From 7fbc231ed69a9833915aded0a0fdde9b7d399024 Mon Sep 17 00:00:00 2001 From: Karmaz95 Date: Sat, 20 Jul 2024 14:07:01 +0200 Subject: [PATCH] Updating tools section. --- README.md | 102 +++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 86 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index c776ab0..e87c8b3 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ The table of contents showing links to all articles are shown below: ## TOOLS -[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder) • [AMFI_test.sh](VI.%20AMFI/custom/AMFI_test.sh) • [make_plist](VIII.%20Sandbox/python/make_plist.py) • [sandbox_inspector](VIII.%20Sandbox/python/sandbox_inspector.py) • [spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper) +[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder) • [AMFI_test.sh](VI.%20AMFI/custom/AMFI_test.sh) • [make_plist](VIII.%20Sandbox/python/make_plist.py) • [sandbox_inspector](VIII.%20Sandbox/python/sandbox_inspector.py) • [spblp_compiler_wrapper](VIII.%20Sandbox/custom/sbpl_compiler_wrapper) • [make_bundle](#make_bundle) • [make_bundle_exe](#make_bundle_exe) • [make_dmg](#make_dmg) • [electron_patcher](#electron_patcher) *** ### [CrimsonUroboros](tests/CrimsonUroboros.py) 
@@ -48,9 +48,10 @@ The table of contents showing links to all articles are shown below: Core program resulting from the Snake&Apple article series for binary analysis. You may find older versions of this script in each article directory in this repository. * Usage ```console -usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian] - [--header] [--load_commands] [--has_cmd LC_MAIN] - [--segments] [--has_segment __SEGMENT] [--sections] +usage: CrimsonUroboros [-h] [-p PATH] [-b BUNDLE] [--file_type] + [--header_flags] [--endian] [--header] + [--load_commands] [--has_cmd LC_MAIN] [--segments] + [--has_segment __SEGMENT] [--sections] [--has_section __SEGMENT,__section] [--symbols] [--imports] [--exports] [--imported_symbols] [--chained_fixups] [--exports_trie] [--uuid] [--main] 
@@ -59,18 +60,22 @@ usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian] [--save_strings all_strings.txt] [--info] [--dump_data [offset,size,output_path]] [--calc_offset vm_offset] [--constructors] - [--verify_signature] [--cd_info] [--cd_requirements] - [--entitlements [human|xml|var]] + [--dump_section __SEGMENT,__section] + [--bundle_structure] [--bundle_info] + [--bundle_info_syntax_check] [--bundle_frameworks] + [--bundle_plugins] [--verify_signature] [--cd_info] + [--cd_requirements] [--entitlements [human|xml|var]] [--extract_cms cms_signature.der] [--extract_certificates certificate_name] [--remove_sig unsigned_binary] [--sign_binary [adhoc|identity]] [--cs_offset] - [--cs_flags] [--has_pie] [--has_arc] [--is_stripped] - [--has_canary] [--has_nx_stack] [--has_nx_heap] - [--has_xn] [--is_notarized] [--is_encrypted] - [--is_restricted] [--is_hr] [--is_as] [--is_fort] - [--has_rpath] [--has_lv] [--checksec] [--dylibs] - [--rpaths] [--rpaths_u] [--dylibs_paths] + [--cs_flags] [--verify_bundle_signature] + [--remove_sig_from_bundle] [--has_pie] [--has_arc] + [--is_stripped] [--has_canary] [--has_nx_stack] + [--has_nx_heap] [--has_xn] [--is_notarized] + [--is_encrypted] [--is_restricted] [--is_hr] [--is_as] + [--is_fort] [--has_rpath] [--has_lv] [--checksec] + [--dylibs] [--rpaths] [--rpaths_u] [--dylibs_paths] [--dylibs_paths_u] [--broken_relative_paths] [--dylibtree [cache_path,output_path,is_extracted]] [--dylib_id] [--reexport_paths] [--hijack_sec] 
@@ -88,13 +93,22 @@ usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian] [--kext_exit kext_name] [--mig] [--has_suid] [--has_sgid] [--has_sticky] [--injectable_dyld] [--test_insert_dylib] [--test_prune_dyld] - [--test_dyld_print_to_file] + [--test_dyld_print_to_file] [--test_dyld_SLC] [--xattr] + [--xattr_value xattr_name] [--xattr_all] + [--has_quarantine] [--remove_quarantine] + [--add_quarantine] Mach-O files parser for binary analysis options: -h, --help show this help message and exit + +GENERAL ARGS: -p PATH, --path PATH Path to the Mach-O file + -b BUNDLE, --bundle BUNDLE + Path to the App Bundle (can be used with -p to change + path of binary which is by default set to: + /target.app/Contents/MacOS/target) MACH-O ARGS: --file_type Print binary file type @@ -136,6 +150,16 @@ MACH-O ARGS: Calculate the real address (file on disk) of the given Virtual Memory {vm_offset} (e.g. 0xfffffe000748f580) --constructors Print binary constructors + --dump_section __SEGMENT,__section + Dump '__SEGMENT,__section' to standard output as a raw + bytes + --bundle_structure Print the structure of the app bundle + --bundle_info Print the Info.plist content of the app bundle (JSON + format) + --bundle_info_syntax_check + Check if bundle info syntax is valid + --bundle_frameworks Print the list of frameworks in the bundle + --bundle_plugins Print the list of plugins in the bundle CODE SIGNING ARGS: --verify_signature Code Signature verification (if the contents of the @@ -161,6 +185,11 @@ CODE SIGNING ARGS: (default: adhoc) --cs_offset Print Code Signature file offset --cs_flags Print Code Signature flags + --verify_bundle_signature + Code Signature verification (if the contents of the + bundle have been modified) + --remove_sig_from_bundle + Remove Code Signature from the bundle CHECKSEC ARGS: --has_pie Check if Position-Independent Executable (PIE) is set 
@@ -264,7 +293,8 @@ AMFI ARGS: from Kernel Cache --kext_entry kext_name Calculate the virtual memory address of the __start - (entrpoint) for the given {kext_name} Kernel Extension + (entrypoint) for the given {kext_name} Kernel + Extension --kext_exit kext_name Calculate the virtual memory address of the __stop (exitpoint) for the given {kext_name} Kernel Extension @@ -281,9 +311,23 @@ AMFI ARGS: DYLD_PRINT_INITIALIZERS=1) (INVASIVE - the binary is executed) --test_dyld_print_to_file - Check if YLD_PRINT_TO_FILE Dyld Environment Variables + Check if DYLD_PRINT_TO_FILE Dyld Environment Variables works (INVASIVE - the binary is executed) + --test_dyld_SLC Check if DYLD_SHARED_REGION=private Dyld Environment + Variables works and code can be injected using + DYLD_SHARED_CACHE_DIR (INVASIVE - the binary is + executed) +ANTIVIRUS ARGS: + --xattr Print all extended attributes names + --xattr_value xattr_name + Print single extended attribute value + --xattr_all Print all extended attributes names and their values + --has_quarantine Check if the file has quarantine extended attribute + --remove_quarantine Remove com.apple.quarantine extended attribute from + the file + --add_quarantine Add com.apple.quarantine extended attribute to the + file ``` * Example: ```bash 
@@ -430,7 +474,33 @@ Simple script for calculating `amfiFlags` (described [here](https://karol-mazure ```console python3 check_amfi.py 0x1df ``` - +*** +### [make_bundle](App%20Bundle%20Extension/custom/make_bundle.sh) +Build a codeless bundle with a red icon. +* Usage: +```console +./make_bundle.sh +``` +*** +### [make_bundle_exe](App%20Bundle%20Extension/custom/make_bundle_exe.sh) +Bash template for building a PoC app bundle with Mach-O binary that utilizes Framework: +* Usage: +```console +./make_bundle_exe.sh +``` +*** +### [make_dmg](App%20Bundle%20Extension/custom/make_dmg.sh) +Script for packing the app in a compressed DMG container: +* Usage (change names in the script): +```console +./make_dmg.sh +``` +### [electron_patcher](App%20Bundle%20Extension/custom/electron_patcher.py) +Pytthon script for extracting ASAR files from Electron apps and patching them with a custom ASAR file. +``` +python3 electron_patcher.py extract app_bundle.app extracted_asar +python3 electron_patcher.py pack extracted_asar app_bundle.app +``` ## INSTALL ```
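Review bot: the rewritten TOOLS line in the first hunk (`@@ -40,7`) still carries the misspelled link text `spblp_compiler_wrapper` while its target path is `VIII.%20Sandbox/custom/sbpl_compiler_wrapper`; since the whole line is being replaced anyway, rename the link text to `sbpl_compiler_wrapper`. The four new anchors (`#make_bundle`, `#make_bundle_exe`, `#make_dmg`, `#electron_patcher`) match the headings added in the last hunk, so they should resolve.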
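Review bot: the usage line in the `@@ -48,9` hunk now marks `-p PATH` as optional (`[-p PATH] [-b BUNDLE]`) where it was previously required, but nothing in the README says whether at least one of `-p`/`-b` must be given or what the tool does when neither is. One sentence under GENERAL ARGS (or a `-b` invocation in the Example block) stating that requirement would save users a failed first run.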
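Review bot: the `-b BUNDLE` help text added in the `@@ -88,13` hunk reads awkwardly and splits the default path across a colon mid-sentence: `Path to the App Bundle (can be used with -p to change` / `path of binary which is by default set to:` / `/target.app/Contents/MacOS/target)`. `/target.app/Contents/MacOS/target` reads as a literal path; if `target` stands for the bundle name, say so, e.g. `Path to the app bundle; combine with -p to override the binary path (default: <bundle>/Contents/MacOS/<bundle name>)`.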
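Review bot: grammar in the `--dump_section` help in the `@@ -136,6` hunk: `Dump '__SEGMENT,__section' to standard output as a raw` / `bytes` should read `as raw bytes`. In the same hunk, `--bundle_info_syntax_check` says only `Check if bundle info syntax is valid`; since the neighbouring `--bundle_info` names the file, `Check whether the bundle's Info.plist is syntactically valid` tells the reader what is actually parsed.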
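Review bot: `--remove_sig_from_bundle` in the `@@ -161,6` hunk takes no output argument, unlike the existing `--remove_sig unsigned_binary` which writes to a separate path, so its help `Remove Code Signature from the bundle` should state whether the bundle is modified in place. The README already marks options with side effects using `(INVASIVE - ...)`; the same marker fits here.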
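Review bot: subject-verb agreement in the new `--test_dyld_SLC` help in the `@@ -281,9` hunk (`Dyld Environment` / `Variables works`) should be `Variable works`; the same slip survives in the `--test_dyld_print_to_file` entry just above it, which this hunk already touches for the `YLD_` to `DYLD_` fix, so both can be corrected together. `--remove_quarantine` and `--add_quarantine` change the target file's extended attributes, so they merit the same `(INVASIVE ...)` marker the dyld tests carry. Minor: `--test_dyld_SLC` is the only flag in the option set with uppercase letters; `--test_dyld_slc` would match the rest.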
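Review bot: typo `Pytthon` in the electron_patcher description in the `@@ -430,7` hunk, and that subsection is the only one whose usage fence is untagged (plain ``` instead of ```console) and the only one without a `* Usage:` bullet and a leading `***` separator, so it renders differently from make_bundle, make_bundle_exe and make_dmg. The make_bundle_exe line `Bash template for building a PoC app bundle with Mach-O binary that utilizes Framework:` needs articles (`a Mach-O binary that uses a framework`), and the trailing colons on the make_bundle_exe and make_dmg descriptions sit oddly before the `* Usage` bullet; the other tool descriptions end with a full stop.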