Snake & Apple

The code repository for the Snake&Apple article series, which documents my research about macOS security.

PATRONS

ARTICLES

THE LINKS BELOW PROVIDE FREE ACCESS TO MY MEDIUM ARTICLES — NO PAYWALL OR SUBSCRIPTION REQUIRED!

Each article directory contains three subdirectories:

• mac - source code of macOS for references and copy of presentations.
• custom - code, for example, programs written for articles.
• python - contains the latest CrimsonUroboros and other Python scripts created during research.

The short introduction is written in Snake&Apple Intro
The tags for each article are in the Article_tags.md.
The table of contents showing links to all articles is below:

• ☑ App Bundle Extension
  • ☑ Cracking macOS apps
  • ☑ Cracking Electron Integrity
  • ☑ XPC Programming on macOS
• ☑ I. Mach-O
  • ☑ Optimizing Mach-O Detection
• ☑ II. Code Signing
• ☑ III. Checksec
• ☑ IV. Dylibs
• ☑ V. Dyld
  • ☑ DYLD — Do You Like Death? (I)
  • ☑ DYLD — Do You Like Death? (II)
  • ☑ DYLD — Do You Like Death? (III)
  • ☑ DYLD — Do You Like Death? (IV)
  • ☑ DYLD — Do You Like Death? (V)
  • ☑ DYLD — Do You Like Death? (VI)
  • ☑ DYLD — Do You Like Death? (VII)
  • ☑ DYLD — Do You Like Death? (VIII)
  • ☑ DYLD — Do You Like Death? (IX)
  • ☑ DYLD — Do You Like Death? (X)
  • ☑ DYLD — Do You Like Death? (XI)
• ☑ VI. AMFI
  • ☑ Unexpected but expected behavior
• ☑ VII. Antivirus
  • ☑ Apple Gatekeeper Bypass
• ☑ VIII. Sandbox
  • ☑ SBPL Compilator
  • ☑ Sandbox Detector
  • ☑ Sandbox Validator
  • ☑ App Sandbox startup
  • ☑ System Intigrity Protection
• ☑ IX. TCC
  • ☑ Apple UUID Finder
• ☑ X. NU
  • ☑ Kernel Debugging Setup on MacOS
  • ☑ Fixing an Infinite Loop
  • ☑ Exceptions on macOS
  • ☑ MACF on macOS
  • ☑ Kernel Extensions on macOS
  • ☑ Mach IPC Security on macOS
    • ☑ Task Injection on macOS
  • ☑ Drivers on macOS
    • ☑ Case Study: Analyzing macOS IONVMeFamily NS_01 Driver Denial of Service Issue
  • ☑ SLAP & FLOP: Apple Silicon’s Data Speculation Vulnerabilities

CrimsonUroboros

The main tool created during the writing of the Snake & Apple series is called CrimsonUroboros.
Its description along with instructions for other tools from this repository are in Tools.md.

WHY UROBOROS?

I wrote the code for each article as a class, SnakeX, where X was the article number, to make it easier for the audience to follow.
Each Snake class is a child of the previous one and infinitely "eats itself" (inherits methods of the last class), like Uroboros.

INSTALLATION

pip3 install -r requirements.txt
wget https://github.com/CRKatri/trustcache/releases/download/v2.0/trustcache_macos_arm64 -O /usr/local/bin/trustcache
chmod +x /usr/local/bin/trustcache
xattr -d com.apple.quarantine /usr/local/bin/trustcache
brew install keith/formulae/dyld-shared-cache-extractor
brew install blacktop/tap/ipsw
brew install tree

LIMITATIONS

• Codesigning module(codesign wrapper) works only on macOS.
• --dylib_hijacking needs ipsw to be installed.
• --dylibtree needs the dyld-shared-cache-extractor to be installed.

ADDITIONAL LINKS

• Apple Open Source
• XNU
• dyld

CONTRIBUTE

In case of any questions or ideas for improvements, please open a new issue to discuss.
For any changes related to the tools codebase:

• Fork the repository.
• Create a dedicated branch for your changes.
• Make your modifications or additions.
• Open a pull request describing your changes.
• I will review and merge if everything looks good.