Skip to content

Instantly share code, notes, and snippets.

View Brandon7CC's full-sized avatar
🌉

Brandon Dalton Brandon7CC

🌉
37 followers · 26 following
View GitHub Profile
@Brandon7CC
Brandon7CC / x2p.c
Created April 10, 2024 23:53
Given an XPC service name return the program's path using the mach bootstrap port to talk to `launchd` over an XPC pipe.
//
// x2p.c
// MachXPC
//
// Created by Brandon Dalton on 04/09/2024.
//
#include <xpc/xpc.h>
#include <stdio.h>
#include <stdlib.h>
@Brandon7CC
Brandon7CC / lzfse_compress.swift
Created April 8, 2024 16:53
Compress a string with LZFSE
import Foundation
import Compression
import OSLog
// Compress JSON representation with the Apple recommended compression algo LZFSE
// https://developer.apple.com/documentation/compression/algorithm/lzfse
public func getCompressedJSON(from jsonString: String) -> Data {
var sourceBuffer = Array(jsonString.utf8)
let destinationBuffer = UnsafeMutablePointer<UInt8>.allocate(capacity: jsonString.count)
let algorithm = COMPRESSION_LZFSE
@Brandon7CC
Brandon7CC / SystemConfigurationHelpers.swift
Created April 8, 2024 04:07
What SIP flags are enabled / disabled on macOS using the csr_get_active_config and csr_check syscalls?
//
// csr_check.swift
// csr_check
//
// Created by Brandon Dalton on 01/11/24.
//
// Compile: `swiftc -import-objc-header SystemConfig-Bridging-Header.h csr_check.swift -o csr_check.o`
//
import Foundation
@Brandon7CC
Brandon7CC / FileMetadataHelpers.swift
Created April 6, 2024 04:40
Given a file path is this file quarantined? To do this we use `getxattr` and look for `com.apple.quarantine` which is applied by File Quarantine-aware applications.
//
// FileMetadataHelpers.swift
// FileMetadataHelpers
//
// Created by Brandon Dalton on 10/7/23.
//
import Foundation
/// Helper functions for working with file metadata.
@Brandon7CC
Brandon7CC / chrome_page_save.zsh
Created March 24, 2024 23:33
Google Chrome page save after JS
#!/bin/zsh
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--headless --incognito --dump-dom https://github.com > /tmp/github.html
@Brandon7CC
Brandon7CC / gcloud_install.sh
Created January 4, 2024 03:01
Install Google Cloud Command Line Interface (gcloud CLI)
#!/bin/sh
# Set up `gcloud` cli on macOS and Linux
# Check which OS we're on
if [[ "$OSTYPE" == "linux-gnu" ]]; then
OS="linux"
elif [[ "$OSTYPE" == "darwin"* ]]; then
OS="darwin"
else
echo "Unsupported OS: $OSTYPE"
@Brandon7CC
Brandon7CC / speak_ollama.sh
Created December 29, 2023 23:38
📣 Giving Ollama a voice with the macOS `say` command! NOTE: Change to Siri in `System Settings.app` for the best results.
function speak_ollama() {
if ! command -v ollama &> /dev/null; then
echo "Error: ollama is not installed."
return 1
fi
if [ "$#" -ne 2 ]; then
echo "Usage: speak_ollama <file_path> <model>"
return 1
fi
@Brandon7CC
Brandon7CC / enumerate_es_client_subscriptions.js
Created December 16, 2023 01:29
Enumerate Endpoint Security event subscription requests made by an arbitrary client (e.g. an EDR sensor's System Extension)
/*
Author: Brandon Dalton (Red Canary Threat Research)
Date: 2023-12-07
Summary: This script enumerates the event subscriptions requested by an arbitrary client
by hooking the `es_subscribe` function.
Target: Any arbitrary ES client like an EDR sensor's System Extension
Usage: `sudo frida -p $(TARGET_CLIENT) -l event_subscription_interceptor.js`
*/
@Brandon7CC
Brandon7CC / es_coreanalytics_event_subs.js
Last active February 14, 2024 02:13
Hook the CoreAnalytics sendEvent function call made by endpointsecurityd to uncover event subscriptions.
/*
Author: Brandon Dalton (Red Canary Threat Research)
Date: 2023-12-07
Summary: This script attempts to instrument the `sendEvent:event:` method of the ESCoreAnalytics class.
- Download this script
- Target: You're targeting `endpointsecurityd`, so grab its PID: `sudo launchctl list | grep endpointsecurityd`
- To run: `sudo frida -p $PID -l es_coreanalytics_event_subs.js`
*/
const eventTypeMapping = {