diff --git a/README.md b/README.md index d6ae0a4..e810214 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,10 @@ # Snake & Apple [![alt](img/Snake_Apple.jpg)](https://karol-mazurek.medium.com/snake-apple-ff87a399ecc4?sk=v2%2Fb2295773-88e6-4654-9d3d-61d73b9001e5) -This is the code repository for the "[Snake & Apple](https://karol-mazurek.medium.com/list/snakeapple-50baea541374)" article series, which documents my research on macOS security. The primary tool developed during the creation of the series is called `CrimsonUroboros`. You can find its description, along with instructions for other tools in this repository, in [Tools.md](Tools.md). +This is the code repository for the "[Snake & Apple](https://karol-mazurek.medium.com/list/snakeapple-50baea541374)" article series, which documents my research on macOS security. The primary tool developed during the creation of the series is called `CrimsonUroboros`. You can find its description, along with instructions for other tools in this repository, in [Tools.md](https://github.com/Karmaz95/Snake_Apple/blob/main/TOOLS.md). ## ARTICLES -I have been writing about Apple Security across different platforms for years, compiling them in this repository. Below is a brief explanation of the links you will find: -* I am currently writing on [Patreon](https://www.patreon.com/Karol_Mazurek), where most articles are free to read—no account needed. The same goes for my pieces on the [AFINE blog](https://afine.com/blog/). -* In 2024, I wrote only on [Medium](https://medium.com/@karol-mazurek). Those articles are paywalled, but thanks to [Monethic's](https://monethic.io/) sponsorship, you can find direct links in this repository. No Medium account is required. -* If those links ever break, ping me on [social media](https://github.com/karmaz95#-social-media---contact) or [Patreon](https://www.patreon.com/Karol_Mazurek) for a fresh one. 
If you're feeling generous, the [Patron subscription](https://www.patreon.com/Karol_Mazurek/membership) gets you PDF versions of all the [Medium articles](https://www.patreon.com/Karol_Mazurek/shop/all-medium-articles-121970?source=storefront). -* I'm also working on [exclusive content](https://www.patreon.com/collection/1529482) for Elite Patrons—my "thank-you" to the folks who support me. These are marked with a `*`. It's a kind of self-paced academy for vulnerability researchers. Every month, you get a new guide with technical analyses of real vulnerabilities and methods to find them, along with video demos, custom tools, and practical homework. +I have been writing about Apple Security across different platforms for years, compiling them in this repository. Currently, I am writing on [Patreon](https://www.patreon.com/Karol_Mazurek). All articles are free, except those marked with a `*`, which are [exclusive content](https://www.patreon.com/collection/1529482) for Elite Patrons—my "thank-you" to the folks who support me. + --- Each main article directory contains three subdirectories: * `mac` - source code of macOS for references and copy of presentations. 
@@ -79,6 +76,13 @@ The table of contents showing links to all articles is below: * ☐ [Apple Intelligence]() * ☑ [AI-Enhanced Vulnerability Research](https://www.patreon.com/posts/ai-enhanced-135545364) `*` +## REFERENCES +I have studied tons of resources, crediting other researchers and their contributions at the end of each article I wrote. Thank you all for sharing your hard-earned knowledge for free. You are all awesome! However, two individuals have significantly accelerated my progress, and I want to honor them: + +* **[Jonathan Levin](https://x.com/Morpheus______)** – His [*OS Internals trilogy](https://newosxbook.com/home.html) helped me rapidly learn the beauty of the macOS system. If there is a single resource I would recommend for anybody, it is the masterpiece you wrote. Thank you, Jonathan. + +* **[Patrick Wardle](https://x.com/patrickwardle)** – He created the [OBTS conference](https://objective-see.org/), where many brilliant minds come together to share their research. You've created something to look forward to every year. Thank you, Patrick. + ## PATRONS AFine diff --git a/TOOLS.md b/TOOLS.md index 45fb75a..8afc9cb 100644 --- a/TOOLS.md +++ b/TOOLS.md 
@@ -1,6 +1,6 @@ # TOOLS Here is the list of all tools in this repository: -[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder) • [AMFI_test.sh](VI.%20AMFI/custom/AMFI_test.sh) • [make_plist](VIII.%20Sandbox/python/make_plist.py) • [sandbox_inspector](VIII.%20Sandbox/python/sandbox_inspector.py) • [spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper) • [make_bundle](#make_bundle) • [make_bundle_exe](#make_bundle_exe) • [make_dmg](#make_dmg) • [electron_patcher](#electron_patcher) • [sandbox_validator](#sandbox_validator) • [sandblaster](#sandblaster) • [sip_check](#sip_check) • [crimson_waccess.py](#crimson_waccesspy) • [sip_tester](#sip_tester) • [UUIDFinder](#uuidfinder) +[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder) • [AMFI_test.sh](VI.%20AMFI/custom/AMFI_test.sh) • [make_plist](VIII.%20Sandbox/python/make_plist.py) • [sandbox_inspector](VIII.%20Sandbox/python/sandbox_inspector.py) • [spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper) • [make_bundle](#make_bundle) • [make_bundle_exe](#make_bundle_exe) • [make_dmg](#make_dmg) • [electron_patcher](#electron_patcher) • [sandbox_validator](#sandbox_validator) • [sandblaster](#sandblaster) • [sip_check](#sip_check) • [crimson_waccess.py](#crimson_waccesspy) • [sip_tester](#sip_tester) • [UUIDFinder](#uuidfinder) • [IOVerify](#IOVerify) *** ### [CrimsonUroboros](tests/CrimsonUroboros.py) 
@@ -625,3 +625,49 @@ Notes: - The tool retrieves details such as client, service, and authorization status for each entry in the TCC database. - The `--list_db` option helps users locate all known TCC databases on the system, sourced from `REG.db`. ``` + +### [IOVerify](X.%20NU/custom/drivers/IOVerify.c) +This tool allows for direct interaction with macOS IOKit drivers using IOConnectCallMethod. It was introduced in the article I made for PHRACK - [Mapping IOKit Methods Exposed to User Space on macOS](https://phrack.org/issues/72/9_md#article). +```bash +❯ ./IOVerify -h +Usage: ./IOVerify -n (-m | -y ) [options] +Options: + -n Target driver class name (required). + -t Connection type (default: 0). + -m Method selector ID. + -y Specify method and buffer sizes in one string. + Format: "ID: [IN_SCA, IN_STR, OUT_SCA, OUT_STR]" + Example: -y "0: [0, 96, 0, 96]" + -p Payload as a string. + -f File path for payload. + -b Space-separated hex string payload. + -i Input buffer size (ignored if -y is used). + -o Output buffer size (ignored if -y is used). + -s Scalar input (uint64_t). Can be specified multiple times. + -S Scalar output count (ignored if -y is used). + -h Show this help message. + + +❯ ./IOVerify -n "H11ANEIn" -t 1 -y "0: [0,1,0,1]" +Starting verification for driver: H11ANEIn + +--- [VERIFY] Event Log --- +Driver: H11ANEIn +Connection Type: 1 +Method Selector: 0 +Result: 0xe00002c2 ((iokit/common) invalid argument) + +--- Scalar I/O --- +Scalar In Cnt: 0 +Scalar Out Cnt: 0 + +--- Structure I/O --- +Input Size: 1 bytes +Input Data: +00 + +Output Size: 1 bytes +Output Data: +00 +--- End of Log --- +``` \ No newline at end of file diff --git a/X. NU/custom/drivers/IOVerify.c b/X. NU/custom/drivers/IOVerify.c index 3c66e06..a0e6598 100644 --- a/X. NU/custom/drivers/IOVerify.c +++ b/X. NU/custom/drivers/IOVerify.c 
@@ -3,8 +3,7 @@ * @brief Standalone tool for IOKit driver communication verification. * clang IOVerify.c -o IOVerify -framework IOKit * - * This tool, relevant to your work with IOKit and reverse engineering[5][7], allows for direct - * interaction with macOS IOKit drivers by sending structured data to specific methods. + * This tool allows for direct interaction with macOS IOKit drivers using IOConnectCallMethod. * * Usage: * IOVerify -n (-m | -y ) [options]
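Review bot: in the first README.md hunk, the relative `Tools.md` link is replaced by the absolute `https://github.com/Karmaz95/Snake_Apple/blob/main/TOOLS.md`. The actual problem was filename case (the file is `TOOLS.md`, as the second `diff --git` header shows), so a relative `[Tools.md](TOOLS.md)` fixes it without hard-coding the `main` branch, which breaks the link in forks and on tagged releases. Separately, the removed bullets stated that the 2024 Medium articles are paywalled and that the repository carries direct links plus a contact for refreshing a broken one; the replacement sentence "All articles are free, except those marked with a `*`" no longer tells a reader how to reach those Medium pieces, so consider keeping one sentence about the direct links and the fallback contact.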
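Review bot: in the REFERENCES hunk, the link text `[*OS Internals trilogy]` opens with a literal asterisk, which Markdown can read as an emphasis marker rather than part of the title; escape it as `[\*OS Internals trilogy]` so the book name renders intact. Also visible in this hunk's context line, `☐ [Apple Intelligence]()` has an empty link target and renders as a dead link; it predates this change, but since the hunk touches the table of contents it is a good moment to either fill the target or drop the link syntax until the article exists.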
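Review bot: the new `[IOVerify](#IOVerify)` entry in the TOOLS.md index uses a mixed-case fragment, while every other entry on that line uses the lowercase form (`#uuidfinder`, `#sip_check`) that matches the heading ids GitHub generates. Use `#ioverify` for consistency and so the jump to the new section works reliably.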
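Review bot: the new IOVerify section in TOOLS.md ends with `\ No newline at end of file`, whereas the previous version ended with a newline after the closing fence; add the trailing newline to avoid a noisy diff on the next edit. In the pasted help text, the synopsis `Usage: ./IOVerify -n (-m | -y ) [options]` carries no argument placeholders, so it is not visible that `-n`, `-m` and `-y` take values; the per-option lines have the same shape (`-n Target driver class name (required).`). Writing the synopsis as, for example, `-n CLASS (-m ID | -y SPEC) [options]` and the option lines as `-n CLASS`, `-m ID`, `-y SPEC` would make that explicit. Finally, the sample run reports `Result: 0xe00002c2 ((iokit/common) invalid argument)`, which is kIOReturnBadArgument; one sentence on how to read a non-zero result (the call reached the driver but the selector or buffer sizes were rejected) would help readers interpret the event log, since interpreting that log is the point of the tool.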
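Review bot: the removed comment line in IOVerify.c, "relevant to your work with IOKit and reverse engineering[5][7]", reads like an assistant-generated sentence with dangling citation markers, so replacing it with the plain one-liner is the right fix; it is worth grepping the rest of the file for similar leftovers. The `Usage:` synopsis two lines below, `IOVerify -n (-m | -y ) [options]`, has the same missing argument placeholders as the help text pasted into TOOLS.md and should be updated in the same way so the header comment and the `-h` output agree.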