diff --git a/X. NU/python/CrimsonUroboros.py b/X. NU/python/CrimsonUroboros.py index cb322c6..d8b4750 100755 --- a/X. NU/python/CrimsonUroboros.py +++ b/X. NU/python/CrimsonUroboros.py @@ -2607,9 +2607,6 @@ class SandboxProcessor: if args.sandbox_profile_data: # Print the sandbox profile data snake_instance.printSandboxProfileData() - if args.dump_kext: # Dump the kernel extension binary from the kernelcache.decompressed file - snake_instance.dumpKernelExtensionBinary(args.dump_kext) - if args.extract_sandbox_operations: # Extract sandbox operations from the kernelcache.decompressed file snake_instance.printSandboxOperations() @@ -2818,11 +2815,6 @@ class SnakeVIII(SnakeVII): else: print("No SandboxProfileData found for the given App Bundle.") - def dumpKernelExtensionBinary(self, kext_name): - ''' Dump the kernel extension binary from the kernelcache.decompressed file. - For now it is only wrapper arround ipsw''' - os.system(f"ipsw kernel extract {self.file_path} {kext_name} --output .") - def extractSandboxOperations(self): ''' Extract sandbox operations from the Sandbox.kext file. ''' all_strings = self.getStringSection() @@ -3179,6 +3171,9 @@ class XNUProcessor: if args.mig: # Search for MIG subsystem and prints message handlers snake_instance.printMIG() + if args.dump_kext: # Dump the kernel extension binary from the kernelcache.decompressed file + snake_instance.dumpKernelExtensionBinary(args.dump_kext) + class SnakeX(SnakeIX): def __init__(self, binaries, file_path): super().__init__(binaries, file_path) @@ -3490,6 +3485,11 @@ class SnakeX(SnakeIX): for message, details in messages.items(): print(f"- {message}: {hex(details['impl_routine'])}") + def dumpKernelExtensionBinary(self, kext_name): + ''' Dump the kernel extension binary from the kernelcache.decompressed file. + For now it is only wrapper arround ipsw''' + os.system(f"ipsw kernel extract {self.file_path} {kext_name} --output .") + ### --- ARGUMENT PARSER --- ### class ArgumentParser: def __init__(self): @@ -3644,7 +3644,6 @@ class ArgumentParser: sandbox_group.add_argument('--sandbox_system_profiles', action='store_true', help="Print the system profile from the sandbox container metadata in JSON format") sandbox_group.add_argument('--sandbox_content_protection', action='store_true', help="Print the content protection from the sandbox container metadata") sandbox_group.add_argument('--sandbox_profile_data', action='store_true', help="Print raw bytes ofthe sandbox profile data from the sandbox container metadata") - sandbox_group.add_argument('--dump_kext', help="Dump the kernel extension binary from the kernelcache.decompressed file", metavar='kext_name') sandbox_group.add_argument('--extract_sandbox_operations', action='store_true', help="Extract sandbox operations from the Sandbox.kext file") sandbox_group.add_argument('--extract_sandbox_platform_profile', action='store_true', help="Extract sandbox platform profile from the Sandbox.kext file") @@ -3678,6 +3677,7 @@ class ArgumentParser: xnu_group.add_argument('--kext_entry', metavar='kext_name', help="Calculate the virtual memory address of the __start (entrypoint) for the given {kext_name} Kernel Extension") xnu_group.add_argument('--kext_exit', metavar='kext_name', help="Calculate the virtual memory address of the __stop (exitpoint) for the given {kext_name} Kernel Extension") xnu_group.add_argument('--mig', action='store_true', help="Search for MIG subsystem and prints message handlers") + xnu_group.add_argument('--dump_kext', help="Dump the kernel extension binary from the kernelcache.decompressed file", metavar='kext_name') def parseArgs(self): args = self.parser.parse_args() diff --git a/tests/test_CrimsonUroboros.py b/tests/test_CrimsonUroboros.py index ca8709b..a9d1037 100644 --- a/tests/test_CrimsonUroboros.py +++ b/tests/test_CrimsonUroboros.py @@ -2385,23 +2385,6 @@ class TestSnakeVIII(): assert expected_output not in uroboros_output - def test_dump_kext(self): - '''Test the --dump_kext flag of SnakeVIII.''' - args_list = ['-p', self.kernelcache_path, '--dump_kext', 'sandbox'] - args = argumentWrapper(args_list) - snake_hatchery = SnakeHatchery(args, snake_class) - snake_hatchery.hatch() - - def code_block(): - macho_processor = MachOProcessor() - macho_processor.process(args) - sandbox_processor = SandboxProcessor() - sandbox_processor.process(args) - - executeCodeBlock(code_block) - assert os.path.exists("sandbox") - os.remove("sandbox") - def test_extract_sandbox_operations(self): '''Test the --extract_sandbox_operations flag of SnakeVIII.''' a = run_and_get_stdout(f'python3 CrimsonUroboros.py -p {self.kernelcache_path} --dump_kext sandbox') @@ -2665,7 +2648,7 @@ class TestSnakeIX: uroboros_output = executeCodeBlock(code_block) assert 'iCloud Access: False' in uroboros_output -class TestSnakeX(): +class TestSnakeX: '''Testing X. XNU''' @classmethod def setup_class(cls): @@ -2840,3 +2823,20 @@ class TestSnakeX(): assert expected_output_7 in uroboros_output assert expected_output_8 in uroboros_output assert expected_output_9 in uroboros_output + + def test_dump_kext(self): + '''Test the --dump_kext flag of SnakeX.''' + args_list = ['-p', self.kernelcache_path, '--dump_kext', 'sandbox'] + args = argumentWrapper(args_list) + snake_hatchery = SnakeHatchery(args, snake_class) + snake_hatchery.hatch() + + def code_block(): + macho_processor = MachOProcessor() + macho_processor.process(args) + xnu_processor = XNUProcessor() + xnu_processor.process(args) + + executeCodeBlock(code_block) + assert os.path.exists("sandbox") + os.remove("sandbox")