2026-03-30 14:00:16 +02:00 · 2024-06-19 19:38:51 +02:00
parent a7ab18bcb7
commit d9ecb027d0
2 changed files with 122 additions and 0 deletions
--- a/Antivirus/mac/_spawn_via_launchd.c
+++ b/Antivirus/mac/_spawn_via_launchd.c
@@ -0,0 +1,32 @@
+__int64 __fastcall _spawn_via_launchd(const char *a1, __int64 a2, __int64 a3)
+{
+  xpc_object_t v4; // x20
+  int v5; // w19
+  int64_t int64; // x19
+  __int64 v8; // x0
+  xpc_object_t v9; // [xsp+8h] [xbp-18h] BYREF
+
+  if ( a3 )
+  {
+    v8 = _xpc_asprintf("_spawn_via_launchd() no longer supports spawn_via_launchd_attr");
+    _xpc_api_misuse(v8);
+  }
+  v4 = xpc_dictionary_create(0LL, 0LL, 0LL);
+  xpc_dictionary_set_uint64(v4, "type", 7uLL);
+  xpc_dictionary_set_uint64(v4, "handle", 0LL);
+  xpc_dictionary_set_string(v4, "label", a1);
+  v9 = 0LL;
+  v5 = _xpc_domain_routine(817LL, v4, &v9);
+  xpc_release(v4);
+  if ( v5 )
+  {
+    *j____error() = v5;
+    return 0xFFFFFFFFLL;
+  }
+  else
+  {
+    int64 = xpc_dictionary_get_int64(v9, "pid");
+    xpc_release(v9);
+  }
+  return int64;
+}
--- a/Antivirus/mac/apply_exec_quarantine.c
+++ b/Antivirus/mac/apply_exec_quarantine.c
@@ -0,0 +1,90 @@
+intptr_t __fastcall apply_exec_quarantine(__int64 a1, struct vnode *a2)
+{
+  int flags; // w0
+  int v5; // w8
+  intptr_t result; // x0
+  struct mount *v7; // x0
+  char v8; // w8
+  struct label *v9; // x16
+  intptr_t v10; // x20
+  int v11; // w21
+  const char *v12; // x0
+  const char *v13; // x19
+  const char *v14; // x9
+  unsigned int v15; // [xsp+2Ch] [xbp-134h] BYREF
+  __int128 v16[16]; // [xsp+30h] [xbp-130h] BYREF
+
+  memset(v16, 0, sizeof(v16));
+  v15 = 0;
+  flags = quarantine_get_flags(a2, 0LL, &v15, v16);
+  if ( flags )
+  {
+    v5 = flags;
+    result = 0LL;
+    if ( v5 == 93 )
+      return result;
+    return 1LL;
+  }
+  if ( (v15 & 6) == 0 )
+    return 0LL;
+  if ( (v15 & 4) != 0 )
+  {
+LABEL_15:
+    v12 = (const char *)getpath(a2);
+    v13 = v12;
+    v14 = "created without user consent";
+    if ( (v15 & 4) == 0 )
+      v14 = "not approved by Gatekeeper";
+    _os_log_internal(
+      &dword_FFFFFE000792BD40,
+      (os_log_t)&_os_log_default,
+      OS_LOG_TYPE_ERROR,
+      "exec of %s denied since it was quarantined by %s and %s, qtn-flags was 0x%08x",
+      v12,
+      (const char *)v16,
+      v14,
+      v15);
+    kfree_data_addr_external(v13);
+    return 1LL;
+  }
+  result = 0LL;
+  if ( require_user_approved_exec )
+  {
+    if ( (v15 & 0x40) == 0 )
+    {
+      v7 = vnode_mount(a2);
+      v8 = vfs_flags(v7);
+      result = 0LL;
+      if ( a1 )
+      {
+        if ( (v8 & 1) == 0 )
+        {
+          v9 = *(struct label **)(a1 + 120);
+          if ( v9 )
+          {
+            result = mac_label_get(v9, label_slot);
+            if ( !result )
+              return result;
+            v10 = result;
+            os_ref_retain_internal((os_ref_atomic_t *)(result + 16), 0LL);
+            if ( *(_QWORD *)v10
+              && (os_ref_retain_internal((os_ref_atomic_t *)(*(_QWORD *)v10 + 60LL), 0LL), *(_QWORD *)v10) )
+            {
+              v11 = *(_DWORD *)(*(_QWORD *)v10 + 56LL);
+              qtnstate_rele();
+              cred_label_rele(v10);
+              if ( (v11 & 2) != 0 )
+                goto LABEL_15;
+            }
+            else
+            {
+              cred_label_rele(v10);
+            }
+          }
+          return 0LL;
+        }
+      }
+    }
+  }
+  return result;
+}