_path) in order they are searched for
|
||||
--dylibs Print shared libraries used by specified binary with
|
||||
compatibility and the current version (loading paths
|
||||
unresolved, like @rpath/example.dylib)
|
||||
--rpaths Print all paths (resolved) that @rpath can be resolved
|
||||
to
|
||||
--rpaths_u Print all paths (unresolved) that @rpath can be
|
||||
resolved to
|
||||
--dylibs_paths Print absolute dylib loading paths (resolved
|
||||
@rpath|@executable_path|@loader_path) in order they
|
||||
are searched for
|
||||
--dylibs_paths_u Print unresolved dylib loading paths.
|
||||
--broken_relative_paths
|
||||
Print 'broken' relative paths from the binary (cases where the dylib source is specified for an executable directory without @executable_path)
|
||||
Print 'broken' relative paths from the binary (cases
|
||||
where the dylib source is specified for an executable
|
||||
directory without @executable_path)
|
||||
--dylibtree [cache_path,output_path,is_extracted]
|
||||
Print the dynamic dependencies of a Mach-O binary recursively. You can specify the Dyld Shared Cache path in the first argument, the output directory as the 2nd argument, and if you have already extracted DSC in the 3rd argument (0 or 1). The output_path will be used as a base for
|
||||
dylibtree. For example, to not extract DSC, use: --dylibs ",,1", or to extract from default to default use just --dylibs or --dylibs ",,0" which will extract DSC to extracted_dyld_share_cache/ in the current directory
|
||||
Print the dynamic dependencies of a Mach-O binary
|
||||
recursively. You can specify the Dyld Shared Cache
|
||||
path in the first argument, the output directory as
|
||||
the 2nd argument, and if you have already extracted
|
||||
DSC in the 3rd argument (0 or 1). The output_path will
|
||||
be used as a base for dylibtree. For example, to not
|
||||
extract DSC, use: --dylibs ",,1", or to extract from
|
||||
default to default use just --dylibs or --dylibs ",,0"
|
||||
which will extract DSC to extracted_dyld_share_cache/
|
||||
in the current directory
|
||||
--dylib_id Print path from LC_ID_DYLIB
|
||||
--reexport_paths Print paths from LC_REEXPORT_DLIB
|
||||
--hijack_sec Check if binary is protected against Dylib Hijacking
|
||||
--dylib_hijacking [(optional) cache_path]
|
||||
Check for possible Direct and Indirect Dylib Hijacking loading paths. The output is printed to console and saved in JSON format to /tmp/dylib_hijacking_log.json(append mode). Optionally, specify the path to the Dyld Shared Cache
|
||||
Check for possible Direct and Indirect Dylib Hijacking
|
||||
loading paths. The output is printed to console and
|
||||
saved in JSON format to
|
||||
/tmp/dylib_hijacking_log.json(append mode).
|
||||
Optionally, specify the path to the Dyld Shared Cache
|
||||
--dylib_hijacking_a [cache_path]
|
||||
Like --dylib_hijacking, but shows only possible vectors (without protected binaries)
|
||||
Like --dylib_hijacking, but shows only possible
|
||||
vectors (without protected binaries)
|
||||
--prepare_dylib [(optional) target_dylib_name]
|
||||
Compile rogue dylib. Optionally, specify target_dylib_path, it will search for the imported symbols from it in the dylib specified in the --path argument and automatically add it to the source code of the rogue lib. Example: --path lib1.dylib --prepare_dylib /path/to/lib2.dylib
|
||||
Compile rogue dylib. Optionally, specify
|
||||
target_dylib_path, it will search for the imported
|
||||
symbols from it in the dylib specified in the --path
|
||||
argument and automatically add it to the source code
|
||||
of the rogue lib. Example: --path lib1.dylib
|
||||
--prepare_dylib /path/to/lib2.dylib
|
||||
|
||||
DYLD ARGS:
|
||||
--is_built_for_sim Check if binary is built for simulator platform.
|
||||
--get_dyld_env Extract Dyld environment variables from the loader binary.
|
||||
--get_dyld_env Extract Dyld environment variables from the loader
|
||||
binary.
|
||||
--compiled_with_dyld_env
|
||||
Check if binary was compiled with -dyld_env flag and print the environment variables and its values.
|
||||
Check if binary was compiled with -dyld_env flag and
|
||||
print the environment variables and its values.
|
||||
--has_interposing Check if binary has interposing sections.
|
||||
--interposing_symbols
|
||||
Print interposing symbols if any.
