From dd6eda76cc6319f247eb8bbe0868c9ac1935b6ae Mon Sep 17 00:00:00 2001
From: Karmaz95
Date: Sun, 3 Mar 2024 19:37:01 +0100
Subject: [PATCH]
---
 .../GHIDRA_macos_dyld_policy_collect_state.c | 123 ++++++++++++++++++
 .../PSEUDO_macos_dyld_policy_collect_state.c | 78 +++++++++++
 2 files changed, 201 insertions(+)
 create mode 100644 VI. AMFI/custom/AMFI_RE/GHIDRA_macos_dyld_policy_collect_state.c
 create mode 100644 VI. AMFI/custom/AMFI_RE/PSEUDO_macos_dyld_policy_collect_state.c
diff --git a/VI. AMFI/custom/AMFI_RE/GHIDRA_macos_dyld_policy_collect_state.c b/VI. AMFI/custom/AMFI_RE/GHIDRA_macos_dyld_policy_collect_state.c
new file mode 100644
index 0000000..3954398
--- /dev/null
+++ b/VI. AMFI/custom/AMFI_RE/GHIDRA_macos_dyld_policy_collect_state.c
@@ -0,0 +1,123 @@ + +/* macos_dyld_policy_collect_state(proc*, unsigned long long, amfi_dyld_policy_state_t*) */ + +void macos_dyld_policy_collect_state + (proc *param_1,ulonglong param_2,amfi_dyld_policy_state_t *param_3) + +{ + code *UNRECOVERED_JUMPTABLE; + int iVar1; + uint uVar2; + undefined4 uVar3; + long lVar4; + uint uVar5; + ulong unaff_x30; + + iVar1 = func_0xfffffe0008a49ecc(2); + *(uint *)param_3 = *(uint *)param_3 & 0xfffffffe | (uint)(iVar1 != 0); + uVar2 = func_0xfffffe0008a49850(param_1); + uVar5 = (uint)param_2; + *(uint *)param_3 = (uVar5 & 2 | uVar2 & 1) << 1 | *(uint *)param_3 & 0xfffffff9; + uVar2 = func_0xfffffe0008a8d2a0(param_1); + *(uint *)param_3 = *(uint *)param_3 & 0xfffffff0 | *(uint *)param_3 & 7 | (uVar2 & 1) << 3; + uVar2 = func_0xfffffe0008a474c8(param_1); + *(uint *)param_3 = *(uint *)param_3 & 0xffffffe0 | *(uint *)param_3 & 0xf | (uVar2 & 1) << 4; + uVar2 = func_0xfffffe0008a47520(param_1); + *(uint *)param_3 = *(uint *)param_3 & 0xffffffc0 | *(uint *)param_3 & 0x1f | (uVar2 & 1) << 5; + uVar2 = func_0xfffffe0008a47fb0(param_1); + *(uint *)param_3 = *(uint *)param_3 & 0xffffff80 | *(uint *)param_3 & 0x3f | (uVar2 & 1) << 6; + iVar1 = func_0xfffffe0008a4986c(param_1); + if (iVar1 == 0) { + uVar2 = 0; + } + else { + iVar1 = macOSPolicyConfig::hardeningEnabled(); + uVar2 = 0x80; + if (iVar1 == 0) { + uVar2 = 0; + } + } + *(uint *)param_3 = *(uint *)param_3 & 0xffffff7f | uVar2; + iVar1 = proc_has_entitlement(param_1,"com.apple.security.cs.allow-relative-library-loads"); + uVar2 = 0x100; + if (iVar1 == 0) { + uVar2 = 0; + } + *(uint *)param_3 = *(uint *)param_3 & 0xfffffeff | uVar2; + iVar1 = proc_has_entitlement(param_1,"com.apple.security.cs.allow-dyld-environment-variables"); + uVar2 = 0x200; + if (iVar1 == 0) { + uVar2 = 0; + } + *(uint *)param_3 = *(uint *)param_3 & 0xfffffdff | uVar2; + iVar1 = proc_has_get_task_allow(param_1); + uVar2 = 0x400; + if (iVar1 == 0) { + uVar2 = 0; + } + *(uint *)param_3 = uVar2 | (uVar5 & 1) << 0xb 
| *(uint *)param_3 & 0xfffff3ff; + iVar1 = func_0xfffffe0008a49ecc(0x10); + *(uint *)param_3 = (uVar5 & 4) << 0xb | (uint)(iVar1 == 0) << 0xc | *(uint *)param_3 & 0xffffcfff; + iVar1 = proc_has_entitlement(param_1,"com.apple.security.app-sandbox"); + uVar2 = 0x4000; + if (iVar1 == 0) { + uVar2 = 0; + } + *(uint *)param_3 = *(uint *)param_3 & 0xffffbfff | uVar2; + lVar4 = func_0xfffffe0008a478e4(param_1); + if (lVar4 == 0) { + uVar2 = 0; + } + else { + iVar1 = func_0xfffffe0008a47a28(); + uVar2 = (uint)(iVar1 == 6) << 0xf; + } + *(uint *)param_3 = *(uint *)param_3 & 0xffff7fff | uVar2; + iVar1 = func_0xfffffe0008a84714(param_1); + *(uint *)param_3 = + *(uint *)param_3 & 0xfffc0000 | *(uint *)param_3 & 0xffff | (uint)(iVar1 == 2) << 0x10; + uVar2 = func_0xfffffe0008a473e4(param_1); + *(uint *)param_3 = + *(uint *)param_3 & 0xfff80000 | *(uint *)param_3 & 0x3ffff | (uVar2 & 1) << 0x12; + iVar1 = func_0xfffffe0008a49ecc(4); + *(uint *)param_3 = + *(uint *)param_3 & 0xfff00000 | *(uint *)param_3 & 0x7ffff | (uint)(iVar1 == 0) << 0x13; + lVar4 = func_0xfffffe0008a478e4(param_1); + if (lVar4 == 0) { + uVar2 = *(uint *)param_3 & 0xffefffff; + *(uint *)param_3 = uVar2; + uVar3 = 0; + } + else { + *(uint *)param_3 = *(uint *)param_3 | 0x100000; + uVar3 = func_0xfffffe0008a47ac8(); + uVar2 = *(uint *)param_3; + } + *(undefined4 *)(param_3 + 4) = uVar3; + if ((uVar2 >> 0xc & 1) != 0) { + iVar1 = proc_has_entitlement(param_1,"com.apple.security.amfi.test.mac-app-store-test"); + if (iVar1 != 0) { + func_0xfffffe0008c3c908 + ( + "dyldPolicy: AppleInternal and com.apple.security.amfi.test.mac_app_store_test, masq uerading as app store\n" + ); + *(uint *)param_3 = *(uint *)param_3 | 0x8000; + } + if (_BootedDevice != '\0') { + *(uint *)param_3 = *(uint *)param_3 | 0x80000; + } + } + if (((unaff_x30 ^ unaff_x30 << 1) >> 0x3e & 1) == 0) { + logDyldPolicyData(param_1,param_2,param_3); + return; + } + /* WARNING: Treating indirect jump as call */ + UNRECOVERED_JUMPTABLE = (code 
*)SoftwareBreakpoint(0xc471,0xfffffe0009aca2c0); + (*UNRECOVERED_JUMPTABLE)(); + return; +} + +/* +logDyldPolicyData(): + "dyldPolicy: (%d) (%s) in(%08llx) sip(%d) cs_restrict(%d) restrict_segment(%d) setugid (%d) lv(%d) forced_lv(%d) platform(%d) hardened(%d) arl(%d) aev(%d) gta(%d) sim(%d) ai (%d) fp(%d) request_sandbox(%d) is_mac_app_store(%d) is_ios_app(%d) unrestrict_task_for_pid(%d)\n"); +*/
\ No newline at end of file
diff --git a/VI. AMFI/custom/AMFI_RE/PSEUDO_macos_dyld_policy_collect_state.c b/VI. AMFI/custom/AMFI_RE/PSEUDO_macos_dyld_policy_collect_state.c
new file mode 100644
index 0000000..a753354
--- /dev/null
+++ b/VI. AMFI/custom/AMFI_RE/PSEUDO_macos_dyld_policy_collect_state.c
@@ -0,0 +1,78 @@
+// Function to collect macOS dynamic linker (dyld) policy state
+macos_dyld_policy_collect_state(calling_process, param_2, amfi_dyld_policy_state) {
+
+ // Get process name & PID
+ process_name = get_process_name(calling_process);
+ process_ID = get_process_ID(calling_process);
+
+ // Check if system integrity protection is enabled
+ SIP_enabled = check_system_integrity_protection();
+
+ // Check if CS_RESTRICT bit is ON
+ has_CS_RESTRICT = check_cs_restrict_flag(calling_process);
+
+ // Check if process has restrict segment
+ has_RESTRICT_segment = check_restricted_segment(calling_process);
+
+ // Check if setuid/setgid behavior is enabled
+ is_setUGid = check_setuid_setgid(calling_process);
+
+ // Check if library validation is enabled
+ has_LV = !has_entitlement(calling_process, "com.apple.security.cs.disable-library-validation");
+
+ // Check if forced library validation is enabled (required by Hardened System Policy)
+ has_CS_FORCED_LV = check_forced_library_validation(calling_process);
+
+ // Check macOS platform (hardware)
+ platform = get_platform();
+
+ // Check if Hardened Runtime is enabled
+ has_HR = check_hardened_runtime(calling_process);
+
+ // Check entitlement for Allowing Relative Library loads
+ has_ARL = has_entitlement(calling_process, "com.apple.security.cs.allow-relative-library-loads");
+
+ // Check entitlement for allowing Dyld Environment Variables
+ has_AEV = has_entitlement(calling_process, "com.apple.security.cs.allow-dyld-environment-variables");
+
+ // Check entitlement for Getting Task Allow
+ has_GTA = has_entitlement(calling_process, "com.apple.security.get-task-allow");
+
+ // Check if the binary is built for simulator
+ is_SIM = is_built_for_sim(calling_process);
+
+ // Check if it is AppleInternal app
+ is_AI = check_internal_test_app(calling_process);
+
+ // Check if the application is masquerading mac App Store?
+ is_mac_app_store = has_entitlement(calling_process,"com.apple.security.amfi.test.mac-app-store-test") && is_AI;
+
+ // Not sure - checking Force Policy? (macOSPolicyConfig::forceDefaultDyldEnvVarsPolicy())
+ is_fp = is_policy_forced()
+
+ // Check if sandbox entitlement is present
+ request_sandbox = has_entitlement(calling_process, "com.apple.security.app-sandbox");
+
+ // Check if process is an iOS app:
+ is_ios_app = is_iOS_app(calling_process);
+
+ // Check if any of the below boot-args was used or process has GTA:
+ is_AMFI_disabled = has_nvram_boot_arg('PE_i_can_has_debugger',
+ 'amfi_unrestrict_task_for_pid',
+ 'amfi_allow_any_signature',
+ 'amfi_get_out_of_my_way',
+ 'cs_enforcement_disable',
+ 'cs_debug')
+ unrestrict_task_for_pid = is_AMFI_disabled || has_GTA
+
+ // Set the collected state according to the above functions.
+ amfi_dyld_policy_state(process_name, process_ID, SIP_enabled, has_CS_RESTRICT, has_RESTRICT_segment, is_setUGid, \
+ has_LV, has_CS_FORCED_LV, platform, has_HR, has_ARL, has_AEV, has_GTA, is_SIM, is_AI, is_mac_app_store, is_fp, \
+ request_sandbox, is_ios_app, unrestrict_task_for_pid);
+
+ // Log collected data
+ log_dyld_policy_data(calling_process, param_2, amfi_dyld_policy_state);
+}
+
+
+
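Review bot: The pseudocode models is_mac_app_store as only `has_entitlement(...) && is_AI`, but the decompiled function sets bit 15 (0x8000) from two sources: `(uint)(iVar1 == 6) << 0xf` when `func_0xfffffe0008a478e4(param_1)` returns non-zero (just after the app-sandbox check), and the later `|= 0x8000` under the AppleInternal-bit-and-test-entitlement branch, so the first source is missing here and a form like `is_mac_app_store = (<a478e4 check> && func_0xfffffe0008a47a28() == 6) || (is_AI && has_entitlement(calling_process, "com.apple.security.amfi.test.mac-app-store-test"));` would match the decompilation. Likewise is_SIM, has_RESTRICT_segment and is_fp are not separate calls in the decompiled code but bits of `param_2` (`(uVar5 & 1) << 0xb`, `(uVar5 & 2) << 1`, `(uVar5 & 4) << 0xb`), which makes `param_2` a caller-supplied flags word (presumably the `in(%08llx)` field of the log format) that the pseudo should read those three values from instead of `calling_process`. The disable-library-validation entitlement string and the nvram boot-arg list do not appear anywhere in the decompiled output, so those lines should carry the same kind of `// Not sure` marker the is_fp line already has rather than read as recovered fact. The `is_fp = is_policy_forced()` and `unrestrict_task_for_pid = is_AMFI_disabled || has_GTA` lines are also missing their terminating semicolons.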