30 Commits
v0.4 ... v0.6

Author SHA1 Message Date
Karmaz95
007c9f5786 2024-03-25 11:32:24 +01:00
Karmaz95
6c12efc925 2024-03-25 09:34:55 +01:00
Karmaz95
7c2231ec8d 2024-03-25 08:42:22 +01:00
Karmaz95
ab449adc7b 2024-03-24 22:45:00 +01:00
Karmaz95
3bb4b95384 2024-03-24 21:30:43 +01:00
Karmaz95
c7e8ea46ae 2024-03-24 21:29:13 +01:00
Karmaz95
1342b2054a 2024-03-24 16:07:27 +01:00
Karmaz95
0b5b02fdb9 2024-03-16 17:27:25 +01:00
Karmaz95
655a7cb94c 2024-03-16 16:45:47 +01:00
Karmaz95
a0355a6f29 2024-03-15 22:22:41 +01:00
Karmaz95
dceee00b32 2024-03-09 23:29:23 +01:00
Karmaz95
6d8bec4987 2024-03-09 23:28:54 +01:00
Karmaz95
f0643d4c79 2024-03-05 17:37:07 +01:00
Karmaz95
ee72631d38 2024-03-05 17:35:31 +01:00
Karmaz95
dd6eda76cc 2024-03-03 19:37:01 +01:00
Karmaz95
1b1cbb3d02 2024-02-27 16:27:53 +01:00
Karmaz95
d3b1e459ec 2024-02-18 22:34:40 +01:00
Karmaz95
d0d8b8a471 2024-02-18 22:32:36 +01:00
Karmaz95
13c8587f28 2024-02-18 21:58:01 +01:00
Karmaz95
ea0d485e57 2024-02-18 17:17:44 +01:00
Karmaz95
acaa13158b 2024-02-18 17:02:01 +01:00
Karmaz95
464f5317ae 2024-02-18 15:35:56 +01:00
Karmaz95
73bf3b3aa0 2024-02-18 13:25:12 +01:00
Karmaz95
ba7fdc92f2 2024-02-11 10:27:09 +01:00
Karmaz95
c8425c8430 2024-02-04 19:40:58 +01:00
Karmaz95
bf82224406 2024-02-04 19:39:27 +01:00
Karmaz95
c5c1aeef65 2024-02-03 09:24:09 +01:00
Karmaz95
6b614c778e 2024-01-18 13:44:03 +01:00
Karmaz95
c58ca4bed6 2024-01-18 13:12:03 +01:00
Karmaz95
9f67cfcf99 2024-01-18 13:10:23 +01:00
33 changed files with 11290 additions and 396 deletions

14
.gitignore vendored

@@ -1,2 +1,14 @@
# Exclude .DS_Store files
**/.DS_Store
**/.vscode
# Exclude .vscode directory
**/.vscode/
# Exclude __pycache__ directories
__pycache__/
# Exclude pytest_cache directories
.pytest_cache/
# Exclude changes_release.md
changes_release.md


@@ -1,3 +1,4 @@
// clang -fobjc-arc -framework Foundation example.m -o arc_example
#import <Foundation/Foundation.h>
@interface Person : NSObject


269
README.md

@@ -13,28 +13,67 @@ Each article directory contains three subdirectories:
* &#9745; [II. Code Signing](https://karol-mazurek95.medium.com/snake-apple-ii-code-signing-f0a9967b7f02?sk=v2%2Fbbc87007-89ca-4135-91d6-668b5d2fe9ae)
* &#9745; [III. Checksec](https://karol-mazurek95.medium.com/snake-apple-iii-checksec-ed64a4b766c1?sk=v2%2Fb4b8d637-e906-4b6b-8088-ca1f893cd787)
* &#9745; [IV. Dylibs](https://karol-mazurek.medium.com/snake-apple-iv-dylibs-2c955439b94e?sk=v2%2Fdef72b7a-121a-47a1-af89-7bf53aed1ea2)
* &#9745; [V. Dyld](https://karol-mazurek.medium.com/snake-apple-v-dyld-8b36b674cc44?sk=v2%2F4acb16f8-fa88-41f0-8d7c-1362f4060010)
* &#9745; [DYLD — Do You Like Death? (I)](https://karol-mazurek.medium.com/dyld-do-you-like-death-i-8199faad040e?sk=v2%2F359b081f-d944-409b-9e7c-95f7c171b969) - Startup | kernArgs | rebaseSelf | initializeLibc | task_self_trap | stack_guard | findArgv | findEnvp | findApple
* &#9745; [DYLD — Do You Like Death? (II)](https://karol-mazurek.medium.com/dyld-do-you-like-death-ii-b74360b8af47?sk=v2%2Ff0cff71c-5345-4228-a639-653325fc979d) - handleDyldInCache| isBuiltForSimulator | isTranslated | crossarch_trap | Calling Convention on ARM64v8 | __unused attribute | Dyld Shared Region | thisDyldUuid | hasExistingDyldCache | shared_region_check_np | Carry flag | dynamic data header | dyldInCacheMH
* &#9745; [DYLD — Do You Like Death? (III)](https://karol-mazurek.medium.com/dyld-do-you-like-death-iii-af77701a3034?sk=v2%2F06c92503-2db9-40e2-b139-c9ae0a35e7b3) - handleDyldInCache | DYLD_IN_CACHE | restartWithDyldInCache | dyld_all_image_infos | calculating offset for debugging Dyld in Cache
* &#9745; [DYLD — Do You Like Death? (IV)](https://karol-mazurek.medium.com/dyld-do-you-like-death-iv-ede6b157752c?sk=v2%2F87ebe38d-004c-41a6-bc1f-43898494a512) - RuntimeLocks | MemoryManager | dyld_hw_tpro | Lambda Capture | withWritableMemory | PAC | arm64e_preview_abi | __ptrauth_dyld_tpro0 | WriteProtectionState | previousState | os_compiler_barrier |
* &#9745; [DYLD — Do You Like Death? (V)](https://karol-mazurek.medium.com/dyld-do-you-like-death-v-c40a267573cb?sk=v2%2F4c9f16b2-59bd-406a-945d-10a1fba1001b) - Linker Standard Library | EphemeralAllocator | Dyld Private Memory | PersistentAllocator | vm_allocate | vm_protect | _kernelrpc_mach_vm_allocate_trap | _kernelrpc_mach_vm_protect_trap
* &#9745; [DYLD — Do You Like Death? (VI)](https://karol-mazurek.medium.com/dyld-do-you-like-death-vi-1013a69118ff?sk=v2%2F37b3a61f-8483-4b38-977d-7f860944862b) - ProcessConfig | Process::Process | Process::Security | csr_check | CSR_ALLOW_APPLE_INTERNAL | csrctl | syscall_csr_check | AMFI | internalInstall | isRestricted | isFairPlayEncrypted | amfiFlags | amfi_check_dyld_policy_self | ___sandbox_ms | ___mac_syscall | mpo_policy_syscall_t | MAC policy | com.apple.driver.AppleMobileFileIntegrity | _policy_syscall | _check_dyld_policy_internal | macos_Dyld_policy_collect_state | logDyldPolicyData | DYLD_AMFI_FAKE | getAMFI | pruneEnvVars | com.apple.security.cs.allow-dyld-environment-variables
* &#9744; [DYLD — Do You Like Death? (VII)]() - ProcessConfig::Logging::Logging
* &#9745; [VI. AMFI](https://karol-mazurek.medium.com/snake-apple-vi-amfi-31c48fb92d33?sk=v2%2F8116bf86-e0a7-42be-ada9-5348447c01fd)
## TOOLS
[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder)
[CrimsonUroboros](#crimsonuroboros) • [MachOFileFinder](#machofilefinder) • [TrustCacheParser](#trustcacheparser) • [SignatureReader](#signaturereader) • [extract_cms.sh](#extract_cmssh) • [ModifyMachOFlags](#modifymachoflags) • [LCFinder](#lcfinder) • [MachODylibLoadCommandsFinder](#machodylibloadcommandsfinder)
***
### [CrimsonUroboros](IV.%20Dylibs/python/CrimsonUroboros.py)
### [CrimsonUroboros](tests/CrimsonUroboros.py)
![alt](img/CrimsonUroboros.jpg)
Core program resulting from the Snake&Apple article series for binary analysis. You may find older versions of this script in each article directory in this repository.
* Usage
```console
usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian] [--header] [--load_commands] [--segments]
[--sections] [--symbols] [--chained_fixups] [--exports_trie] [--uuid] [--main]
[--encryption_info [(optional) save_path.bytes]] [--strings_section] [--all_strings]
[--save_strings all_strings.txt] [--info] [--verify_signature] [--cd_info] [--cd_requirements]
[--entitlements [human|xml|var]] [--extract_cms cms_signature.der]
[--extract_certificates certificate_name] [--remove_sig unsigned_binary]
[--sign_binary [adhoc|identity_number]] [--has_pie] [--has_arc] [--is_stripped] [--has_canary]
[--has_nx_stack] [--has_nx_heap] [--has_xn] [--is_notarized] [--is_encrypted] [--has_restrict]
[--is_hr] [--is_as] [--is_fort] [--has_rpath] [--checksec] [--dylibs] [--rpaths] [--rpaths_u]
[--dylibs_paths] [--dylibs_paths_u] [--broken_relative_paths]
[--dylibtree [cache_path,output_path,is_extracted]] [--dylib_id] [--reexport_paths] [--hijack_sec]
[--dylib_hijacking [cache_path]] [--prepare_dylib [target_dylib_path]]
usage: CrimsonUroboros [-h] -p PATH [--file_type] [--header_flags] [--endian]
[--header] [--load_commands] [--has_cmd LC_MAIN]
[--segments] [--has_segment __SEGMENT] [--sections]
[--has_section __SEGMENT,__section] [--symbols]
[--imports] [--exports] [--imported_symbols]
[--chained_fixups] [--exports_trie] [--uuid] [--main]
[--encryption_info [(optional) save_path.bytes]]
[--strings_section] [--all_strings]
[--save_strings all_strings.txt] [--info]
[--dump_data [offset,size,output_path]]
[--calc_offset vm_offset] [--constructors]
[--verify_signature] [--cd_info] [--cd_requirements]
[--entitlements [human|xml|var]]
[--extract_cms cms_signature.der]
[--extract_certificates certificate_name]
[--remove_sig unsigned_binary]
[--sign_binary [adhoc|identity]] [--cs_offset]
[--cs_flags] [--has_pie] [--has_arc] [--is_stripped]
[--has_canary] [--has_nx_stack] [--has_nx_heap]
[--has_xn] [--is_notarized] [--is_encrypted]
[--is_restricted] [--is_hr] [--is_as] [--is_fort]
[--has_rpath] [--has_lv] [--checksec] [--dylibs]
[--rpaths] [--rpaths_u] [--dylibs_paths]
[--dylibs_paths_u] [--broken_relative_paths]
[--dylibtree [cache_path,output_path,is_extracted]]
[--dylib_id] [--reexport_paths] [--hijack_sec]
[--dylib_hijacking [(optional) cache_path]]
[--dylib_hijacking_a [cache_path]]
[--prepare_dylib [(optional) target_dylib_name]]
[--is_built_for_sim] [--get_dyld_env]
[--compiled_with_dyld_env] [--has_interposing]
[--interposing_symbols]
[--dump_prelink_info [(optional) out_name]]
[--dump_prelink_text [(optional) out_name]]
[--dump_prelink_kext [kext_name]]
[--kext_prelinkinfo [kext_name]]
[--kmod_info kext_name] [--kext_entry kext_name]
[--kext_exit kext_name] [--mig] [--has_suid]
[--has_sgid] [--has_sticky] [--injectable_dyld]
[--test_insert_dylib] [--test_prune_dyld]
[--test_dyld_print_to_file]
Mach-O files parser for binary analysis
@@ -48,84 +87,188 @@ MACH-O ARGS:
--endian Print binary endianess
--header Print binary header
--load_commands Print binary load commands names
--has_cmd LC_MAIN Check of binary has given load command
--segments Print binary segments in human-friendly form
--has_segment __SEGMENT
Check if binary has given '__SEGMENT'
--sections Print binary sections in human-friendly form
--has_section __SEGMENT,__section
Check if binary has given '__SEGMENT,__section'
--symbols Print all binary symbols
--imports Print imported symbols
--exports Print exported symbols
--imported_symbols Print symbols imported from external libraries with
dylib names
--chained_fixups Print Chained Fixups information
--exports_trie Print Export Trie information
--uuid Print UUID
--main Print entry point and stack size
--encryption_info [(optional) save_path.bytes]
Print encryption info if any. Optionally specify an output path to dump the encrypted data (if
cryptid=0, data will be in plain text)
Print encryption info if any. Optionally specify an
output path to dump the encrypted data (if cryptid=0,
data will be in plain text)
--strings_section Print strings from __cstring section
--all_strings Print strings from all sections
--save_strings all_strings.txt
Parse all sections, detect strings, and save them to a file
--info Print header, load commands, segments, sections, symbols, and strings
Parse all sections, detect strings, and save them to a
file
--info Print header, load commands, segments, sections,
symbols, and strings
--dump_data [offset,size,output_path]
Dump {size} bytes starting from {offset} to a given
(unknown) (e.g. '0x1234,0x1000,out.bin')
--calc_offset vm_offset
Calculate the real address (file on disk) of the given
Virtual Memory {vm_offset} (e.g. 0xfffffe000748f580)
--constructors Print binary constructors
CODE SIGNING ARGS:
--verify_signature Code Signature verification (if the contents of the binary have been modified)
--verify_signature Code Signature verification (if the contents of the
binary have been modified)
--cd_info Print Code Signature information
--cd_requirements Print Code Signature Requirements
--entitlements [human|xml|var]
Print Entitlements in a human-readable, XML, or DER format (default: human)
Print Entitlements in a human-readable, XML, or DER
format (default: human)
--extract_cms cms_signature.der
Extract CMS Signature from the Code Signature and save it to a given file
Extract CMS Signature from the Code Signature and save
it to a given file
--extract_certificates certificate_name
Extract Certificates and save them to a given file. To each filename will be added an index at
the end: _0 for signing, _1 for intermediate, and _2 for root CA certificate
Extract Certificates and save them to a given file. To
each filename will be added an index at the end: _0
for signing, _1 for intermediate, and _2 for root CA
certificate
--remove_sig unsigned_binary
Save the new file on a disk with removed signature
--sign_binary [adhoc|identity_number]
Sign binary using specified identity - use : 'security find-identity -v -p codesigning' to get
the identity (default: adhoc)
--sign_binary [adhoc|identity]
Sign binary using specified identity - use : 'security
find-identity -v -p codesigning' to get the identity
(default: adhoc)
--cs_offset Print Code Signature file offset
--cs_flags Print Code Signature flags
CHECKSEC ARGS:
--has_pie Check if Position-Independent Executable (PIE) is set
--has_arc Check if Automatic Reference Counting (ARC) is in use (can be false positive)
--has_arc Check if Automatic Reference Counting (ARC) is in use
(can be false positive)
--is_stripped Check if binary is stripped
--has_canary Check if Stack Canary is in use (can be false positive)
--has_canary Check if Stack Canary is in use (can be false
positive)
--has_nx_stack Check if stack is non-executable (NX stack)
--has_nx_heap Check if heap is non-executable (NX heap)
--has_xn Check if binary is protected by eXecute Never (XN) ARM protection
--is_notarized Check if the application is notarized and can pass the Gatekeeper verification
--is_encrypted Check if the application is encrypted (has LC_ENCRYPTION_INFO(_64) and cryptid set to 1)
--has_restrict Check if binary has __RESTRICT segment
--has_xn Check if binary is protected by eXecute Never (XN) ARM
protection
--is_notarized Check if the application is notarized and can pass the
Gatekeeper verification
--is_encrypted Check if the application is encrypted (has
LC_ENCRYPTION_INFO(_64) and cryptid set to 1)
--is_restricted Check if binary has __RESTRICT segment or CS_RESTRICT
flag set
--is_hr Check if the Hardened Runtime is in use
--is_as Check if the App Sandbox is in use
--is_fort Check if the binary is fortified
--has_rpath Check if the binary utilise any @rpath variables
--has_lv Check if the binary has Library Validation (protection
against Dylib Hijacking)
--checksec Run all checksec module options on the binary
DYLIBS ARGS:
--dylibs Print shared libraries used by specified binary with compatibility and the current version
(loading paths unresolved, like @rpath/example.dylib)
--rpaths Print all paths (resolved) that @rpath can be resolved to
--rpaths_u Print all paths (unresolved) that @rpath can be resolved to
--dylibs_paths Print absolute dylib loading paths (resolved @rpath|@executable_path|@loader_path) in order they
--dylibs Print shared libraries used by specified binary with
compatibility and the current version (loading paths
unresolved, like @rpath/example.dylib)
--rpaths Print all paths (resolved) that @rpath can be resolved
to
--rpaths_u Print all paths (unresolved) that @rpath can be
resolved to
--dylibs_paths Print absolute dylib loading paths (resolved
@rpath|@executable_path|@loader_path) in order they
are searched for
--dylibs_paths_u Print unresolved dylib loading paths.
--broken_relative_paths
Print 'broken' relative paths from the binary (cases where the dylib source is specified for an
executable directory without @executable_path)
Print 'broken' relative paths from the binary (cases
where the dylib source is specified for an executable
directory without @executable_path)
--dylibtree [cache_path,output_path,is_extracted]
Print the dynamic dependencies of a Mach-O binary recursively. You can specify the Dyld Shared
Cache path in the first argument, the output directory as the 2nd argument, and if you have
already extracted DSC in the 3rd argument (0 or 1). The output_path will be used as a base for
dylibtree. For example, to not extract DSC, use: --dylibs ",,1", or to extract from default to
default use just --dylibs or --dylibs ",,0" which will extract DSC to extracted_dyld_share_cache/
Print the dynamic dependencies of a Mach-O binary
recursively. You can specify the Dyld Shared Cache
path in the first argument, the output directory as
the 2nd argument, and if you have already extracted
DSC in the 3rd argument (0 or 1). The output_path will
be used as a base for dylibtree. For example, to not
extract DSC, use: --dylibs ",,1", or to extract from
default to default use just --dylibs or --dylibs ",,0"
which will extract DSC to extracted_dyld_share_cache/
in the current directory
--dylib_id Print path from LC_ID_DYLIB
--reexport_paths Print paths from LC_REEXPORT_DLIB
--hijack_sec Check if binary is protected against Dylib Hijacking
--dylib_hijacking [cache_path]
Check for possible Direct and Indirect Dylib Hijacking loading paths. (optional) Specify the path
to the Dyld Shared Cache
--prepare_dylib [target_dylib_path]
Compile rogue dylib. (optional) Specify target_dylib_path, it will search for the imported
symbols from it in the dylib specified in the --path argument and automatically add it to the
source code of the rogue lib. Example: --path lib1.dylib --prepare_dylib /path/to/lib2.dylib
--dylib_hijacking [(optional) cache_path]
Check for possible Direct and Indirect Dylib Hijacking
loading paths. The output is printed to console and
saved in JSON format to
/tmp/dylib_hijacking_log.json(append mode).
Optionally, specify the path to the Dyld Shared Cache
--dylib_hijacking_a [cache_path]
Like --dylib_hijacking, but shows only possible
vectors (without protected binaries)
--prepare_dylib [(optional) target_dylib_name]
Compile rogue dylib. Optionally, specify
target_dylib_path, it will search for the imported
symbols from it in the dylib specified in the --path
argument and automatically add it to the source code
of the rogue lib. Example: --path lib1.dylib
--prepare_dylib /path/to/lib2.dylib
DYLD ARGS:
--is_built_for_sim Check if binary is built for simulator platform.
--get_dyld_env Extract Dyld environment variables from the loader
binary.
--compiled_with_dyld_env
Check if binary was compiled with -dyld_env flag and
print the environment variables and its values.
--has_interposing Check if binary has interposing sections.
--interposing_symbols
Print interposing symbols if any.
AMFI ARGS:
--dump_prelink_info [(optional) out_name]
Dump "__PRELINK_INFO,__info" to a given file (default:
"PRELINK_info.txt")
--dump_prelink_text [(optional) out_name]
Dump "__PRELINK_TEXT,__text" to a given file (default:
"PRELINK_text.txt")
--dump_prelink_kext [kext_name]
Dump prelinked KEXT {kext_name} from decompressed
Kernel Cache PRELINK_TEXT segment to a file named:
prelinked_{kext_name}.bin
--kext_prelinkinfo [kext_name]
Print _Prelink properties from PRELINK_INFO,__info for
a give {kext_name}
--kmod_info kext_name
Parse kmod_info structure for the given {kext_name}
from Kernel Cache
--kext_entry kext_name
Calculate the virtual memory address of the __start
(entrpoint) for the given {kext_name} Kernel Extension
--kext_exit kext_name
Calculate the virtual memory address of the __stop
(exitpoint) for the given {kext_name} Kernel Extension
--mig Search for MIG subsystem and prints message handlers
--has_suid Check if the file has SetUID bit set
--has_sgid Check if the file has SetGID bit set
--has_sticky Check if the file has sticky bit set
--injectable_dyld Check if the binary is injectable using
DYLD_INSERT_LIBRARIES
--test_insert_dylib Check if it is possible to inject dylib using
DYLD_INSERT_LIBRARIES (INVASIVE - the binary is
executed)
--test_prune_dyld Check if Dyld Environment Variables are cleared (using
DYLD_PRINT_INITIALIZERS=1) (INVASIVE - the binary is
executed)
--test_dyld_print_to_file
Check if YLD_PRINT_TO_FILE Dyld Environment Variables
works (INVASIVE - the binary is executed)
```
* Example:
```bash
@@ -265,10 +408,18 @@ Print the total Mach-O files analyzed and how many DYLIB-related LCs existed
```console
MachODylibLoadCommandsFinder 2>/dev/null
```
***
### [check_amfi](VI.%20AMFI/python/check_amfi.py)
Simple script for calculating `amfiFlags` (described [here](https://karol-mazurek.medium.com/dyld-do-you-like-death-vi-1013a69118ff) in `ProcessConfig — AMFI properties`)
* Usage:
```console
python3 check_amfi.py 0x1df
```
## INSTALL
```
pip -r requirements.txt
pip3 install -r requirements.txt
wget https://github.com/CRKatri/trustcache/releases/download/v2.0/trustcache_macos_arm64 -O /usr/local/bin/trustcache
chmod +x /usr/local/bin/trustcache
xattr -d com.apple.quarantine /usr/local/bin/trustcache
@@ -281,9 +432,9 @@ brew install blacktop/tap/ipsw
* `--dylib_hijacking` needs [ipsw](https://github.com/blacktop/ipsw) to be installed.
* `--dylibtree` needs the [dyld-shared-cache-extractor](https://github.com/keith/dyld-shared-cache-extractor) to be installed.
## WHY UROBOROS?
I will write the code for each article as a class SnakeX, where X will be the article number. To make it easier for the audience to follow. Each Snake class will be a child of the previous one and infinitely "eat itself" (inherit methods of the previous class), like Uroboros.
I will write the code for each article as a class SnakeX, where X will be the article number, to make it easier for the audience to follow.
Each Snake class will be a child of the previous one and infinitely "eat itself" (inherit methods of the previous class), like Uroboros.
## ADDITIONAL LINKS
* [Apple Open Source](https://opensource.apple.com/releases/)
@@ -297,5 +448,11 @@ I will write the code for each article as a class SnakeX, where X will be the ar
* Every method in the Snake class that use Entitlements should parse first XML > DER (currently, only XML parser exists)
* After making a SuperBlob parser and CodeDirectory blob parser, modify hasHardenedRuntime to check Runtime flag by using bitmask, instead of string.
* Build Dyld Shared Cache parser and extractor to make SnakeIV independant of dyld-shared-cache-extractor.
* Add check for `CS_RESTRICT` (`0x800`) in --`checksec` to `RESTRICTED`
* Add check for `DYLIB HIJACKING` to --`checksec`
* Create `RottenApple.app` in another repository and use it for testing.
* Add Dyld Closure chapter to Snake&Apple V - Dyld
* Move `kext_prelinkinfo`, `dumpPrelink_info` and `dumpPrelink_text` to Snake & Apple chapter about Kernel Extensions when ready.
* Add kernelcache parser.
* Add `LC_FILESET_ENTRY` method to `dumpKernelExtension`.
* Consider moving methods like `removeNullBytesAlignment`, `calcTwoComplement64` etc. to `Utils` class.
* Move `--mig` option to Snake & Apple chapter about Mach Kernel when ready.
* Make Thread manager class and improve the Threading.thread with tracing methods and `kill()`.


@@ -0,0 +1,22 @@
#include <stdio.h>
int main(int argc, char *argv[], char *envp[], char *apple[]) {
printf("Argument count: %d\n", argc);
printf("Standard arguments:\n");
for (int i = 0; i < argc; i++) {
printf("Argument %d: %s\n", i, argv[i]);
}
printf("Environment variables:\n");
for (int i = 0; envp[i] != NULL; i++) {
printf("Environment Variable %d: %s\n", i, envp[i]);
}
printf("Apple-specific arguments:\n");
for (int i = 0; apple[i] != NULL; i++) {
printf("Apple Argument %d: %s\n", i, apple[i]);
}
return 0;
}
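Review bot: The four-parameter `main` at the top of this hunk is not standard C — only dyld on Apple platforms passes a fourth NULL-terminated `apple[]` vector after `envp` — and nothing in the file says so, so a reader will assume a typo. Add a one-line note above the definition, e.g. `// macOS-only: dyld hands main() a 4th NULL-terminated vector (apple[]) after envp; see findApple in dyld`. The other samples in this commit carry a build line (`// clang -o hello hello.c`); this one does not, and since the file name is not visible here I cannot propose the exact command, but it should match the sibling files. It is also worth a comment that the program echoes the full environment, which may include secrets when run from a real shell.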

15
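--- /dev/null
+++ b/V. Dyld/custom/con_des.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+// Constructor
+__attribute__((constructor)) void crimson_constructor() {
+syslog(LOG_ERR, "[+] crimson_constructor called\n");
+printf("[+] crimson_constructor called\n");
+}
+// Destructor
+__attribute__((destructor)) void crimson_destructor() {
+syslog(LOG_ERR, "[+] crimson_destructor called\n");
+printf("[+] crimson_destructor called\n");
+}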
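Review bot: Both `syslog` calls pass a message that ends in `\n`; syslog(3) stores the message as given, so the newline is redundant and tends to show up as a stray character in the log viewer — drop it: `syslog(LOG_ERR, "[+] crimson_constructor called");` and likewise in the destructor. Using `LOG_ERR` for a purely informational trace is also questionable; it is presumably chosen so the line is not filtered out, in which case a comment saying so (`// LOG_ERR so the line survives default log filtering`) would stop the next reader from "fixing" it. Unlike `hello.c` and `interpose.c` in this commit, the file has no build-line comment; add the one the article uses (probably `// clang -dynamiclib -o libcon_des.dylib con_des.c`, but confirm).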
8
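--- /dev/null
+++ b/V. Dyld/custom/hello.c
@@ -0,0 +1,8 @@
+// clang -o hello hello.c
+#include <stdio.h>
+int main() {
+printf("Hello!\n");
+return 0;
+}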

@@ -0,0 +1,22 @@
// clang -dynamiclib -o libinterpose.dylib interpose.c
#include <stdio.h>
// Define the interpose macro
#define DYLD_INTERPOSE(_replacement,_replacee) \
__attribute__((used)) static struct { \
const void* replacement; \
const void* replacee; \
} \
_interpose_##_replacee \
__attribute__ ((section ("__DATA,__interpose,interposing"))) = { \
(const void*)(unsigned long)&_replacement, \
(const void*)(unsigned long)&_replacee };
// Define the replacement function
int my_printf(const char *format, ...) {
int ret = printf("Hello from my_printf!\n");
return ret;
}
// Apply the interposing macro to replace printf with my_printf
DYLD_INTERPOSE(my_printf, printf)
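Review bot: `my_printf` declares `format, ...` and then ignores both, so every `printf` in the interposed process is replaced by the fixed string and whatever the program tried to print is silently lost; `format` is also an unused parameter under `-Wextra`. If that is the intended demo behaviour, say so next to the definition: `// Deliberately drops the caller's format/args: the point is to show the hook fires`. If the hook is meant to be transparent, forward instead with `va_list ap; va_start(ap, format); int ret = vprintf(format, ap); va_end(ap);` after an `#include <stdarg.h>`. A note that the `__DATA,__interpose` section is only honoured when the dylib is actually loaded by dyld (e.g. via DYLD_INSERT_LIBRARIES into a non-restricted process) would also help readers who try this on a hardened binary.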


@@ -0,0 +1,63 @@
//g++ -std=c++11 lambda_capture_example.cpp -o lambda_capture_example
/*
This example demonstrates how lambda capture by reference [&] allows the lambda function to access and modify variables from the outer scope directly.
1. We have a function withWritableMemory that simulates the process of making memory writable, executing some work, and then restoring memory protection.
2. In the main function, we have variables x and y.
3. We define a lambda function lambda capturing all variables by reference [&]().
4. Inside the lambda, we modify the values of x and y.
5. We call withWritableMemory and pass the lambda as an argument.
6. The lambda is executed within the withWritableMemory function.
7. After the lambda execution, we print the values of x and y to see the changes made inside the lambda.
*/
#include <iostream>
void withWritableMemory(std::function<void()> work) {
std::cout << "Entering withWritableMemory function" << std::endl;
// Simulating the setup before making memory writable
std::cout << "Setting up memory..." << std::endl;
// Make memory writable
// Execute the provided work function
work();
// Restore memory protection
std::cout << "Restoring memory protection..." << std::endl;
std::cout << "Exiting withWritableMemory function" << std::endl;
}
int main() {
int x = 5;
int y = 3;
// Lambda function capturing all variables by reference
auto lambda = [&]() {
// Access and modify variables from the outer scope
x = x + 10;
y = y * 2;
std::cout << "Inside lambda: x = " << x << ", y = " << y << std::endl;
};
// Call the function with the lambda as an argument
withWritableMemory(lambda);
// After the lambda is executed
std::cout << "After lambda: x = " << x << ", y = " << y << std::endl;
return 0;
}
/*
./lambda_capture_example
Entering withWritableMemory function
Setting up memory...
Inside lambda: x = 15, y = 6
Restoring memory protection...
Exiting withWritableMemory function
After lambda: x = 15, y = 6
*/
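Review bot: `withWritableMemory` takes a `std::function<void()>` but the file only includes `<iostream>`; `std::function` lives in `<functional>`, and whether `<iostream>` drags it in transitively is a libc++ implementation detail, so the sample may fail to compile on other toolchains. Add `#include <functional>` next to `#include <iostream>`. Taking the callable by `const std::function<void()>&` instead of by value would avoid a needless copy and more closely mirrors a callback wrapper, but that is optional for a demo. The comment block says the function "makes memory writable", yet the body only prints; a one-liner such as `// vm_protect/mprotect omitted on purpose - this only models dyld's withWritableMemory call shape` would keep readers from looking for the missing call.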


@@ -0,0 +1,26 @@
#include <stdbool.h>
#include <stdio.h>
int rosetta_dyld_is_translated(bool *is_translated);
// Pseudo implementation of SyscallDelegate::isTranslated
bool isTranslated() {
bool is_translated = false;
if (rosetta_dyld_is_translated(&is_translated) == 0) {
return is_translated;
}
return false;
}
// Mock implementation of rosetta_dyld_is_translated for demonstration purposes
// This function always sets is_translated to true using pointer - for the sake of the example
int rosetta_dyld_is_translated(bool *is_translated) {
*is_translated = true; // Simulated behavior: always set is_translated to true
return 0; // Return success
}
int main() {
bool translated = isTranslated();
printf("Is translated: %s\n", translated ? "true" : "false");
return 0;
}

1686
V. Dyld/python/CrimsonUroboros.py Executable file



@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
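Review bot: This entitlements file grants `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables`, which together switch off exactly the Hardened Runtime protections the README's `--has_lv` and `--injectable_dyld` checks look for, yet nothing in the file says it is a deliberately weakened test target. Add an XML comment at the top of the `<dict>`, e.g. `<!-- Test fixture: intentionally disables Library Validation and re-enables DYLD_* env vars so the binary is injectable. Never sign a shipping binary with these. -->`. Since the file name is not visible in this view, also confirm the plist is only referenced by the test/demo signing step and not by any packaged tool.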

Binary file not shown.



@@ -0,0 +1,7 @@
/System/Library/dyld/
/System/DriverKit/System/Library/dyld/
/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/
/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/dyld/
/System/Volumes/Preboot/Cryptexes/OS/System/DriverKit/System/Library/dyld/
/System/Cryptexes/OS/System/Library/dyld/
/System/Cryptexes/OS/System/DriverKit/System/Library/dyld/


@@ -0,0 +1,215 @@
void _initializeAppleMobileFileIntegrity(void)
{
bool bVar1;
int iVar2;
int iVar3;
undefined8 uVar4;
ulong uVar5;
long *plVar6;
long lVar7;
uint local_d4;
ulong local_d0;
undefined8 uStack_c8;
undefined8 uStack_c0;
undefined8 uStack_b8;
undefined8 local_b0;
undefined8 uStack_a8;
undefined8 uStack_a0;
undefined8 local_98;
undefined8 local_90;
undefined8 uStack_88;
undefined8 uStack_80;
undefined8 uStack_78;
undefined8 local_70;
undefined8 uStack_68;
undefined8 uStack_60;
undefined8 uStack_58;
undefined8 local_50;
undefined8 uStack_48;
undefined8 local_38;
local_38 = *(undefined8 *)PTR_DAT_fffffe0007e6ba68;
uVar4 = func_0xfffffe0008c3cf30();
func_0xfffffe00085a8e38();
uVar5 = func_0xfffffe0008bbcd34(0,uVar4,&_driverLock);
if ((uVar5 & 1) == 0) {
return;
}
_AMFILockGroup = func_0xfffffe00085a8478("AMFI",0);
initLibraryConstraints();
_overrideUnrestrictedDebugging = 0;
func_0xfffffe0008aa1474(&_sysctl__hw_features_allows_security_research);
_allows_security_research = 0;
uStack_48 = 0;
local_50 = 0;
uStack_68 = 0;
local_70 = 0;
uStack_58 = 0;
uStack_60 = 0;
uStack_88 = 0;
local_90 = 0;
uStack_78 = 0;
uStack_80 = 0;
uStack_a8 = 0;
local_b0 = 0;
local_98 = 0;
uStack_a0 = 0;
uStack_c8 = 0;
local_d0 = 0;
uStack_b8 = 0;
uStack_c0 = 0;
uVar4 = func_0xfffffe0009915f8c();
iVar2 = func_0xfffffe0009910330(uVar4,&local_d0);
if (iVar2 != 0) {
func_0xfffffe0008da4510("\"AMFI: No chip from IMG4? errno: %d\" @%s:%d");
return;
}
if ((uStack_a0._5_1_ != '\0') || ((int)local_98 == 1)) {
_allows_security_research = 1;
}
local_d4 = 0;
iVar2 = func_0xfffffe0008d70830("amfi_allow_research",&local_d4,4);
if ((iVar2 != 0) && (local_d4 != 0)) {
func_0xfffffe0008c3c908("AMFI: Allowing research due to amfi_allow_research boot arg");
_allows_security_research = 1;
}
local_d0 = local_d0 & 0xffffffff00000000;
iVar2 = func_0xfffffe0008a49ecc(8);
if (iVar2 == 0) {
local_d4 = 0;
func_0xfffffe0008d70830("amfi",&local_d4,4);
iVar2 = func_0xfffffe0008d70830("amfi_unrestrict_task_for_pid",&local_d0,4);
if (((iVar2 != 0) && ((int)local_d0 != 0)) || ((local_d4 & 1) != 0)) {
func_0xfffffe0008c3c908("%s: unrestricted task_for_pid enabled by boot-arg\n");
_overrideUnrestrictedDebugging = 1;
_BootedDevice = 1;
}
iVar2 = func_0xfffffe0008d70830("amfi_dev_mode_policy",&local_d0,4);
if ((iVar2 != 0) && ((int)local_d0 != 0)) {
func_0xfffffe0008c3c908("%s: developer mode internal policy disabled by boot-arg\n");
DAT_fffffe0007e74790 = 1;
}
iVar2 = func_0xfffffe0008d70830("amfi_allow_any_signature",&local_d0,4);
if (((iVar2 != 0) && ((int)local_d0 != 0)) || (((byte)local_d4 >> 1 & 1) != 0)) {
func_0xfffffe0008c3c908("%s: signature enforcement disabled by boot-arg\n");
/* WARNING: Read-only address (ram,0xfffffe0007e7478b) is written */
_DAT_fffffe0007e7478a = CONCAT11(DAT_fffffe0007e7478b,1);
}
iVar2 = func_0xfffffe0008d70830("amfi_get_out_of_my_way",&local_d0,4);
if (((iVar2 != 0) && ((int)local_d0 != 0)) || ((local_d4 >> 7 & 1) != 0)) {
func_0xfffffe0008c3c908("%s: signature enforcement disabled by boot-arg\n");
_DAT_fffffe0007e7478a = 0x101;
}
if ((local_d4 >> 2 & 1) != 0) {
func_0xfffffe0008c3c908
("%s: library validation will not mark external binaries as platform\n");
DAT_fffffe0007e7478f = 1;
}
iVar2 = func_0xfffffe0008d70830("amfi_unrestricted_local_signing",&local_d0,4);
if ((iVar2 != 0) && ((int)local_d0 != 0)) {
func_0xfffffe0008c3c908("%s: unrestricted AMFI local signing enabled by boot-arg\n");
DAT_fffffe0007e7478c = 1;
}
}
iVar2 = func_0xfffffe0008d70830("amfi_ready_to_roll",&local_d0,4);
if ((iVar2 != 0) && ((int)local_d0 != 0)) {
func_0xfffffe0008c3c908("%s: practice a key roll\n");
_readyToRoll = 1;
}
iVar2 = func_0xfffffe0008d70830("cs_enforcement_disable",&local_d0,4);
bVar1 = (int)local_d0 != 0;
if (iVar2 != 0 && bVar1) {
func_0xfffffe0008c3c908("%s: cs_enforcement disabled by boot-arg\n");
iVar3 = func_0xfffffe0008a49ecc(8);
if (iVar3 != 0) goto LAB_fffffe0009ac1ba8;
}
DAT_fffffe0007e7478e = iVar2 != 0 && bVar1;
InitializeDenylist();
_initializeCoreEntitlementsSupport(1);
precookExemptionProfile();
numJitHashCacheEntries = 0;
jitHashCache = 0;
jitHashCacheLock = func_0xfffffe0008c3cf30();
dyldSimCacheLock = func_0xfffffe0008c3cf30();
supplementalSigningInit();
_swiftPlaygroundsJIT = '\x01';
plVar6 = (long *)func_0xfffffe0008c45154("/",*(undefined8 *)PTR_DAT_fffffe0007e6bb00,0,0,0);
if (plVar6 == (long *)0x0) {
_initializeAppleMobileFileIntegrity();
LAB_fffffe0009ac1ba0:
_initializeAppleMobileFileIntegrity();
}
else {
uVar4 = (**(code **)(*plVar6 + 0x2d8))(plVar6,"model");
plVar6 = (long *)func_0xfffffe0008bbdca0(uVar4,*(undefined8 *)PTR_DAT_fffffe0007e6ba08);
if (plVar6 == (long *)0x0) goto LAB_fffffe0009ac1ba0;
uVar4 = (**(code **)(*plVar6 + 0x198))();
func_0xfffffe0008c3c908("AMFI: queried model name from device tree: %s\n");
lVar7 = func_0xfffffe00086ac444(uVar4,"iPhone",6);
if (lVar7 == 0) {
if (_swiftPlaygroundsJIT == '\0') goto LAB_fffffe0009ac17f4;
}
else {
func_0xfffffe0008c3c908("AMFI: disabling Swift Playgrounds JIT services on iPhone devices\n");
_swiftPlaygroundsJIT = '\0';
LAB_fffffe0009ac17f4:
func_0xfffffe0008ab4fe8(0x10000000);
func_0xfffffe0008ab4fe8(0x20000000);
}
_unrestrictedCDHashLock = func_0xfffffe0008c3cf30();
initTrustCacheAccess();
DAT_fffffe0007e747d0 = _cred_check_label_update_execve;
DAT_fffffe0007e747f8 = _cred_label_associate;
DAT_fffffe0007e74808 = _cred_label_destroy;
DAT_fffffe0007e74820 = _cred_label_init;
DAT_fffffe0007e74830 = _cred_label_update_execve;
DAT_fffffe0007e74b58 = _proc_check_inherit_ipc_ports;
DAT_fffffe0007e75120 = _vnode_check_signature;
DAT_fffffe0007e749a0 = _file_check_library_validation;
DAT_fffffe0007e74b40 = _policy_initbsd;
DAT_fffffe0007e74b48 = _policy_syscall;
DAT_fffffe0007e74ab8 = _task_id_token_get_task;
DAT_fffffe0007e747f0 = _cred_label_associate_kernel;
DAT_fffffe0007e748f8 = _proc_check_launch_constraints;
DAT_fffffe0007e74ba0 = amfi_exc_action_check_exception_send;
DAT_fffffe0007e74ba8 = amfi_exc_action_label_associate;
DAT_fffffe0007e74bb0 = amfi_exc_action_label_populate;
DAT_fffffe0007e74bb8 = amfi_exc_action_label_destroy;
DAT_fffffe0007e74bc0 = amfi_exc_action_label_init;
DAT_fffffe0007e74bc8 = amfi_exc_action_label_update;
DAT_fffffe0007e74d88 = macos_task_get_movable_control_port;
DAT_fffffe0007e75178 = hsp_proc_check_map_anon;
DAT_fffffe0007e74aa8 = macos_task_policy;
DAT_fffffe0007e74ab0 = macos_task_policy;
DAT_fffffe0007e74c88 = macos_task_control_policy;
DAT_fffffe0007e75138 = macos_proc_check_run_cs_invalid;
DAT_fffffe0007e75040 = hook_vnode_check_setextattr;
DAT_fffffe0007e74fc0 = hook_vnode_check_getextattr;
DAT_fffffe0007e748c0 = _file_check_mmap;
DAT_fffffe0007e751c0 = _vnode_notify_open;
DAT_fffffe0007e74cf8 = core_dump_policy;
DAT_fffffe0007e75158 = supplementalVnodeCheckSignature;
mac_policy = "AMFI";
DAT_fffffe0007e75220 = "Apple Mobile File Integrity";
DAT_fffffe0007e75228 = &_initializeAppleMobileFileIntegrity()::labelnamespaces;
DAT_fffffe0007e75230 = 1;
DAT_fffffe0007e75238 = &mac_ops;
DAT_fffffe0007e75240 = 0;
DAT_fffffe0007e75248 = &_amfi_mac_slot;
DAT_fffffe0007e75250 = 0;
iVar2 = func_0xfffffe0008d75b64(&mac_policy,&amfiPolicyHandle,0);
if (iVar2 == 0) {
configurationSettingsInit();
hardeningInit();
/* WARNING: Bad instruction - Truncating control flow here */
halt_baddata();
}
}
_initializeAppleMobileFileIntegrity();
LAB_fffffe0009ac1ba8:
_initializeAppleMobileFileIntegrity();
func_0xfffffe0008c3c908("%s\n");
func_0xfffffe0008da4510("\"Cannot unload AMFI - policy is not dynamic\\n\" @%s:%d");
return;
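Review bot: The listing is raw Ghidra output with hard-coded kernelcache addresses (`PTR_DAT_fffffe0007e6ba68`, `func_0xfffffe0008d70830`, `DAT_fffffe0007e7478a`, ...) that are only meaningful for one specific kernelcache build, and the file does not record which one. Add a header comment naming the macOS version / kernelcache build and the Ghidra version it was produced from, so the addresses can be re-derived when the cache changes. The apparent self-calls to `_initializeAppleMobileFileIntegrity()` at the `plVar6 == NULL` branch and before `LAB_fffffe0009ac1ba8`, together with the `halt_baddata()` after `hardeningInit()`, look like a noreturn/panic helper being mis-resolved by the decompiler rather than real recursion; a one-line note such as `/* decompiler artifact: the "recursive" calls and halt_baddata() are most likely mis-resolved panic/noreturn stubs */` would prevent readers from drawing the wrong conclusion about AMFI init. This file is reference material, so none of that changes behaviour.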
}


@@ -0,0 +1,41 @@
/* macos_dyld_policy_at_path(proc*, amfi_dyld_policy_state_t*) */
undefined8 macos_dyld_policy_at_path(proc *process,amfi_dyld_policy_state_t *policy_state)
{
int is_restricted_fp;
undefined8 allowAtPaths;
char *log_message;
uint flags;
if ((*(uint *)policy_state & 0x10800) == 0) {
is_restricted_fp = procIsDyldsRestricted(policy_state);
if (is_restricted_fp == 0) {
check_CS_FORCED_LV:
is_restricted_fp = procIsDyldsRestricted(policy_state);
if ((is_restricted_fp == 0) || (((byte)*policy_state >> 4 & 1) != 0))
goto set_allowAtPaths_to_1;
log_message = "process is not hardened, restricted and does not use Library Validation";
}
else {
flags = *(uint *)policy_state;
if ((flags >> 6 & 1) == 0) goto check_CS_FORCED_LV;
if ((flags >> 5 & 1) == 0) {
if ((flags >> 4 & 1) != 0) goto set_allowAtPaths_to_1;
log_message = "platform process is restricted and does not use Library Validation";
}
else {
log_message = "platform process is restricted and is not signed with Library Validation";
}
}
logDyldPolicyRejection(process,"relative path loading disallowed",log_message);
allowAtPaths = 0;
}
else {
set_allowAtPaths_to_1:
allowAtPaths = 1;
}
return allowAtPaths;
}


@@ -0,0 +1,123 @@
/* macos_dyld_policy_collect_state(proc*, unsigned long long, amfi_dyld_policy_state_t*) */
void macos_dyld_policy_collect_state
(proc *param_1,ulonglong param_2,amfi_dyld_policy_state_t *param_3)
{
code *UNRECOVERED_JUMPTABLE;
int iVar1;
uint uVar2;
undefined4 uVar3;
long lVar4;
uint uVar5;
ulong unaff_x30;
iVar1 = func_0xfffffe0008a49ecc(2);
*(uint *)param_3 = *(uint *)param_3 & 0xfffffffe | (uint)(iVar1 != 0);
uVar2 = func_0xfffffe0008a49850(param_1);
uVar5 = (uint)param_2;
*(uint *)param_3 = (uVar5 & 2 | uVar2 & 1) << 1 | *(uint *)param_3 & 0xfffffff9;
uVar2 = func_0xfffffe0008a8d2a0(param_1);
*(uint *)param_3 = *(uint *)param_3 & 0xfffffff0 | *(uint *)param_3 & 7 | (uVar2 & 1) << 3;
uVar2 = func_0xfffffe0008a474c8(param_1);
*(uint *)param_3 = *(uint *)param_3 & 0xffffffe0 | *(uint *)param_3 & 0xf | (uVar2 & 1) << 4;
uVar2 = func_0xfffffe0008a47520(param_1);
*(uint *)param_3 = *(uint *)param_3 & 0xffffffc0 | *(uint *)param_3 & 0x1f | (uVar2 & 1) << 5;
uVar2 = func_0xfffffe0008a47fb0(param_1);
*(uint *)param_3 = *(uint *)param_3 & 0xffffff80 | *(uint *)param_3 & 0x3f | (uVar2 & 1) << 6;
iVar1 = func_0xfffffe0008a4986c(param_1);
if (iVar1 == 0) {
uVar2 = 0;
}
else {
iVar1 = macOSPolicyConfig::hardeningEnabled();
uVar2 = 0x80;
if (iVar1 == 0) {
uVar2 = 0;
}
}
*(uint *)param_3 = *(uint *)param_3 & 0xffffff7f | uVar2;
iVar1 = proc_has_entitlement(param_1,"com.apple.security.cs.allow-relative-library-loads");
uVar2 = 0x100;
if (iVar1 == 0) {
uVar2 = 0;
}
*(uint *)param_3 = *(uint *)param_3 & 0xfffffeff | uVar2;
iVar1 = proc_has_entitlement(param_1,"com.apple.security.cs.allow-dyld-environment-variables");
uVar2 = 0x200;
if (iVar1 == 0) {
uVar2 = 0;
}
*(uint *)param_3 = *(uint *)param_3 & 0xfffffdff | uVar2;
iVar1 = proc_has_get_task_allow(param_1);
uVar2 = 0x400;
if (iVar1 == 0) {
uVar2 = 0;
}
*(uint *)param_3 = uVar2 | (uVar5 & 1) << 0xb | *(uint *)param_3 & 0xfffff3ff;
iVar1 = func_0xfffffe0008a49ecc(0x10);
*(uint *)param_3 = (uVar5 & 4) << 0xb | (uint)(iVar1 == 0) << 0xc | *(uint *)param_3 & 0xffffcfff;
iVar1 = proc_has_entitlement(param_1,"com.apple.security.app-sandbox");
uVar2 = 0x4000;
if (iVar1 == 0) {
uVar2 = 0;
}
*(uint *)param_3 = *(uint *)param_3 & 0xffffbfff | uVar2;
lVar4 = func_0xfffffe0008a478e4(param_1);
if (lVar4 == 0) {
uVar2 = 0;
}
else {
iVar1 = func_0xfffffe0008a47a28();
uVar2 = (uint)(iVar1 == 6) << 0xf;
}
*(uint *)param_3 = *(uint *)param_3 & 0xffff7fff | uVar2;
iVar1 = func_0xfffffe0008a84714(param_1);
*(uint *)param_3 =
*(uint *)param_3 & 0xfffc0000 | *(uint *)param_3 & 0xffff | (uint)(iVar1 == 2) << 0x10;
uVar2 = func_0xfffffe0008a473e4(param_1);
*(uint *)param_3 =
*(uint *)param_3 & 0xfff80000 | *(uint *)param_3 & 0x3ffff | (uVar2 & 1) << 0x12;
iVar1 = func_0xfffffe0008a49ecc(4);
*(uint *)param_3 =
*(uint *)param_3 & 0xfff00000 | *(uint *)param_3 & 0x7ffff | (uint)(iVar1 == 0) << 0x13;
lVar4 = func_0xfffffe0008a478e4(param_1);
if (lVar4 == 0) {
uVar2 = *(uint *)param_3 & 0xffefffff;
*(uint *)param_3 = uVar2;
uVar3 = 0;
}
else {
*(uint *)param_3 = *(uint *)param_3 | 0x100000;
uVar3 = func_0xfffffe0008a47ac8();
uVar2 = *(uint *)param_3;
}
*(undefined4 *)(param_3 + 4) = uVar3;
if ((uVar2 >> 0xc & 1) != 0) {
iVar1 = proc_has_entitlement(param_1,"com.apple.security.amfi.test.mac-app-store-test");
if (iVar1 != 0) {
func_0xfffffe0008c3c908
(
"dyldPolicy: AppleInternal and com.apple.security.amfi.test.mac_app_store_test, masq uerading as app store\n"
);
*(uint *)param_3 = *(uint *)param_3 | 0x8000;
}
if (_BootedDevice != '\0') {
*(uint *)param_3 = *(uint *)param_3 | 0x80000;
}
}
if (((unaff_x30 ^ unaff_x30 << 1) >> 0x3e & 1) == 0) {
logDyldPolicyData(param_1,param_2,param_3);
return;
}
/* WARNING: Treating indirect jump as call */
UNRECOVERED_JUMPTABLE = (code *)SoftwareBreakpoint(0xc471,0xfffffe0009aca2c0);
(*UNRECOVERED_JUMPTABLE)();
return;
}
/*
logDyldPolicyData():
"dyldPolicy: (%d) (%s) in(%08llx) sip(%d) cs_restrict(%d) restrict_segment(%d) setugid (%d) lv(%d) forced_lv(%d) platform(%d) hardened(%d) arl(%d) aev(%d) gta(%d) sim(%d) ai (%d) fp(%d) request_sandbox(%d) is_mac_app_store(%d) is_ios_app(%d) unrestrict_task_for_pid(%d)\n");
*/


@@ -0,0 +1,143 @@
ulong _verify_code_directory
(undefined8 param_1,undefined8 param_2,undefined8 param_3,undefined4 param_4,
undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 *param_8,
undefined4 *param_9,undefined4 *param_10,undefined4 *param_11,undefined4 *param_12,
undefined4 *param_13_00,undefined4 *param_13,undefined8 param_15_00,
undefined8 *param_14,undefined8 *param_17,undefined4 *param_15,undefined8 *param_19)
{
ulong uVar1;
ulong uVar2;
ulong uVar3;
uint uVar4;
undefined8 uVar5;
undefined8 uVar6;
undefined8 uVar7;
undefined auVar8 [16];
int local_1128 [2];
long local_1120;
undefined local_1118 [8];
undefined local_1110 [8];
int local_1108;
undefined4 uStack_1104;
uint local_1100;
undefined4 uStack_10fc;
undefined8 local_10f8;
undefined4 auStack_10f0 [7];
undefined4 local_10d4;
uint local_10cc;
undefined8 auStack_10c8 [2];
int aiStack_10b8 [1044];
long local_68;
auVar8 = (*DAT_fffffe0007e6bb38)();
local_68 = *(long *)PTR_DAT_fffffe0007e6ba68;
func_0xfffffe0008538b60(local_1128,0x10bc);
local_1108 = (int)*(undefined8 *)PTR_DAT_fffffe0007e6b9d8;
uStack_1104 = (undefined4)((ulong)*(undefined8 *)PTR_DAT_fffffe0007e6b9d8 >> 0x20);
if (DAT_fffffe0007e6bb40 == 0) {
uStack_10fc = func_0xfffffe0008599ccc(&local_10f8,auVar8._8_8_,0x400);
}
else {
uStack_10fc = func_0xfffffe0008599d30(&local_10f8,auVar8._8_8_,0x400);
}
local_1100 = 0;
uVar4 = uStack_10fc + 3U & 0xfffffffc;
uVar2 = (ulong)uVar4;
*(undefined8 *)((long)&local_10f8 + uVar2) = param_3;
*(undefined4 *)((long)auStack_10f0 + uVar2) = param_4;
*(undefined4 *)((long)auStack_10f0 + uVar2 + 4) = param_5;
*(undefined4 *)((long)auStack_10f0 + uVar2 + 8) = param_6;
*(undefined4 *)((long)auStack_10f0 + uVar2 + 0xc) = param_7;
local_1118 = (undefined [8])func_0xfffffe0008599cb0();
local_1128[0] = 0x1513;
local_1110 = (undefined [8])0x3e800000000;
local_1120 = auVar8._0_8_;
uVar2 = func_0xfffffe0008599758(local_1128,uVar4 + 0x48,0x10bc);
uVar4 = (int)uVar2 + 0xeffffffe;
if ((uVar4 < 0xf) && ((1 << (ulong)(uVar4 & 0x1f) & 0x4003U) != 0)) {
func_0xfffffe0008599cc4(local_1118);
goto LAB_fffffe0009acbbc8;
}
if ((int)uVar2 != 0) {
func_0xfffffe0008599cbc(local_1118);
goto LAB_fffffe0009acbbc8;
}
if (local_1110._4_4_ == 0x47) {
uVar2 = 0xfffffecc;
}
else if (local_1110._4_4_ == 0x44c) {
if (local_1128[0] < 0) {
uVar2 = 0xfffffed4;
if ((((local_1108 == 1) && (0x77 < (uint)local_1128[1])) && ((uint)local_1128[1] < 0x1079)) &&
(local_1120 == 0)) {
if ((uStack_10fc._3_1_ == '\x01') && (local_10cc < 0x1001)) {
uVar2 = 0xfffffed4;
if ((local_1128[1] - 0x78U < local_10cc) ||
(uVar4 = local_10cc + 3 & 0xfffffffc, local_1128[1] != uVar4 + 0x78))
goto LAB_fffffe0009acbbc0;
uVar1 = (ulong)uVar4;
if ((int)local_10f8 == *(int *)((long)aiStack_10b8 + uVar1 + 4)) {
uVar3 = (ulong)(uint)local_1128[1] + 3 & 0x1fffffffc;
if ((*(int *)((long)local_1128 + uVar3) == 0) &&
(0x1f < *(uint *)((long)local_1128 + uVar3 + 4))) {
*param_8 = auStack_10f0[1];
*param_9 = auStack_10f0[2];
*param_10 = auStack_10f0[3];
*param_11 = auStack_10f0[4];
*param_12 = auStack_10f0[5];
*param_13_00 = auStack_10f0[6];
*param_13 = local_10d4;
func_0xfffffe0008599ccc(param_15_00,auStack_10c8,0x1000);
uVar2 = 0;
uVar6 = *(undefined8 *)((long)auStack_10c8 + uVar1 + 8);
uVar5 = *(undefined8 *)((long)auStack_10c8 + uVar1);
*(undefined4 *)(param_14 + 2) = *(undefined4 *)((long)aiStack_10b8 + uVar1);
param_14[1] = uVar6;
*param_14 = uVar5;
*param_17 = CONCAT44(local_1100,uStack_1104);
*param_15 = *(undefined4 *)((long)aiStack_10b8 + uVar1 + 4);
uVar6 = *(undefined8 *)((long)&uStack_10fc + uVar3);
uVar5 = *(undefined8 *)((long)&uStack_1104 + uVar3);
uVar7 = *(undefined8 *)(local_1118 + uVar3 + 4);
param_19[1] = *(undefined8 *)(local_1110 + uVar3 + 4);
*param_19 = uVar7;
param_19[3] = uVar6;
param_19[2] = uVar5;
}
else {
uVar2 = 0xfffffecb;
}
goto LAB_fffffe0009acbbc8;
}
}
LAB_fffffe0009acbbbc:
uVar2 = 0xfffffed4;
}
}
else {
if (local_1128[1] != 0x2c) goto LAB_fffffe0009acbbbc;
uVar2 = 0xfffffed4;
if (local_1100 != 0) {
uVar4 = local_1100;
if (local_1120 != 0) {
uVar4 = 0xfffffed4;
}
uVar2 = (ulong)uVar4;
}
}
}
else {
uVar2 = 0xfffffed3;
}
LAB_fffffe0009acbbc0:
func_0xfffffe0008599b4c(local_1128);
LAB_fffffe0009acbbc8:
if (*(long *)PTR_DAT_fffffe0007e6ba68 == local_68) {
return uVar2;
}
uVar2 = func_0xfffffe000854c1ec();
return uVar2;
}



@@ -0,0 +1,6 @@
CFBundleIdentifier com.apple.driver.AppleMobileFileIntegrity
IOClass AppleMobileFileIntegrity
IOMatchCategory AppleMobileFileIntegrity
IOProviderClass IOResources
IOResourceMatch IOBSD
IOUserClientClass AppleMobileFileIntegrityUserClient


@@ -0,0 +1,134 @@
// Initialization function for Apple's Mobile File Integrity (AMFI) system
initializeAppleMobileFileIntegrity() {
// Allocating and locking mutex for thread safety
lock = IOLockAlloc();
lck_mtx_lock(lock);
// Checking if driver lock is not already set
if (OSCompareAndSwapPtr(0, lock, &driverLock))
// Initializing AMFI lock group
AMFILockGroup = lck_grp_alloc_init("AMFI", 0);
// Initializing library constraints
initLibraryConstraints();
// Registering system control variable
sysctl_register_oid(&sysctl__hw_features_allows_security_research);
// Selecting personalized chip(pointer to img4_chip_t)
chip = img4_chip_select_personalized_ap();
// Instantiating chip and checking for errors
chip_error = img4_chip_instantiate(chip);
if (chip_error)
panic("AMFI: No chip from IMG4? errno" + chip_error);
// Checking chip properties to enable security research (Apple Security Research Device Program - https://security.apple.com/research-device/?)
if (allow_security_reserach(chip))
allows_security_research = 1;
// Checking for boot-arg, e.g.:
// sudo nvram boot-args="amfi_get_out_of_my_way=1"
if (PE_parse_boot_argn("amfi_allow_research"))
IOLog("AMFI: Allowing research due to amfi_allow_research boot-arg");
allows_security_research = 1;
// Without this boor-arg, the entitlements get-task-allow and task_for_pid-allow are required to use task_for_pid if binary is signed
if (PE_parse_boot_argn("amfi_unrestrict_task_for_pid"))
IOLog("unrestricted task_for_pid enabled by boot-arg");
unrestricted_debugging = 1;
boot_device = 1;
if (PE_parse_boot_argn("amfi_dev_mode_policy"))
IOLog("developer mode internal policy disabled by boot-arg");
dev_mode = 1
if (PE_parse_boot_argn("amfi_allow_any_signature" | "amfi_get_out_of_my_way"))
IOLog("signature enforcement disabled by boot-arg");
IOLog("library validation will not mark external binaries as platform"); // NOT SURE
if (PE_parse_boot_argn("amfi_unrestricted_local_signing"))
IOLog("unrestricted AMFI local signing enabled by boot-arg");
if (PE_parse_boot_argn("amfi_ready_to_roll"))
IOLog("practice a key roll");
readyToRoll = true;
// Disabling code signing enforcement based on the boot-arg
if (PE_parse_boot_argn("cs_enforcement_disable"))
IOLog("cs_enforcement disabled by boot-arg")
// Finalizing initialization
InitializeDenylist();
_initializeCoreEntitlementsSupport(1); // Initialize support for entitlements and AMFI trust cache interface
// Initialize UDID enforcement the exemption profile (define components allowed to execute despite AMFI
precookExemptionProfile();
jitHashCacheLock = IOLockAlloc()
dyldSimCacheLock = IOLockAlloc()
supplementalSigningInit(); // Another lock
// Access device tree to get model name
model_name = IORegistryEntry::fromPath("/")
model_name = OSMetaClassBase::safeMetaCast(OSData::gMetaClass)
IOLog("AMFI: queried model name from device tree:" + model_name);
// Check if the model is iPhone
// If true disable Swift Playgrounds JIT services && some CS features
if (model_name == 'iPhone')
IOLog("AMFI: disabling Swift Playgrounds JIT services on iPhone devices");
_swiftPlaygroundsJIT == 0
disable_code_signing_feature(0x10000000);
disable_code_signing_feature(0x20000000);
// For not iPhones - initialize function pointers to AMFI handlers for various security checks
if (_swiftPlaygroundsJIT)
pointers_list = {
_cred_check_label_update_execve
_cred_label_associate
_cred_label_destroy
_cred_label_init
_cred_label_update_execve
_proc_check_inherit_ipc_ports
_vnode_check_signature // Code Signature validation handler
_file_check_library_validation // Library validation handler
_policy_initbsd
_policy_syscall // MAC policy-multiplexed system call (mpo_policy_syscall_t) handler
_task_id_token_get_task
_cred_label_associate_kernel
_proc_check_launch_constraints // Check launch constraints for a process
amfi_exc_action_check_exception_send
amfi_exc_action_label_associate
amfi_exc_action_label_populate
amfi_exc_action_label_destroy
amfi_exc_action_label_init
amfi_exc_action_label_update
macos_task_get_movable_control_port
hsp_proc_check_map_anon
macos_task_policy
macos_task_control_policy
macos_proc_check_run_cs_invalid
hook_vnode_check_setextattr
hook_vnode_check_getextattr
_file_check_mmap
_vnode_notify_open
core_dump_policy
}
// Register MAC policy
mac_policy_register("AMFI", amfiPolicyHandle, 0)
// Set security policies and constraints for AMFI
configurationSettingsInit();
// Initialize a lock for exception list
hardeningInit()
// Unlocking driver lock
lck_mtx_unlock(driverLock);
// Unlocking mutex and freeing memory
lck_mtx_unlock(lock);
IOLockFree(lock);
lck_mtx_lock(driverLock);
}
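Review bot: The unbraced boot-arg checks after `sysctl_register_oid` make `allows_security_research = 1`, `unrestricted_debugging = 1`, `boot_device = 1`, `dev_mode = 1` and `readyToRoll = true` read as unconditional, because in C-style pseudocode only the `IOLog` line belongs to each `if`; brace every block so the security-relevant assignment is visibly gated on its boot-arg, e.g. `if (PE_parse_boot_argn("amfi_unrestrict_task_for_pid")) { IOLog("unrestricted task_for_pid enabled by boot-arg"); unrestricted_debugging = 1; }`. The decompiled registration call elsewhere in this diff (`func_0xfffffe0008d75b64(&mac_policy,&amfiPolicyHandle,0)`) only runs `configurationSettingsInit()` and `hardeningInit()` when it returns 0, so the unconditional calls after `mac_policy_register("AMFI", amfiPolicyHandle, 0)` should become `if (mac_policy_register("AMFI", &amfiPolicyHandle, 0) == 0) { configurationSettingsInit(); hardeningInit(); }`. The `_swiftPlaygroundsJIT == 0` (a comparison, not an assignment) followed by `if (_swiftPlaygroundsJIT)` also reads as if the whole MAC hook table is installed only on non-iPhone devices, which the decompiled hook assignments in this diff give no sign of; I would drop that guard or mark it `// NOT SURE` like the other unverified lines.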


@@ -0,0 +1,41 @@
// Set amfiFlags->allowEnvVarsPrint (AMFI_DYLD_OUTPUT_ALLOW_PRINT_VARS)
// RPL == Relative Path Loading
// HR == Hardening Runtime
// LV == Library Validation
// RP == Restricted Process
// RPP == Restricted Platform Process
macos_dyld_policy_at_path(proc *process, amfi_dyld_policy_state_t *policy_state) {
uint flags = policy_state->flags;
// Check if process is not restricted (CS_RUNTIME == 0x10000 and CS_RESTRICT == 0x800):
if ((flags & 0x10800) == 0) {
// Check if the process is not forcibly restricted
int is_restricted = procIsDyldsRestricted(policy_state);
if (is_restricted == 0) {
// Check if the process does not use Library Validation (CS_FORCED_LV == 0x10):
if ((flags & 0x10) == 0) {
log("RPL: 0, HR: 0, RP: 0, LV: 0");
}
} else {
// Check if 0x40 == CS_EXECSEG_JIT is used ?? (not sure about it)
if ((flags & 0x40) != 0) {
// Check if (macOS Only) Page invalidation allowed by task port policy (CS_INVALID_ALLOWED == 0x20) is not used
if ((flags & 0x20) == 0) {
// Check if process does not use Library Validation
if ((flags & 0x10) == 0) {
log("RPL: 0, PPR: 1, LV: 0");
}
} else {
log("RPL: 0, PPR: 1, LV: 0");
}
}
}
allowAtPaths == 0;
}
allowAtPaths == 1;
}
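Review bot: The masks in this function are annotated as `cs_flags` values (`CS_RUNTIME`, `CS_RESTRICT`, `CS_FORCED_LV`, `CS_EXECSEG_JIT`, `CS_INVALID_ALLOWED`), but `policy_state->flags` is the `amfi_dyld_policy_state_t` word that `macos_dyld_policy_collect_state` builds bit by bit in this same diff: bit 4 is the field logged as `lv`, bit 5 `forced_lv`, bit 6 `platform` (the decompiled rejection strings say "platform process" for the 0x40 branch), bit 11 is `param_2 & 1` (`sim` by the log-format order) and bit 16 is presumably `is_ios_app`, so `0x10800` is an early allow for sim/iOS-app processes, not a restriction check. The branch logic also disagrees with the decompiled `macos_dyld_policy_at_path` in this diff: an unrestricted process is allowed rather than rejected for lacking LV, a restricted non-platform process is allowed only when bit 4 is set, and the two platform-process messages are distinct. Finally `allowAtPaths == 0;` and `allowAtPaths == 1;` are comparisons and the function returns nothing, so the allow/deny result is never expressed. A rewrite that follows the decompilation:
```c
macos_dyld_policy_at_path(proc *process, amfi_dyld_policy_state_t *policy_state) {
    uint flags = policy_state->flags;   // bits assigned in macos_dyld_policy_collect_state, not cs_flags
    // bit 11 (param_2 & 1, logged as sim) or bit 16 (logged as is_ios_app): always allow
    if ((flags & 0x10800) != 0)
        return 1;
    // not restricted: relative path loading allowed
    if (procIsDyldsRestricted(policy_state) == 0)
        return 1;
    char *log_message;
    if ((flags & 0x40) == 0) {              // restricted, non-platform (bit 6 clear)
        if ((flags & 0x10) != 0) return 1;  // bit 4 (lv) set
        log_message = "process is not hardened, restricted and does not use Library Validation";
    } else if ((flags & 0x20) == 0) {       // restricted platform, bit 5 (forced_lv) clear
        if ((flags & 0x10) != 0) return 1;
        log_message = "platform process is restricted and does not use Library Validation";
    } else {                                // restricted platform with forced_lv
        log_message = "platform process is restricted and is not signed with Library Validation";
    }
    logDyldPolicyRejection(process, "relative path loading disallowed", log_message);
    return 0;
}
```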


@@ -0,0 +1,77 @@
// Function to collect macOS dynamic linker (dyld) policy state
macos_dyld_policy_collect_state(calling_process, param_2, amfi_dyld_policy_state) {
// Get process name & PID
process_name = get_process_name(calling_process);
process_ID = get_process_ID(calling_process);
// Check if system integrity protection is enabled
SIP_enabled = check_system_integrity_protection();
// Check if CS_RESTRICT bit is ON
has_CS_RESTRICT = check_cs_restrict_flag(calling_process);
// Check if process has restrict segment
has_RESTRICT_segment = check_restricted_segment(calling_process);
// Check if setuid/setgid behavior is enabled
is_setUGid = check_setuid_setgid(calling_process);
// Check if library validation is enabled
has_LV = !has_entitlement(calling_process, "com.apple.security.cs.disable-library-validation");
// Check if forced library validation is enabled (required by Hardened System Policy)
has_CS_FORCED_LV = check_forced_library_validation(calling_process);
// Check if binary is inside trust cache (CS_PLATFORM_BINARY == 0x4000000 | CS_DYLD_PLATFORM == 0x2000000)
platform = is_platform_binary();
// Check if Hardened Runtime is enabled
has_HR = check_hardened_runtime(calling_process);
// Check entitlement for Allowing Relative Library loads
has_ARL = has_entitlement(calling_process, "com.apple.security.cs.allow-relative-library-loads");
// Check entitlement for allowing Dyld Environment Variables
has_AEV = has_entitlement(calling_process, "com.apple.security.cs.allow-dyld-environment-variables");
// Check entitlement for Getting Task Allow
has_GTA = has_entitlement(calling_process, "com.apple.security.get-task-allow");
// Check if the binary is built for simulator
is_SIM = is_built_for_sim(calling_process);
// Check if it is AppleInternal app
is_AI = check_internal_test_app(calling_process);
// Check if the application is masquerading mac App Store?
is_mac_app_store = has_entitlement(calling_process,"com.apple.security.amfi.test.mac-app-store-test") && is_AI;
// Not sure - checking Force Policy? (macOSPolicyConfig::forceDefaultDyldEnvVarsPolicy())
is_fp = is_policy_forced()
// Check if sandbox entitlement is present
request_sandbox = has_entitlement(calling_process, "com.apple.security.app-sandbox");
// Check if process is an iOS app:
is_ios_app = is_iOS_app(calling_process);
// Check if any of the below boot-args was used or process has GTA:
is_AMFI_disabled = has_nvram_boot_arg('PE_i_can_has_debugger',
'amfi_unrestrict_task_for_pid',
'amfi_allow_any_signature',
'amfi_get_out_of_my_way',
'cs_enforcement_disable',
'cs_debug')
unrestrict_task_for_pid = is_AMFI_disabled || has_GTA
// Set the collected state according to the above functions.
amfi_dyld_policy_state(process_name, process_ID, SIP_enabled, has_CS_RESTRICT, has_RESTRICT_segment, is_setUGid, \
has_LV, has_CS_FORCED_LV, platform, has_HR, has_ARL, has_AEV, has_GTA, is_SIM, is_AI, is_mac_app_store, is_fp, \
request_sandbox, is_ios_app, unrestrict_task_for_pid);
// Log collected data
log_dyld_policy_data(calling_process, param_2, amfi_dyld_policy_state);
}
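Review bot: Three of the fields come from the caller-supplied `param_2`, not from process queries, in the decompiled `macos_dyld_policy_collect_state` in this diff: bit 1 of `param_2` becomes `restrict_segment`, bit 0 becomes `sim` (shifted to 0x800) and bit 2 becomes the `fp` bit (shifted to 0x2000), so the three lines should read `has_RESTRICT_segment = (param_2 & 0x2) != 0;`, `is_SIM = (param_2 & 0x1) != 0;`, `is_fp = (param_2 & 0x4) != 0;` with a comment that `param_2` is a flag word passed in by the caller whose meaning is not visible here. `is_mac_app_store` is also wrong as written: the decompilation sets 0x8000 primarily when an opaque per-process lookup succeeds and a second helper returns 6, and only ORs in the `com.apple.security.amfi.test.mac-app-store-test` masquerade when the AppleInternal bit (0x1000) is already set, so the entitlement-only expression drops the real source. The `com.apple.security.cs.disable-library-validation` and `com.apple.security.get-task-allow` strings and the boot-arg list do not appear in the decompiled function (lv comes from an unnamed helper, gta from `proc_has_get_task_allow`, the final bits from `func_0xfffffe0008a49ecc(4)` and `_BootedDevice`), so those mappings should be marked as assumptions, e.g. `// assumed: helper not identified in the decompilation`, rather than stated as the implementation.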


@@ -0,0 +1,24 @@
-restore
BATS_TESTPLAN_ID
amfi
amfi_allow_3p_launch_constraints
amfi_allow_any_signature
amfi_allow_non_platform
amfi_allow_only_tc
amfi_allow_only_tc_override
amfi_allow_research
amfi_block_unsigned_code
amfi_dev_mode_policy
amfi_enforce_cc_types
amfi_enforce_launch_constraints
amfi_enforce_tcc_hardening
amfi_force_cs_kill
amfi_get_out_of_my_way
amfi_hsp_disable
amfi_hsp_logging
amfi_no_aot_tc
amfi_prevent_old_entitled_platform_binaries
amfi_ready_to_roll
amfi_unrestrict_task_for_pid
amfi_unrestricted_local_signing
cs_enforcement_disable


@@ -0,0 +1,11 @@
com.apple.iokit.CoreAnalyticsFamily
com.apple.kec.corecrypto
com.apple.kext.CoreTrust
com.apple.kpi.bsd
com.apple.kpi.dsep
com.apple.kpi.iokit
com.apple.kpi.libkern
com.apple.kpi.mach
com.apple.kpi.private
com.apple.kpi.unsupported
com.apple.security.AppleImage4


@@ -0,0 +1,30 @@
__ZN24AppleMobileFileIntegrity15copyEntitlementEP4procPKc
__ZN24AppleMobileFileIntegrity15copyEntitlementEP5ucredPKc
__ZN24AppleMobileFileIntegrity15getEntitlementsEP5ucred
__ZN24AppleMobileFileIntegrity16copyEntitlementsEP4proc
__ZN24AppleMobileFileIntegrity16copyEntitlementsEP5ucred
__ZN24AppleMobileFileIntegrity18copyEntitlementKeyEP4procP17__opaque_amfi_key
__ZN24AppleMobileFileIntegrity18copyEntitlementKeyEP5ucredP17__opaque_amfi_key
__ZN24AppleMobileFileIntegrity18isHardeningEnabledEv
__ZN24AppleMobileFileIntegrity19AMFIGetQueryContextEP4procPP14CEQueryContext
__ZN24AppleMobileFileIntegrity19AMFIGetQueryContextEP5ucredPP14CEQueryContext
__ZN24AppleMobileFileIntegrity21AMFIEntitlementGetKeyEPKc
__ZN24AppleMobileFileIntegrity21copySigningIdentifierEP5ucred
__ZN24AppleMobileFileIntegrity22AMFIEntitlementGetBoolEP4procPKcPb
__ZN24AppleMobileFileIntegrity22AMFIEntitlementGetBoolEP5ucredPKcPb
__ZN24AppleMobileFileIntegrity22AMFIEntitlementPresentEP4procPKcPb
__ZN24AppleMobileFileIntegrity22AMFIEntitlementPresentEP5ucredPKcPb
__ZN24AppleMobileFileIntegrity25AMFIEntitlementReleaseKeyEP17__opaque_amfi_key
__ZN24AppleMobileFileIntegrity26AMFIEntitlementGetConstKeyEPKc
__ZN24AppleMobileFileIntegrity27AMFIEntitlementKeyIsPresentEP4procP17__opaque_amfi_keyPb
__ZN24AppleMobileFileIntegrity27AMFIEntitlementKeyIsPresentEP5ucredP17__opaque_amfi_keyPb
__ZN24AppleMobileFileIntegrity28AMFIEntitlementKeyIsBoolTrueEP4procP17__opaque_amfi_keyPb
__ZN24AppleMobileFileIntegrity28AMFIEntitlementKeyIsBoolTrueEP5ucredP17__opaque_amfi_keyPb
__ZN24AppleMobileFileIntegrity29isCodeDirectoryHashInJitCacheEP4procPKh
__ZN24AppleMobileFileIntegrity9metaClassE
_amfi_register_mac_policy
_kmod_info
InitFunc_1
InitFunc_2
InitFunc_3
InitFunc_4


@@ -0,0 +1,652 @@
_Assert
_CTEvaluateAMFICodeSignatureCMS
_CTEvaluateAMFICodeSignatureCMSPubKey
_CTEvaluateProvisioningProfile
_IOCurrentTaskHasEntitlement
_IOFreeData
_IOFreeTypeImpl
_IOFreeTypeVarImpl
_IOLockAlloc
_IOLockFree
_IOLockLock
_IOLockUnlock
_IOLog
_IOLogv
_IOMallocData
_IOMallocTypeImpl
_IOMallocTypeVarImpl
_IOMallocZeroData
_IORWLockAlloc
_IORWLockRead
_IORWLockUnlock
_IORWLockWrite
_NDR_record
_OSCompareAndSwapPtr
_OSIncrementAtomic
_OSObject_typed_operator_delete
_OSObject_typed_operator_new
_PAGE_SHIFT_CONST
_PE_parse_boot_argn
_SecureDTGetProperty
_SecureDTLookupEntry
_VNOP_IOCTL
__Block_object_assign
__Block_object_dispose
__NSConcreteStackBlock
__Z16OSUnserializeXMLPKcmPP8OSString
__ZN11OSMetaClass21_RESERVEDOSMetaClass0Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass1Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass2Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass3Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass4Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass5Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass6Ev
__ZN11OSMetaClass21_RESERVEDOSMetaClass7Ev
__ZN11OSMetaClassC2EPKcPKS_j
__ZN11OSMetaClassC2EPKcPKS_jPP4zoneS1_19zone_create_flags_t
__ZN11OSMetaClassD2Ev
__ZN12IOUserClient10clientDiedEv
__ZN12IOUserClient10gMetaClassE
__ZN12IOUserClient10getServiceEv
__ZN12IOUserClient12initWithTaskEP4taskPvj
__ZN12IOUserClient13connectClientEPS_
__ZN12IOUserClient18clientHasPrivilegeEPvPKc
__ZN12IOUserClient19clientMemoryForTypeEjPjPP18IOMemoryDescriptor
__ZN12IOUserClient20exportObjectToClientEP4taskP8OSObjectPS3_
__ZN12IOUserClient22_RESERVEDIOUserClient0Ev
__ZN12IOUserClient22_RESERVEDIOUserClient1Ev
__ZN12IOUserClient22_RESERVEDIOUserClient2Ev
__ZN12IOUserClient22_RESERVEDIOUserClient3Ev
__ZN12IOUserClient22_RESERVEDIOUserClient4Ev
__ZN12IOUserClient22_RESERVEDIOUserClient5Ev
__ZN12IOUserClient22_RESERVEDIOUserClient6Ev
__ZN12IOUserClient22_RESERVEDIOUserClient7Ev
__ZN12IOUserClient22_RESERVEDIOUserClient8Ev
__ZN12IOUserClient22_RESERVEDIOUserClient9Ev
__ZN12IOUserClient23_RESERVEDIOUserClient10Ev
__ZN12IOUserClient23_RESERVEDIOUserClient11Ev
__ZN12IOUserClient23_RESERVEDIOUserClient12Ev
__ZN12IOUserClient23_RESERVEDIOUserClient13Ev
__ZN12IOUserClient23_RESERVEDIOUserClient14Ev
__ZN12IOUserClient23_RESERVEDIOUserClient15Ev
__ZN12IOUserClient23getExternalTrapForIndexEj
__ZN12IOUserClient24getNotificationSemaphoreEjPP9semaphore
__ZN12IOUserClient24getTargetAndTrapForIndexEPP9IOServicej
__ZN12IOUserClient24registerNotificationPortEP8ipc_portjj
__ZN12IOUserClient24registerNotificationPortEP8ipc_portjy
__ZN12IOUserClient25getExternalMethodForIndexEj
__ZN12IOUserClient26getTargetAndMethodForIndexEPP9IOServicej
__ZN12IOUserClient30getExternalAsyncMethodForIndexEj
__ZN12IOUserClient31getAsyncTargetAndMethodForIndexEPP9IOServicej
__ZN12IOUserClient4freeEv
__ZN12IOUserClient4initEP12OSDictionary
__ZN12IOUserClient4initEv
__ZN12IOUserClient8DispatchE5IORPC
__ZN12IOUserClientC2EPK11OSMetaClass
__ZN12IOUserClientD2Ev
__ZN12OSDictionary12withCapacityEj
__ZN12OSDictionary9metaClassE
__ZN12OSDictionary9setObjectEPKcRK11OSSharedPtrIK15OSMetaClassBaseE
__ZN12OSDictionary9setObjectERK11OSSharedPtrIK8OSSymbolERKS0_IK15OSMetaClassBaseE
__ZN15IORegistryEntry11detachAboveEPK15IORegistryPlane
__ZN15IORegistryEntry11setLocationEPK8OSSymbolPK15IORegistryPlane
__ZN15IORegistryEntry11setLocationEPKcPK15IORegistryPlane
__ZN15IORegistryEntry11setPropertyEPK8OSStringP8OSObject
__ZN15IORegistryEntry11setPropertyEPK8OSSymbolP8OSObject
__ZN15IORegistryEntry11setPropertyEPKcP8OSObject
__ZN15IORegistryEntry11setPropertyEPKcPvj
__ZN15IORegistryEntry11setPropertyEPKcS1_
__ZN15IORegistryEntry11setPropertyEPKcb
__ZN15IORegistryEntry11setPropertyEPKcyj
__ZN15IORegistryEntry13attachToChildEPS_PK15IORegistryPlane
__ZN15IORegistryEntry13childFromPathEPKcPK15IORegistryPlanePcPi
__ZN15IORegistryEntry13setPropertiesEP8OSObject
__ZN15IORegistryEntry14attachToParentEPS_PK15IORegistryPlane
__ZN15IORegistryEntry14removePropertyEPK8OSString
__ZN15IORegistryEntry14removePropertyEPK8OSSymbol
__ZN15IORegistryEntry14removePropertyEPKc
__ZN15IORegistryEntry15detachFromChildEPS_PK15IORegistryPlane
__ZN15IORegistryEntry16detachFromParentEPS_PK15IORegistryPlane
__ZN15IORegistryEntry16setPropertyTableEP12OSDictionary
__ZN15IORegistryEntry17runPropertyActionEPFiP8OSObjectPvS2_S2_S2_ES1_S2_S2_S2_S2_
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry0Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry1Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry2Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry3Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry4Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry5Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry6Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry7Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry8Ev
__ZN15IORegistryEntry25_RESERVEDIORegistryEntry9Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry10Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry11Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry12Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry13Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry14Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry15Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry16Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry17Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry18Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry19Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry20Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry21Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry22Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry23Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry24Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry25Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry26Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry27Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry28Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry29Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry30Ev
__ZN15IORegistryEntry26_RESERVEDIORegistryEntry31Ev
__ZN15IORegistryEntry7setNameEPK8OSSymbolPK15IORegistryPlane
__ZN15IORegistryEntry7setNameEPKcPK15IORegistryPlane
__ZN15IORegistryEntry8fromPathEPKcPK15IORegistryPlanePcPiPS_
__ZN15IORegistryEntry9detachAllEPK15IORegistryPlane
__ZN15OSMetaClassBase12safeMetaCastEPKS_PK11OSMetaClass
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase0Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase1Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase2Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase3Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase4Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase5Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase6Ev
__ZN15OSMetaClassBase25_RESERVEDOSMetaClassBase7Ev
__ZN15OSMetaClassBase8DispatchE5IORPC
__ZN16CoreAnalyticsHub22analyticsSendEventLazyEP8OSStringP8OSObject
__ZN16CoreAnalyticsHub9metaClassE
__ZN18IOMemoryDescriptor11withAddressEPvyj
__ZN20OSCollectionIterator14withCollectionEPK12OSCollection
__ZN6OSData9metaClassE
__ZN6OSData9withBytesEPKvj
__ZN7OSArray12withCapacityEj
__ZN7OSArray9metaClassE
__ZN7OSArray9setObjectERK11OSSharedPtrIK15OSMetaClassBaseE
__ZN8OSNumber10withNumberEyj
__ZN8OSNumber9metaClassE
__ZN8OSObject10gMetaClassE
__ZN8OSObject18_RESERVEDOSObject0Ev
__ZN8OSObject18_RESERVEDOSObject1Ev
__ZN8OSObject18_RESERVEDOSObject2Ev
__ZN8OSObject18_RESERVEDOSObject3Ev
__ZN8OSObject18_RESERVEDOSObject4Ev
__ZN8OSObject18_RESERVEDOSObject5Ev
__ZN8OSObject18_RESERVEDOSObject6Ev
__ZN8OSObject18_RESERVEDOSObject7Ev
__ZN8OSObject18_RESERVEDOSObject8Ev
__ZN8OSObject18_RESERVEDOSObject9Ev
__ZN8OSObject19_RESERVEDOSObject10Ev
__ZN8OSObject19_RESERVEDOSObject11Ev
__ZN8OSObject19_RESERVEDOSObject12Ev
__ZN8OSObject19_RESERVEDOSObject13Ev
__ZN8OSObject19_RESERVEDOSObject14Ev
__ZN8OSObject19_RESERVEDOSObject15Ev
__ZN8OSObject4initEv
__ZN8OSObject8DispatchE5IORPC
__ZN8OSObjectC2EPK11OSMetaClass
__ZN8OSObjectD2Ev
__ZN8OSObjectdlEPvm
__ZN8OSObjectnwEm
__ZN8OSString11withCStringEPKc
__ZN8OSString11withCStringEPKcm
__ZN8OSString17withCStringNoCopyEPKc
__ZN8OSString9metaClassE
__ZN8OSSymbol10withStringEPK8OSString
__ZN8OSSymbol11withCStringEPKc
__ZN8OSSymbol17withCStringNoCopyEPKc
__ZN8OSSymbol9metaClassE
__ZN9IODTNVRAM9metaClassE
__ZN9IOService10adjustBusyEi
__ZN9IOService10gMetaClassE
__ZN9IOService10handleOpenEPS_jPv
__ZN9IOService10joinPMtreeEPS_
__ZN9IOService11getPlatformEv
__ZN9IOService11handleCloseEPS_j
__ZN9IOService12didTerminateEPS_jPb
__ZN9IOService12getBusyStateEv
__ZN9IOService12getResourcesEv
__ZN9IOService12requestProbeEj
__ZN9IOService12tellChangeUpEm
__ZN9IOService12updateReportEP19IOReportChannelListjPvS2_
__ZN9IOService13addPowerChildEPS_
__ZN9IOService13askChangeDownEm
__ZN9IOService13matchLocationEPS_
__ZN9IOService13messageClientEjP8OSObjectPvm
__ZN9IOService13newUserClientEP4taskPvjP12OSDictionaryPP12IOUserClient
__ZN9IOService13newUserClientEP4taskPvjPP12IOUserClient
__ZN9IOService13setPowerStateEmPS_
__ZN9IOService13willTerminateEPS_j
__ZN9IOService14activityTickleEmm
__ZN9IOService14applyToClientsEPFvPS_PvES1_
__ZN9IOService14causeInterruptEi
__ZN9IOService14messageClientsEjPvm
__ZN9IOService14tellChangeDownEm
__ZN9IOService14waitForServiceEP12OSDictionaryP13mach_timespec
__ZN9IOService15comparePropertyEP12OSDictionaryPK8OSString
__ZN9IOService15comparePropertyEP12OSDictionaryPKc
__ZN9IOService15configureReportEP19IOReportChannelListjPvS2_
__ZN9IOService15enableInterruptEi
__ZN9IOService15errnoFromReturnEi
__ZN9IOService15getDeviceMemoryEv
__ZN9IOService15nextIdleTimeoutEyyj
__ZN9IOService15powerChangeDoneEm
__ZN9IOService15registerServiceEj
__ZN9IOService15serviceMatchingEPKcP12OSDictionary
__ZN9IOService15setDeviceMemoryEP7OSArray
__ZN9IOService15terminateClientEPS_j
__ZN9IOService16allowPowerChangeEm
__ZN9IOService16applyToProvidersEPFvPS_PvES1_
__ZN9IOService16disableInterruptEi
__ZN9IOService16getInterruptTypeEiPi
__ZN9IOService16registerInterestEPK8OSSymbolPFiPvS3_jPS_S3_mES3_S3_
__ZN9IOService16removePowerChildEP17IOPowerConnection
__ZN9IOService16requestTerminateEPS_j
__ZN9IOService16stringFromReturnEi
__ZN9IOService16tellNoChangeDownEm
__ZN9IOService17addNeededResourceEPKc
__ZN9IOService17applyToInterestedEPK8OSSymbolPFvP8OSObjectPvES5_
__ZN9IOService17cancelPowerChangeEm
__ZN9IOService17comparePropertiesEP12OSDictionaryP12OSCollection
__ZN9IOService17getAggressivenessEmPm
__ZN9IOService17registerInterruptEiP8OSObjectPFvS1_PvPS_iES2_
__ZN9IOService17setAggressivenessEmm
__ZN9IOService18lockForArbitrationEb
__ZN9IOService18matchPropertyTableEP12OSDictionary
__ZN9IOService18matchPropertyTableEP12OSDictionaryPi
__ZN9IOService18setIdleTimerPeriodEm
__ZN9IOService18systemWillShutdownEj
__ZN9IOService19_RESERVEDIOService0Ev
__ZN9IOService19_RESERVEDIOService1Ev
__ZN9IOService19_RESERVEDIOService2Ev
__ZN9IOService19_RESERVEDIOService3Ev
__ZN9IOService19_RESERVEDIOService4Ev
__ZN9IOService19_RESERVEDIOService5Ev
__ZN9IOService19_RESERVEDIOService6Ev
__ZN9IOService19_RESERVEDIOService7Ev
__ZN9IOService19_RESERVEDIOService8Ev
__ZN9IOService19_RESERVEDIOService9Ev
__ZN9IOService19registerPowerDriverEPS_P14IOPMPowerStatem
__ZN9IOService19unregisterInterruptEi
__ZN9IOService20_RESERVEDIOService10Ev
__ZN9IOService20_RESERVEDIOService11Ev
__ZN9IOService20_RESERVEDIOService12Ev
__ZN9IOService20_RESERVEDIOService13Ev
__ZN9IOService20_RESERVEDIOService14Ev
__ZN9IOService20_RESERVEDIOService15Ev
__ZN9IOService20_RESERVEDIOService16Ev
__ZN9IOService20_RESERVEDIOService17Ev
__ZN9IOService20_RESERVEDIOService18Ev
__ZN9IOService20_RESERVEDIOService19Ev
__ZN9IOService20_RESERVEDIOService20Ev
__ZN9IOService20_RESERVEDIOService21Ev
__ZN9IOService20_RESERVEDIOService22Ev
__ZN9IOService20_RESERVEDIOService23Ev
__ZN9IOService20_RESERVEDIOService24Ev
__ZN9IOService20_RESERVEDIOService25Ev
__ZN9IOService20_RESERVEDIOService26Ev
__ZN9IOService20_RESERVEDIOService27Ev
__ZN9IOService20_RESERVEDIOService28Ev
__ZN9IOService20_RESERVEDIOService29Ev
__ZN9IOService20_RESERVEDIOService30Ev
__ZN9IOService20_RESERVEDIOService31Ev
__ZN9IOService20_RESERVEDIOService32Ev
__ZN9IOService20_RESERVEDIOService33Ev
__ZN9IOService20_RESERVEDIOService34Ev
__ZN9IOService20_RESERVEDIOService35Ev
__ZN9IOService20_RESERVEDIOService36Ev
__ZN9IOService20_RESERVEDIOService37Ev
__ZN9IOService20_RESERVEDIOService38Ev
__ZN9IOService20_RESERVEDIOService39Ev
__ZN9IOService20_RESERVEDIOService40Ev
__ZN9IOService20_RESERVEDIOService41Ev
__ZN9IOService20_RESERVEDIOService42Ev
__ZN9IOService20_RESERVEDIOService43Ev
__ZN9IOService20_RESERVEDIOService44Ev
__ZN9IOService20_RESERVEDIOService45Ev
__ZN9IOService20_RESERVEDIOService46Ev
__ZN9IOService20_RESERVEDIOService47Ev
__ZN9IOService20callPlatformFunctionEPK8OSSymbolbPvS3_S3_S3_
__ZN9IOService20callPlatformFunctionEPKcbPvS2_S2_S2_
__ZN9IOService20getDeviceMemoryCountEv
__ZN9IOService20unlockForArbitrationEv
__ZN9IOService21powerStateDidChangeToEmmPS_
__ZN9IOService22copyClientWithCategoryEPK8OSSymbol
__ZN9IOService22powerStateWillChangeToEmmPS_
__ZN9IOService22waitForMatchingServiceEP12OSDictionaryy
__ZN9IOService23acknowledgeNotificationEPvj
__ZN9IOService23addMatchingNotificationEPK8OSSymbolP12OSDictionaryPFbPvS5_PS_P10IONotifierES5_S5_i
__ZN9IOService23requestPowerDomainStateEmP17IOPowerConnectionm
__ZN9IOService24getDeviceMemoryWithIndexEj
__ZN9IOService24mapDeviceMemoryWithIndexEjj
__ZN9IOService24powerStateForDomainStateEm
__ZN9IOService27maxCapabilityForDomainStateEm
__ZN9IOService31initialPowerStateForDomainStateEm
__ZN9IOService4freeEv
__ZN9IOService4initEP12OSDictionary
__ZN9IOService4initEP15IORegistryEntryPK15IORegistryPlane
__ZN9IOService4openEPS_jPv
__ZN9IOService4stopEPS_
__ZN9IOService5closeEPS_j
__ZN9IOService5probeEPS_Pi
__ZN9IOService6PMinitEv
__ZN9IOService6PMstopEv
__ZN9IOService6attachEPS_
__ZN9IOService6detachEPS_
__ZN9IOService7messageEjPS_Pv
__ZN9IOService8DispatchE5IORPC
__ZN9IOService8finalizeEj
__ZN9IOService9terminateEj
__ZN9IOServiceC2EPK11OSMetaClass
__ZN9IOServiceD2Ev
__ZN9OSBoolean11withBooleanEb
__ZN9OSBoolean9metaClassE
__ZNK11OSMetaClass12getClassNameEv
__ZNK11OSMetaClass12getMetaClassEv
__ZNK11OSMetaClass12taggedRetainEPKv
__ZNK11OSMetaClass13taggedReleaseEPKv
__ZNK11OSMetaClass13taggedReleaseEPKvi
__ZNK11OSMetaClass14getRetainCountEv
__ZNK11OSMetaClass19instanceConstructedEv
__ZNK11OSMetaClass6retainEv
__ZNK11OSMetaClass7releaseEi
__ZNK11OSMetaClass7releaseEv
__ZNK11OSMetaClass9serializeEP11OSSerialize
__ZNK15IORegistryEntry11compareNameEP8OSStringPS1_
__ZNK15IORegistryEntry11getLocationEPK15IORegistryPlane
__ZNK15IORegistryEntry11getPropertyEPK8OSString
__ZNK15IORegistryEntry11getPropertyEPK8OSStringPK15IORegistryPlanej
__ZNK15IORegistryEntry11getPropertyEPK8OSSymbol
__ZNK15IORegistryEntry11getPropertyEPK8OSSymbolPK15IORegistryPlanej
__ZNK15IORegistryEntry11getPropertyEPKc
__ZNK15IORegistryEntry11getPropertyEPKcPK15IORegistryPlanej
__ZNK15IORegistryEntry12compareNamesEP8OSObjectPP8OSString
__ZNK15IORegistryEntry12copyLocationEPK15IORegistryPlane
__ZNK15IORegistryEntry12copyPropertyEPK8OSString
__ZNK15IORegistryEntry12copyPropertyEPK8OSStringPK15IORegistryPlanej
__ZNK15IORegistryEntry12copyPropertyEPK8OSSymbol
__ZNK15IORegistryEntry12copyPropertyEPK8OSSymbolPK15IORegistryPlanej
__ZNK15IORegistryEntry12copyPropertyEPKc
__ZNK15IORegistryEntry12copyPropertyEPKcPK15IORegistryPlanej
__ZNK15IORegistryEntry13getChildEntryEPK15IORegistryPlane
__ZNK15IORegistryEntry14applyToParentsEPFvPS_PvES1_PK15IORegistryPlane
__ZNK15IORegistryEntry14copyChildEntryEPK15IORegistryPlane
__ZNK15IORegistryEntry14getParentEntryEPK15IORegistryPlane
__ZNK15IORegistryEntry15applyToChildrenEPFvPS_PvES1_PK15IORegistryPlane
__ZNK15IORegistryEntry15copyParentEntryEPK15IORegistryPlane
__ZNK15IORegistryEntry16getChildIteratorEPK15IORegistryPlane
__ZNK15IORegistryEntry16getPathComponentEPcPiPK15IORegistryPlane
__ZNK15IORegistryEntry17getParentIteratorEPK15IORegistryPlane
__ZNK15IORegistryEntry24dictionaryWithPropertiesEv
__ZNK15IORegistryEntry7getNameEPK15IORegistryPlane
__ZNK15IORegistryEntry7getPathEPcPiPK15IORegistryPlane
__ZNK15IORegistryEntry7inPlaneEPK15IORegistryPlane
__ZNK15IORegistryEntry7isChildEPS_PK15IORegistryPlaneb
__ZNK15IORegistryEntry8copyNameEPK15IORegistryPlane
__ZNK15IORegistryEntry8getDepthEPK15IORegistryPlane
__ZNK15IORegistryEntry8isParentEPS_PK15IORegistryPlaneb
__ZNK15OSMetaClassBase9isEqualToEPKS_
__ZNK8OSObject12taggedRetainEPKv
__ZNK8OSObject13taggedReleaseEPKv
__ZNK8OSObject13taggedReleaseEPKvi
__ZNK8OSObject14getRetainCountEv
__ZNK8OSObject6retainEv
__ZNK8OSObject7releaseEi
__ZNK8OSObject7releaseEv
__ZNK8OSObject9serializeEP11OSSerialize
__ZNK9IOService11getProviderEv
__ZNK9IOService11getWorkLoopEv
__ZNK9IOService12handleIsOpenEPKS_
__ZNK9IOService17getClientIteratorEv
__ZNK9IOService19getProviderIteratorEv
__ZNK9IOService19serializePropertiesEP11OSSerialize
__ZNK9IOService21getOpenClientIteratorEv
__ZNK9IOService23getOpenProviderIteratorEv
__ZNK9IOService6isOpenEPKS_
__ZNK9IOService8getStateEv
__ZNK9IOService9getClientEv
__ZTV12IOUserClient
__ZTV8OSObject
__ZTV9IOService
__ZdlPv
___cxa_pure_virtual
___memcpy_chk
___stack_chk_fail
___stack_chk_guard
___strlcpy_chk
__img4_chip_ap_software_ff00
__img4_chip_ap_software_ff01
__img4_chip_ap_software_ff06
__img4_chip_ap_supplemental
__img4_chip_cryptex1_asset
__img4_chip_cryptex1_boot_reduced
__img4_chip_cryptex1_generic
__img4_chip_cryptex1_generic_supplemental
__img4_nonce_domain_cryptex
__img4_nonce_domain_ddi
__img4_nonce_domain_ephemeral_cryptex
__img4_nonce_domain_pdi
__img4_nonce_domain_trust_cache
__os_log_default
__os_log_internal
_amfi_interface_register
_bcmp
_bzero
_ccder_blob_decode_len
_ccder_blob_decode_range
_ccder_blob_decode_sequence_tl
_ccder_blob_decode_tag
_ccder_blob_decode_tl
_ccder_decode_rsa_pub_n
_ccder_decode_tag
_ccder_decode_tl
_ccder_decode_uint64
_ccder_encode_tl
_ccder_sizeof_len
_ccder_sizeof_tag
_ccdigest
_ccdigest_init
_ccdigest_update
_ccec_cp_256
_ccec_import_pub
_ccec_verify
_ccrsa_import_pub
_ccrsa_verify_pkcs1v15
_ccsha1_di
_ccsha224_di
_ccsha256_di
_ccsha384_di
_ccsha512_di
_cczp_bitlen
_check_trust_cache_runtime_for_uuid
_code_signing_configuration
_copyin
_copyout
_copyoutstr
_cs_blob_reset_cache
_cs_debug
_cs_debug_fail_on_unsigned_code
_cs_debug_unsigned_exec_failures
_cs_debug_unsigned_mmap_failures
_cs_entitlement_flags
_cs_identity_get
_cs_process_enforcement
_cs_require_lv
_cs_restricted
_cs_system_require_lv
_cs_valid
_cs_vm_supports_4k_translations
_csblob_find_blob_bytes
_csblob_get_addr
_csblob_get_base_offset
_csblob_get_cdhash
_csblob_get_code_directory
_csblob_get_der_entitlements
_csblob_get_entitlements
_csblob_get_flags
_csblob_get_hashtype
_csblob_get_identity
_csblob_get_platform_binary
_csblob_get_signer_type
_csblob_get_size
_csblob_get_teamid
_csblob_get_validation_category
_csblob_os_entitlements_copy
_csblob_os_entitlements_get
_csblob_os_entitlements_set
_csblob_register_profile_uuid
_csblob_set_validation_category
_csfg_get_csblob
_csfg_get_supplement_cdhash
_csfg_get_supplement_csblob
_csfg_get_supplement_linkage_cdhash
_csfg_get_supplement_teamid
_csfg_get_teamid
_csm_resolve_os_entitlements_from_proc
_csproc_check_invalid_allowed
_csproc_disable_enforcement
_csproc_forced_lv
_csproc_get_blob
_csproc_get_platform_binary
_csproc_get_teamid
_csproc_hardened_runtime
_csproc_mark_invalid_allowed
_csr_check
_csvnode_get_blob
_csvnode_invalidate_flags
_current_proc
_developer_mode_state
_disable_code_signing_feature
_enable_developer_mode
_fg_get_vnode
_gIODTPlane
_gIOPublishNotification
_garbage_collect_provisioning_profiles
_get_local_signing_public_key
_host_get_special_port
_host_priv_self
_img4_chip_instantiate
_img4_chip_select_categorized_ap
_img4_chip_select_cryptex1_boot
_img4_chip_select_cryptex1_preboot
_img4_chip_select_personalized_ap
_img4_firmware_attach_manifest
_img4_firmware_destroy
_img4_firmware_execute
_img4_firmware_init
_img4_firmware_init_from_buff
_img4_image_get_bytes
_img4_nonce_domain_copy_nonce
_ipc_kernel_map
_kalloc_data
_kalloc_type_impl
_kalloc_type_var_impl
_kauth_cred_issuser
_kauth_cred_proc_ref
_kauth_cred_unref
_kern_os_zfree
_kernel_map
_kernproc
_kfree_data
_kfree_type_impl
_kfree_type_var_impl
_kmem_alloc_kobject
_kmem_free
_launch_constraint_data_get_launch_type
_lck_grp_alloc_init
_lck_rw_destroy
_lck_rw_init
_lck_rw_lock_exclusive
_lck_rw_lock_shared
_lck_rw_unlock_exclusive
_lck_rw_unlock_shared
_load_trust_cache
_load_trust_cache_with_type
_mac_file_getxattr
_mac_label_get
_mac_label_set
_mac_policy_register
_mac_vnop_getxattr
_mach_msg_destroy_from_kernel_proper
_mach_msg_rpc_from_kernel_proper
_match_compilation_service_cdhash
_memchr
_memcmp
_memcpy
_memmove
_memset
_memset_s
_mig_dealloc_reply_port
_mig_get_reply_port
_mig_put_reply_port
_mig_strncpy
external
_os_log_create
_panic
_printf
_proc_chrooted
_proc_find
_proc_find_ident
_proc_getexecutablevnode
_proc_is_translated
_proc_isinitproc
_proc_issetugid
_proc_name
_proc_pid
_proc_pidversion
_proc_platform
_proc_rele
_proc_self
_proc_selfpid
_proc_selfppid
_proc_suser
_ptrauth_utils_auth_blob_generic
_ptrauth_utils_sign_blob_generic
_query_trust_cache
_scnprintf
_set_compilation_service_cdhash
_set_local_signing_public_key
_snprintf
_strcmp
_strlen
_strncmp
_strnlen
_strnstr
_sysctl__hw_features_children
_sysctl__security_mac_children
_sysctl_handle_int
_sysctl_register_oid
_sysctlbyname
_thread_call_allocate_with_options
_thread_call_enter1
_thread_call_free
_unrestrict_local_signing_cdhash
_vfs_context_create
_vfs_context_proc
_vfs_context_rele
_vfs_context_ucred
_vfs_flags
_vm_allocate
_vm_deallocate
_vm_map_copyin
_vm_map_copyout
_vm_map_page_mask
_vm_map_unwire
_vm_map_wire
_vn_getpath
_vn_rdwr
_vnode_close
_vnode_getattr
_vnode_isdir
_vnode_isreg
_vnode_mount
_vnode_open
_vnode_put
_vsnprintf
_zalloc_flags
_zalloc_ro
_zalloc_ro_mut
_zfree_ro
_zone_create_ro
_zone_require_ro

2880
VI. AMFI/python/CrimsonUroboros.py Executable file



@@ -0,0 +1,81 @@
# The script is not mine. Here is the source: https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py
# This script attempts to identify mach_port_subsystem structures in the
# __DATA section of executables or kernels
#
# const struct mach_port_subsystem {
# mig_server_routine_t server; /* Server routine */
# mach_msg_id_t start; /* Min routine number */
# mach_msg_id_t end; /* Max routine number + 1 */
# unsigned int maxsize; /* Max msg size */
# vm_address_t reserved; /* Reserved */
# struct routine_descriptor routine[X]; /* Array of routine descriptors */
# }
#
# struct routine_descriptor {
# mig_impl_routine_t impl_routine; /* Server work func pointer */
# mig_stub_routine_t stub_routine; /* Unmarshalling func pointer */
# unsigned int argc; /* Number of argument words */
# unsigned int descr_count; /* Number complex descriptors */
# routine_arg_descriptor_t arg_descr; /* pointer to descriptor array*/
# unsigned int max_reply_msg; /* Max size for reply msg */
# };
#
# If it finds the mach_port_subsystem structure then it will label the structure as
# well as labelling each MIG msg stub function.
sections = [
('__DATA', '__const'),
('__CONST', '__constdata'),
('__DATA_CONST', '__const'),
]
doc = Document.getCurrentDocument()
for (segname, secname) in sections:
seg = doc.getSegmentByName(segname)
if seg is None:
continue
seclist = seg.getSectionsList()
for sec in seclist:
if sec.getName() != secname:
continue
# Loop through each item in the section
start = sec.getStartingAddress()
end = start + sec.getLength() - 0x28
for addr in range(start, end):
mach_port_subsystem_reserved = seg.readUInt64LE(addr + 0x18)
mach_port_subsystem_routine0_impl_routine = seg.readUInt64LE(addr + 0x20)
mach_port_subsystem_start = seg.readUInt32LE(addr + 0x8)
mach_port_subsystem_end = seg.readUInt32LE(addr + 0xc)
number_of_msgs = mach_port_subsystem_end - mach_port_subsystem_start
# Check if this looks like a mach_port_subsystem structure
if (mach_port_subsystem_reserved == 0 and
mach_port_subsystem_routine0_impl_routine == 0 and
mach_port_subsystem_start != 0 and
number_of_msgs > 0 and
number_of_msgs < 1024):
subsystem_name = "_MIG_subsystem_{0}".format(mach_port_subsystem_start)
doc.log("{0}: MIG Subsystem {1}: {2} messages".format(hex(addr), mach_port_subsystem_start, number_of_msgs))
seg.setNameAtAddress(addr, subsystem_name)
# Loop through the routine_descriptor structs
msg_num = 0
for routine_addr in range(addr + 0x20, addr+0x20+(number_of_msgs*0x28), 0x28):
stub_routine_addr = routine_addr + 0x8
stub_routine = seg.readUInt64LE(stub_routine_addr)
msg = mach_port_subsystem_start + msg_num
if stub_routine == 0:
doc.log("{0}: skip MIG msg {1}".format(hex(stub_routine_addr), msg))
else:
routine_name = "_MIG_msg_{0}".format(msg)
doc.log("{0}: MIG msg {1}".format(hex(stub_routine_addr), msg))
doc.setNameAtAddress(stub_routine, routine_name)
msg_num = msg_num + 1


@@ -0,0 +1,20 @@
import sys
flags = {
"AMFI_DYLD_OUTPUT_ALLOW_AT_PATH": 1,
"AMFI_DYLD_OUTPUT_ALLOW_PATH_VARS": 2,
"AMFI_DYLD_OUTPUT_ALLOW_CUSTOM_SHARED_CACHE": 4,
"AMFI_DYLD_OUTPUT_ALLOW_FALLBACK_PATHS": 8,
"AMFI_DYLD_OUTPUT_ALLOW_PRINT_VARS": 16,
"AMFI_DYLD_OUTPUT_ALLOW_FAILED_LIBRARY_INSERTION": 32,
"AMFI_DYLD_OUTPUT_ALLOW_LIBRARY_INTERPOSING": 64,
"AMFI_DYLD_OUTPUT_ALLOW_EMBEDDED_VARS": 128
}
def check_flags(value):
return [flag_name for flag_name, flag_value in flags.items() if value & flag_value]
input_value = int(sys.argv[1], 16)
set_flags = check_flags(input_value)
if set_flags:
print("Flags set:")
print(*set_flags, sep="\n")
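Review bot: `input_value = int(sys.argv[1], 16)` runs unguarded at module level, so invoking the script without an argument dies with an IndexError traceback and a non-hex argument with a ValueError traceback instead of a usage message; since the whole script is top-level code, a `len(sys.argv)` check and a `try/except ValueError` around the parse belong directly before it. The `if set_flags:` branch also prints nothing at all when no bit matches, which is indistinguishable from the script failing silently, so an `else: print("No flags set")` is worth adding. The eight `AMFI_DYLD_OUTPUT_ALLOW_*` bit values are hard-coded with no comment on where they were taken from; a one-line comment above `flags = {` naming the source (header file or version) would let a reader confirm them against their own system. The file's name is not visible in this section.

```python
# … unchanged: import, flags table and check_flags …
if len(sys.argv) != 2:
    sys.exit("usage: {} <hex-flags>".format(sys.argv[0]))
try:
    input_value = int(sys.argv[1], 16)
except ValueError:
    sys.exit("not a hexadecimal value: {!r}".format(sys.argv[1]))
set_flags = check_flags(input_value)
if set_flags:
    print("Flags set:")
    print(*set_flags, sep="\n")
else:
    print("No flags set")
```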


@@ -1,10 +1,7 @@
lief
uuid
argparse
subprocess
os
sys
asn1crypto
glob
shutil
pyimg4
pyimg4
treelib
xattr

1
tests/CrimsonUroboros.py Symbolic link

@@ -0,0 +1 @@
../VI. AMFI/python/CrimsonUroboros.py