|
||||
|
||||
AMFI ARGS:
|
||||
--dump_prelink_info [(optional) out_name]
|
||||
Dump "__PRELINK_INFO,__info" to a given file (default:
|
||||
"PRELINK_info.txt")
|
||||
--dump_prelink_text [(optional) out_name]
|
||||
Dump "__PRELINK_TEXT,__text" to a given file (default:
|
||||
"PRELINK_text.txt")
|
||||
--dump_prelink_kext [kext_name]
|
||||
Dump prelinked KEXT {kext_name} from decompressed
|
||||
Kernel Cache PRELINK_TEXT segment to a file named:
|
||||
prelinked_{kext_name}.bin
|
||||
--kext_prelinkinfo [kext_name]
|
||||
Print _Prelink properties from PRELINK_INFO,__info for
|
||||
a give {kext_name}
|
||||
--kmod_info kext_name
|
||||
Parse kmod_info structure for the given {kext_name}
|
||||
from Kernel Cache
|
||||
--kext_entry kext_name
|
||||
Calculate the virtual memory address of the __start
|
||||
(entrpoint) for the given {kext_name} Kernel Extension
|
||||
--kext_exit kext_name
|
||||
Calculate the virtual memory address of the __stop
|
||||
(exitpoint) for the given {kext_name} Kernel Extension
|
||||
--mig Search for MIG subsystem and prints message handlers
|
||||
--has_suid Check if the file has SetUID bit set
|
||||
--has_sgid Check if the file has SetGID bit set
|
||||
--has_sticky Check if the file has sticky bit set
|
||||
--injectable_dyld Check if the binary is injectable using
|
||||
DYLD_INSERT_LIBRARIES
|
||||
--test_insert_dylib Check if it is possible to inject dylib using
|
||||
DYLD_INSERT_LIBRARIES (INVASIVE - the binary is
|
||||
executed)
|
||||
--test_prune_dyld Check if Dyld Environment Variables are cleared (using
|
||||
DYLD_PRINT_INITIALIZERS=1) (INVASIVE - the binary is
|
||||
executed)
|
||||
--test_dyld_print_to_file
|
||||
Check if YLD_PRINT_TO_FILE Dyld Environment Variables
|
||||
works (INVASIVE - the binary is executed)
|
||||
|
||||
```
|
||||
* Example:
|
||||
```bash
|
||||
@@ -268,6 +408,14 @@ Print the total Mach-O files analyzed and how many DYLIB-related LCs existed
|
||||
```console
|
||||
MachODylibLoadCommandsFinder 2>/dev/null
|
||||
```
|
||||
***
|
||||
### [check_amfi](VI.%20AMFI/python/check_amfi.py)
|
||||
Simple script for calculating `amfiFlags` (described [here](https://karol-mazurek.medium.com/dyld-do-you-like-death-vi-1013a69118ff) in `ProcessConfig — AMFI properties`)
|
||||
* Usage:
|
||||
```console
|
||||
python3 check_amfi.py 0x1df
|
||||
```
|
||||
|
||||
|
||||
## INSTALL
|
||||
```
|
||||
@@ -300,10 +448,11 @@ Each Snake class will be a child of the previous one and infinitely "eat itself"
|
||||
* Every method in the Snake class that use Entitlements should parse first XML > DER (currently, only XML parser exists)
|
||||
* After making a SuperBlob parser and CodeDirectory blob parser, modify hasHardenedRuntime to check Runtime flag by using bitmask, instead of string.
|
||||
* Build Dyld Shared Cache parser and extractor to make SnakeIV independant of dyld-shared-cache-extractor.
|
||||
* Make testing branch and implement tests, before pushing new updates.
|
||||
* Create `RottenApple.app` in another repository and use it for testing.
|
||||
* Add Dyld Closure chapter to Snake&Apple V - Dyld
|
||||
* Move `kext_prelinkinfo`, `dumpPrelink_info` and `dumpPrelink_text` to Snake & Apple chapter about Kernel Extensions when ready.
|
||||
* Add kernelcache parser.
|
||||
* Add `LC_FILESET_ENTRY` method to `dumpKernelExtension`.
|
||||
* Consider moving methods like `removeNullBytesAlignment`, `calcTwoComplement64` etc. to `Utils` class.
|
||||
* Consider moving methods like `removeNullBytesAlignment`, `calcTwoComplement64` etc. to `Utils` class.
|
||||
* Move `--mig` option to Snake & Apple chapter about Mach Kernel when ready.
|
||||
* Make Thread manager class and improve the Threading.thread with tracing methods and `kill()`.
|
||||
|
||||
Reference in New Issue
Block a user