From b09efb266fb50a6e2b7f32c728a2c56e5eab6593 Mon Sep 17 00:00:00 2001 From: Karmaz95 Date: Thu, 19 Sep 2024 16:57:19 +0200 Subject: [PATCH] Snake VIII update --- Article_tags.md | 7 +++++-- README.md | 6 ++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/Article_tags.md b/Article_tags.md index 45d7149..f3e73f4 100644 --- a/Article_tags.md +++ b/Article_tags.md @@ -376,9 +376,12 @@ ___ * Eicar test * Malware creator test ___ +#### ☑ [Apple Gatekeeper Bypass](https://karol-mazurek.medium.com/apple-gatekeeper-bypass-4315bbb33018?sk=v2%2F3c20fa28-1a3d-4bd0-9a25-79646f60c44f) +USB flash drive bypass | Network Shares bypass +___ -### [VIII. Sandbox]() -com.apple.security.app-sandbox | Sandbox Operations | Sandbox Profiles | SBPL | /System/Library/Sandbox/Profiles/application.sb | SandboxProfileData | libsystem_sandbox.dylib | libsystem_sandbox.dylib | AppSandbox.framework | sandboxd | containermanagerd | sandbox_init | .com.apple.containermanagerd.metadata.plist | SandboxProfileDataValidationInfo +### [VIII. Sandbox](https://karol-mazurek.medium.com/snake-apple-viii-app-sandbox-5aff081f07d5?sk=v2%2F5b65151b-d1f3-4f18-93da-4ad9aeacadb7) +com.apple.security.app-sandbox | Sandbox Operations | Sandbox Profiles | SBPL | /System/Library/Sandbox/Profiles/application.sb | SandboxProfileData | libsystem_sandbox.dylib | libsystem_sandbox.dylib | AppSandbox.framework | sandboxd | containermanagerd | sandbox_init | .com.apple.containermanagerd.metadata.plist | SandboxProfileDataValidationInfo | com.apple.MobileInstallation.ContentProtectionClass | com.apple.security.sandbox | AppleSystemPolicy.kext | CVE-2021–30853 | AppSandbox Framework | ___ #### [SBPL Compilator](https://karol-mazurek.medium.com/sbpl-compilator-c05f5304d057?sk=v2%2F4ae3bf90-ff12-4fea-b0fc-0f2ef60d7b93) .com.apple.containermanagerd.metadata.plist | SandboxProfileData | /System/Library/Sandbox/Profiles/ | sandbox_compile_file | com.apple.security.get-task-allow | sandbox-exec | Sandbox.kext 
diff --git a/README.md b/README.md index bd80120..0d8d213 100644 --- a/README.md +++ b/README.md @@ -34,11 +34,12 @@ The table of contents showing links to all articles is below: * ☑ [Unexpected but expected behavior](https://karol-mazurek.medium.com/unexpected-but-expected-behavior-bf281cc21ee2?sk=v2%2Fda20f402-b7fa-4bb1-a160-83e758cdd513) * ☑ [VII. Antivirus](https://karol-mazurek.medium.com/snake-apple-vii-antivirus-0a57acc10185?sk=v2%2F2c46d7ac-4435-41e6-bbda-2acb4eb78c76) * ☑ [Apple Gatekeeper Bypass](https://karol-mazurek.medium.com/apple-gatekeeper-bypass-4315bbb33018?sk=v2%2F3c20fa28-1a3d-4bd0-9a25-79646f60c44f) -* ☐ [VIII. Sandbox]() +* ☐ [VIII. Sandbox](https://karol-mazurek.medium.com/snake-apple-viii-app-sandbox-5aff081f07d5?sk=v2%2F5b65151b-d1f3-4f18-93da-4ad9aeacadb7) * ☑ [SBPL Compilator](https://karol-mazurek.medium.com/sbpl-compilator-c05f5304d057?sk=v2%2F4ae3bf90-ff12-4fea-b0fc-0f2ef60d7b93) * ☑ [Sandbox Detector](https://karol-mazurek.medium.com/sandbox-detector-4268ab3cd361?sk=v2%2F58fe49fb-1381-4db3-9db9-3f6309e4053a) * ☑ [Sandbox Validator](https://karol-mazurek.medium.com/sandbox-validator-e760e5d88617?sk=v2%2F145ac2ef-ca06-41a0-b310-c96f4ce0037b) * ☑ [App Sandbox startup](https://karol-mazurek.medium.com/app-sandbox-startup-71daf8f259d1?sk=v2%2F9f3b09a6-c7c0-445d-8613-8e25bf3f4e4d) + * ☐ [System Intigrity Protection]() * ☐ [IX. TCC]() * ☐ [X. NU]() * ☑ [Kernel Debugging Setup on MacOS](https://karol-mazurek.medium.com/kernel-debugging-setup-on-macos-07dd8c86cdb6?sk=v2%2F782bf539-a057-4f14-bbe7-f8e1ace26701) 
@@ -566,4 +567,5 @@ Each Snake class will be a child of the previous one and infinitely "eat itself" * Consider moving methods like `removeNullBytesAlignment`, `calcTwoComplement64` etc. to `Utils` class. * Move `--mig` option to Snake & Apple chapter about Mach Kernel when ready. * Make Thread manager class and improve the Threading.thread with tracing methods and `kill()`. -* Reconsider moving --xattr like args to another Snake class related to filesystem. \ No newline at end of file +* Reconsider moving --xattr like args to another Snake class related to filesystem. +* Consider adding second option to dump Sandbox Operations based on this [Csaba Fitzl comment](https://x.com/theevilbit/status/1828773101041221755). \ No newline at end of file
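Review bot: In the Article_tags.md hunk, the new `### [VIII. Sandbox]` tag line ends with a dangling ` | ` after `AppSandbox Framework`, and it still carries `libsystem_sandbox.dylib | libsystem_sandbox.dylib` twice; since this line is being rewritten anyway, drop the trailing separator and the duplicate. The added `CVE-2021–30853` uses an en dash rather than the ASCII hyphen of the CVE identifier format, which will defeat plain-text search for the CVE; change it to `CVE-2021-30853`. The new `#### ☑ [Apple Gatekeeper Bypass]` heading also carries a checkbox glyph that the sibling `#### [SBPL Compilator]` heading in the same file does not, so the heading convention should be made consistent in one direction or the other.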
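Review bot: In the README.md `@@ -34,11 +34,12 @@` hunk, the `* ☐ [VIII. Sandbox]` entry is given its published URL but keeps the unchecked `☐`, while every other entry with a link in this list uses `☑`; either flip it to `☑` or clarify what the checkbox means apart from "link present". The added ` * ☐ [System Intigrity Protection]()` line has two problems visible in the hunk: a typo in the title (`Integrity`), and a leading space before the `*` that the neighbouring `* ☐ [IX. TCC]()` line does not have, which Markdown renderers may treat as a differently indented list item.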
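Review bot: In the README.md `@@ -566,4 +567,5 @@` hunk, the file still ends without a trailing newline (`\ No newline at end of file` on both sides), which is why the unchanged `--xattr` bullet had to be removed and re-added just to append a line; ending the file with a newline now would avoid the same two-line churn on every future append to this TODO list. Minor wording on the added bullet: "Consider adding a second option".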