mirror of
https://github.com/Karmaz95/Snake_Apple.git
synced 2026-03-30 14:00:16 +02:00
Description update.
16
README.md
@@ -1,13 +1,10 @@
# Snake & Apple
[](https://karol-mazurek.medium.com/snake-apple-ff87a399ecc4?sk=v2%2Fb2295773-88e6-4654-9d3d-61d73b9001e5)
This is the code repository for the "[Snake & Apple](https://karol-mazurek.medium.com/list/snakeapple-50baea541374)" article series, which documents my research on macOS security. The primary tool developed during the creation of the series is called `CrimsonUroboros`. You can find its description, along with instructions for other tools in this repository, in [Tools.md](Tools.md).
This is the code repository for the "[Snake & Apple](https://karol-mazurek.medium.com/list/snakeapple-50baea541374)" article series, which documents my research on macOS security. The primary tool developed during the creation of the series is called `CrimsonUroboros`. You can find its description, along with instructions for other tools in this repository, in [Tools.md](https://github.com/Karmaz95/Snake_Apple/blob/main/TOOLS.md).
## ARTICLES
I have been writing about Apple Security across different platforms for years, compiling them in this repository. Below is a brief explanation of the links you will find:
* I am currently writing on [Patreon](https://www.patreon.com/Karol_Mazurek), where most articles are free to read—no account needed. The same goes for my pieces on the [AFINE blog](https://afine.com/blog/).
* In 2024, I wrote only on [Medium](https://medium.com/@karol-mazurek). Those articles are paywalled, but thanks to [Monethic's](https://monethic.io/) sponsorship, you can find direct links in this repository. No Medium account is required.
* If those links ever break, ping me on [social media](https://github.com/karmaz95#-social-media---contact) or [Patreon](https://www.patreon.com/Karol_Mazurek) for a fresh one. If you're feeling generous, the [Patron subscription](https://www.patreon.com/Karol_Mazurek/membership) gets you PDF versions of all the [Medium articles](https://www.patreon.com/Karol_Mazurek/shop/all-medium-articles-121970?source=storefront).
* I'm also working on [exclusive content](https://www.patreon.com/collection/1529482) for Elite Patrons—my "thank-you" to the folks who support me. These are marked with a `*`. It's a kind of self-paced academy for vulnerability researchers. Every month, you get a new guide with technical analyses of real vulnerabilities and methods to find them, along with video demos, custom tools, and practical homework.
I have been writing about Apple Security across different platforms for years, compiling them in this repository. Currently, I am writing on [Patreon](https://www.patreon.com/Karol_Mazurek). All articles are free, except those marked with a `*`, which are [exclusive content](https://www.patreon.com/collection/1529482) for Elite Patrons—my "thank-you" to the folks who support me.
---
Each main article directory contains three subdirectories:
* `mac` - source code of macOS for references and copy of presentations.
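Review bot: the link fix at the top of this hunk trades one problem for another. The old relative target `Tools.md` did not match the file's real name `TOOLS.md` (a case mismatch, which is why it 404s on case-sensitive hosting), but the replacement `https://github.com/Karmaz95/Snake_Apple/blob/main/TOOLS.md` hard-codes the repository and the `main` branch, so it breaks in forks and on any other branch; a relative `[Tools.md](TOOLS.md)` fixes the case without pinning either. Separately, the collapsed ARTICLES paragraph now states "All articles are free, except those marked with a `*`", while the removed bullets said the 2024 Medium articles are paywalled and explained where to get fresh sponsored links; if the table of contents still carries those Medium links, either keep that bullet or qualify the sentence.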
@@ -79,6 +76,13 @@ The table of contents showing links to all articles is below:
* ☐ [Apple Intelligence]()
* ☑ [AI-Enhanced Vulnerability Research](https://www.patreon.com/posts/ai-enhanced-135545364) `*`
## REFERENCES
I have studied tons of resources, crediting other researchers and their contributions at the end of each article I wrote. Thank you all for sharing your hard-earned knowledge for free. You are all awesome! However, two individuals have significantly accelerated my progress, and I want to honor them:
* **[Jonathan Levin](https://x.com/Morpheus______)** – His [*OS Internals trilogy](https://newosxbook.com/home.html) helped me rapidly learn the beauty of the macOS system. If there is a single resource I would recommend for anybody, it is the masterpiece you wrote. Thank you, Jonathan.
* **[Patrick Wardle](https://x.com/patrickwardle)** – He created the [OBTS conference](https://objective-see.org/), where many brilliant minds come together to share their research. You've created something to look forward to every year. Thank you, Patrick.
## PATRONS
<a href="https://afine.com/">
<img src="./img/afine_banner.png" alt="AFine" width="200" height="100">
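Review bot: `[Apple Intelligence]()` on the first line of this hunk has an empty link target, so it renders as a link to nothing; either point it at the article or drop the brackets until one exists. The `<a href="https://afine.com/">` that opens the PATRONS banner is not closed anywhere inside this hunk; make sure a `</a>` follows the `<img>`, otherwise everything rendered after it becomes part of the link.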
48
TOOLS.md
@@ -1,6 +1,6 @@
# TOOLS
Here is the list of all tools in this repository:
[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder) • [AMFI_test.sh](VI.%20AMFI/custom/AMFI_test.sh) • [make_plist](VIII.%20Sandbox/python/make_plist.py) • [sandbox_inspector](VIII.%20Sandbox/python/sandbox_inspector.py) • [spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper) • [make_bundle](#make_bundle) • [make_bundle_exe](#make_bundle_exe) • [make_dmg](#make_dmg) • [electron_patcher](#electron_patcher) • [sandbox_validator](#sandbox_validator) • [sandblaster](#sandblaster) • [sip_check](#sip_check) • [crimson_waccess.py](#crimson_waccesspy) • [sip_tester](#sip_tester) • [UUIDFinder](#uuidfinder)
[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder) • [AMFI_test.sh](VI.%20AMFI/custom/AMFI_test.sh) • [make_plist](VIII.%20Sandbox/python/make_plist.py) • [sandbox_inspector](VIII.%20Sandbox/python/sandbox_inspector.py) • [spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper) • [make_bundle](#make_bundle) • [make_bundle_exe](#make_bundle_exe) • [make_dmg](#make_dmg) • [electron_patcher](#electron_patcher) • [sandbox_validator](#sandbox_validator) • [sandblaster](#sandblaster) • [sip_check](#sip_check) • [crimson_waccess.py](#crimson_waccesspy) • [sip_tester](#sip_tester) • [UUIDFinder](#uuidfinder) • [IOVerify](#IOVerify)
***
### [CrimsonUroboros](tests/CrimsonUroboros.py)
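Review bot: the new entry `[IOVerify](#IOVerify)` is the only anchor in this index with capital letters; every other entry uses the lowercase slug GitHub generates for headings (`#uuidfinder`, `#sip_check`), so use `#ioverify` to match the `### [IOVerify]` heading this commit adds further down. While touching this line, the existing `[spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper)` has a typo in the label (`spblp` versus the path's `sbpl`).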
@@ -625,3 +625,49 @@ Notes:
- The tool retrieves details such as client, service, and authorization status for each entry in the TCC database.
- The `--list_db` option helps users locate all known TCC databases on the system, sourced from `REG.db`.
```
### [IOVerify](X.%20NU/custom/drivers/IOVerify.c)
This tool allows for direct interaction with macOS IOKit drivers using IOConnectCallMethod. It was introduced in the article I made for PHRACK - [Mapping IOKit Methods Exposed to User Space on macOS](https://phrack.org/issues/72/9_md#article).
```bash
❯ ./IOVerify -h
Usage: ./IOVerify -n <name> (-m <method> | -y <spec>) [options]
Options:
-n <name> Target driver class name (required).
-t <type> Connection type (default: 0).
-m <id> Method selector ID.
-y <spec> Specify method and buffer sizes in one string.
Format: "ID: [IN_SCA, IN_STR, OUT_SCA, OUT_STR]"
Example: -y "0: [0, 96, 0, 96]"
-p <string> Payload as a string.
-f <file> File path for payload.
-b <hex_str> Space-separated hex string payload.
-i <size> Input buffer size (ignored if -y is used).
-o <size> Output buffer size (ignored if -y is used).
-s <value> Scalar input (uint64_t). Can be specified multiple times.
-S <count> Scalar output count (ignored if -y is used).
-h Show this help message.
❯ ./IOVerify -n "H11ANEIn" -t 1 -y "0: [0,1,0,1]"
Starting verification for driver: H11ANEIn
--- [VERIFY] Event Log ---
Driver: H11ANEIn
Connection Type: 1
Method Selector: 0
Result: 0xe00002c2 ((iokit/common) invalid argument)
--- Scalar I/O ---
Scalar In Cnt: 0
Scalar Out Cnt: 0
--- Structure I/O ---
Input Size: 1 bytes
Input Data:
00
Output Size: 1 bytes
Output Data:
00
--- End of Log ---
```
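Review bot: this section shows how to run IOVerify but not how to build it; the one-liner that lives in the source header, `clang IOVerify.c -o IOVerify -framework IOKit`, belongs here next to the usage block. The sample run also ends in `Result: 0xe00002c2 ((iokit/common) invalid argument)` with no comment; one sentence saying that the `Result` line is the raw return code of the `IOConnectCallMethod` call and that a non-zero value is information about the selector, not a tool failure, would stop readers from treating the example as broken. Minor: the `-y` help text gives the spec as `"0: [0, 96, 0, 96]"` with spaces while the example run passes `"0: [0,1,0,1]"`; say that both forms are accepted if that is the case.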
@@ -3,8 +3,7 @@
* @brief Standalone tool for IOKit driver communication verification.
* clang IOVerify.c -o IOVerify -framework IOKit
*
* This tool, relevant to your work with IOKit and reverse engineering[5][7], allows for direct
* interaction with macOS IOKit drivers by sending structured data to specific methods.
* This tool allows for direct interaction with macOS IOKit drivers using IOConnectCallMethod.
*
* Usage:
* IOVerify -n <name> (-m <method> | -y <spec>) [options]
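Review bot: dropping the removed two-line sentence is right; its `[5][7]` markers and "your work with IOKit" read like pasted generated text rather than a file header. Two small things remain in the kept lines: the build command `clang IOVerify.c -o IOVerify -framework IOKit` sits unlabelled between `@brief` and the description, so prefix it with `Build:` the way the synopsis is prefixed with `Usage:`; and the synopsis `IOVerify -n <name> (-m <method> | -y <spec>) [options]` should read `-m <id>` so it matches the `-h` output documented in TOOLS.md (`-m <id>  Method selector ID.`).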