@@ -0,0 +1,41 @@
|
||||
|
||||
/* macos_dyld_policy_at_path(proc*, amfi_dyld_policy_state_t*) */
|
||||
|
||||
undefined8 macos_dyld_policy_at_path(proc *process,amfi_dyld_policy_state_t *policy_state)
|
||||
|
||||
{
|
||||
int is_restricted_fp;
|
||||
undefined8 allowAtPaths;
|
||||
char *log_message;
|
||||
uint flags;
|
||||
|
||||
if ((*(uint *)policy_state & 0x10800) == 0) {
|
||||
is_restricted_fp = procIsDyldsRestricted(policy_state);
|
||||
if (is_restricted_fp == 0) {
|
||||
check_CS_FORCED_LV:
|
||||
is_restricted_fp = procIsDyldsRestricted(policy_state);
|
||||
if ((is_restricted_fp == 0) || (((byte)*policy_state >> 4 & 1) != 0))
|
||||
goto set_allowAtPaths_to_1;
|
||||
log_message = "process is not hardened, restricted and does not use Library Validation";
|
||||
}
|
||||
else {
|
||||
flags = *(uint *)policy_state;
|
||||
if ((flags >> 6 & 1) == 0) goto check_CS_FORCED_LV;
|
||||
if ((flags >> 5 & 1) == 0) {
|
||||
if ((flags >> 4 & 1) != 0) goto set_allowAtPaths_to_1;
|
||||
log_message = "platform process is restricted and does not use Library Validation";
|
||||
}
|
||||
else {
|
||||
log_message = "platform process is restricted and is not signed with Library Validation";
|
||||
}
|
||||
}
|
||||
logDyldPolicyRejection(process,"relative path loading disallowed",log_message);
|
||||
allowAtPaths = 0;
|
||||
}
|
||||
else {
|
||||
set_allowAtPaths_to_1:
|
||||
allowAtPaths = 1;
|
||||
}
|
||||
return allowAtPaths;
|
||||
}
|
||||
|
||||
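Review bot: The listing records no provenance — which binary, which macOS/AMFI build, and at what address `macos_dyld_policy_at_path` was decompiled — so the masks `0x10800`, `0x40`, `0x20`, `0x10` and the three rejection strings cannot be re-verified against another build; a header comment such as `/* decompiled (Ghidra) from <binary / build / address — fill in> */` above the signature would fix that. The first branch calls `procIsDyldsRestricted` twice (once at `is_restricted_fp = procIsDyldsRestricted(policy_state);` and again under `check_CS_FORCED_LV:`) and lets the second result, not the first, decide whether `set_allowAtPaths_to_1` is reached; that looks like a decompiler merge of two paths rather than the original control flow and deserves a comment so a hand-written rewrite does not copy it literally. Note also that the `0x20`-set branch rejects without testing the `0x10` bit at all, unlike its sibling branch.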
@@ -0,0 +1,41 @@
|
||||
// Set amfiFlags->allowEnvVarsPrint (AMFI_DYLD_OUTPUT_ALLOW_PRINT_VARS)
|
||||
// RPL == Relative Path Loading
|
||||
// HR == Hardening Runtime
|
||||
// LV == Library Validation
|
||||
// RP == Restricted Process
|
||||
// RPP == Restricted Platform Process
|
||||
|
||||
macos_dyld_policy_at_path(proc *process, amfi_dyld_policy_state_t *policy_state) {
|
||||
uint flags = policy_state->flags;
|
||||
|
||||
// Check if process is not restricted (CS_RUNTIME == 0x10000 and CS_RESTRICT == 0x800):
|
||||
if ((flags & 0x10800) == 0) {
|
||||
|
||||
// Check if the process is not forcibly restricted
|
||||
int is_restricted = procIsDyldsRestricted(policy_state);
|
||||
if (is_restricted == 0) {
|
||||
|
||||
// Check if the process does not use Library Validation (CS_FORCED_LV == 0x10):
|
||||
if ((flags & 0x10) == 0) {
|
||||
log("RPL: 0, HR: 0, RP: 0, LV: 0");
|
||||
}
|
||||
} else {
|
||||
// 0x40 == CS_EXECSEG_JIT used ?? (not sure aobut it)
|
||||
if ((flags & 0x40) != 0) {
|
||||
|
||||
// (macOS Only) Page invalidation allowed by task port policy (CS_INVALID_ALLOWED == 0x20) not used
|
||||
if ((flags & 0x20) == 0) {
|
||||
|
||||
// Check if process does not use Library Validation
|
||||
if ((flags & 0x10) == 0) {
|
||||
log("RPL: 0, PPR: 1, LV: 0");
|
||||
}
|
||||
} else {
|
||||
log("RPL: 0, PPR: 1, LV: 0");
|
||||
}
|
||||
}
|
||||
}
|
||||
allowAtPaths == 0;
|
||||
}
|
||||
allowAtPaths == 1;
|
||||
}
|
||||
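Review bot: `allowAtPaths == 0;` and `allowAtPaths == 1;` are comparisons whose result is discarded, not assignments, and because the second one sits after the outer `if` rather than in an `else`, every path — including the rejecting ones — ends on the allow value; write `allowAtPaths = 0;` inside the block, put `allowAtPaths = 1;` in an `else`, and return it (the function also lacks a return type and a `return`). The two logs in the `0x40` branch carry the same text `"RPL: 0, PPR: 1, LV: 0"`, while the decompiled listing distinguishes them (`"...does not use Library Validation"` for the `0x20`-clear case versus `"...is not signed with Library Validation"` for the `0x20`-set case), and `PPR` does not match the `RP`/`RPP` legend at the top. The header comment says this sets `allowEnvVarsPrint` (`AMFI_DYLD_OUTPUT_ALLOW_PRINT_VARS`), but the function is the `at_path` policy and assigns `allowAtPaths`, which the flag table in this commit maps to `AMFI_DYLD_OUTPUT_ALLOW_AT_PATH`; the comment should name that flag. Whether the masks are codesigning flags (`CS_FORCED_LV`, `CS_INVALID_ALLOWED`) or AMFI's own policy-state bits is not established by either listing, and the `0x40 == CS_EXECSEG_JIT` guess is already marked uncertain by the author, so those comments should stay hedged until checked against the header.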
@@ -0,0 +1,20 @@
|
||||
import sys
|
||||
flags = {
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_AT_PATH": 1,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_PATH_VARS": 2,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_CUSTOM_SHARED_CACHE": 4,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_FALLBACK_PATHS": 8,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_PRINT_VARS": 16,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_FAILED_LIBRARY_INSERTION": 32,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_LIBRARY_INTERPOSING": 64,
|
||||
"AMFI_DYLD_OUTPUT_ALLOW_EMBEDDED_VARS": 128
|
||||
}
|
||||
def check_flags(value):
|
||||
return [flag_name for flag_name, flag_value in flags.items() if value & flag_value]
|
||||
|
||||
input_value = int(sys.argv[1], 16)
|
||||
set_flags = check_flags(input_value)
|
||||
|
||||
if set_flags:
|
||||
print("Flags set:")
|
||||
print(*set_flags, sep="\n"
|
||||
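Review bot: The last line `print(*set_flags, sep="\n"` has no closing parenthesis as rendered; if that is in the file rather than a display truncation, the script does not parse. `int(sys.argv[1], 16)` is also evaluated at import time with no argument-count or format check, so running it without an argument raises IndexError and a non-hex argument raises ValueError instead of a usage message, and when no known bit is set the script prints nothing. Bits outside the eight in `flags` are silently ignored; reporting the leftover mask makes a new or mis-parsed value visible. The rewritten tail below validates the argument, prints the unknown remainder, and keeps `check_flags` unchanged.
```python
# … unchanged: flags table and check_flags …

KNOWN_MASK = sum(flags.values())

if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <amfi dyld output flags, hex>")
try:
    input_value = int(sys.argv[1], 16)
except ValueError:
    sys.exit(f"not a hexadecimal value: {sys.argv[1]!r}")

set_flags = check_flags(input_value)
if set_flags:
    print("Flags set:")
    print(*set_flags, sep="\n")
else:
    print("No known flags set")

unknown = input_value & ~KNOWN_MASK
if unknown:
    print(f"Unknown bits: {unknown:#x}")
```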