JJTech JJTech0130
@steven-michaud
steven-michaud / ThirdPartyKexts.md
Last active May 2, 2024 05:54
Running Third Party Kernel Extensions on Virtualization Framework macOS Guest VMs

Running Third Party Kernel Extensions on Virtualization Framework macOS Guest VMs

As of macOS 12 (Monterey), Apple's Virtualization framework has nice support for macOS guest virtual machines, but with severe limitations: For example you can't install a macOS guest on Intel Macs, install guests with newer versions of macOS than the host, copy and paste between the host and the guest, or install third party kernel extensions in the guest. As usual for Apple, the functionality they do support is nicely implemented, but they've left out so much that the result is only marginally useful -- at least compared to

@zhuowei
zhuowei / reachable_services.txt
Created February 21, 2023 06:26
Reachable Mach services from the app sandbox on iOS 16.1
PurpleSystemAppPort
PurpleSystemEventPort
UIASTNotificationCenter
com.apple.ABDatabaseDoctor
com.apple.AppSSO.service-xpc
com.apple.AuthenticationServicesCore.AuthenticationServicesAgent
com.apple.CARenderServer
com.apple.ClipServices.clipserviced
com.apple.CoreAuthentication.daemon
com.apple.DeviceAccess.xpc
@macshome
macshome / defang.md
Last active April 24, 2024 18:31
How to defang system protections on macOS

How to Defang macOS System Protections

If you want to change things on the root drive of a Mac, you will need to take some steps to disable the built-in security of the system. Most of these steps are the same regardless of whether you are on Intel or Apple Silicon. Where there is a difference, it is noted.

Note that all of these things put a Mac into an unsupported and less secure state.

Make sure you either perform these steps in a VM or that you reset the protections after you are done poking around.

Protections and Terms

(This list is not exhaustive on the details of each. Check the links at the end for more info.)

@saagarjha
saagarjha / binja_stripped_selector_stub_fixup.py
Last active October 22, 2023 17:33
Fix up objc_msgSend selector stubs in Binary Ninja
for function in filter(lambda f: f.name == "_objc_msgSend", bv.functions):
    selector = function.lowest_address + 4
    selector = list(bv.get_code_refs_from(selector))[0]
    selector = list(bv.get_data_refs(selector))[0]
    selector = list(bv.get_data_refs_from(selector))[0]
    selector = bv.get_data_var_at(selector).value
    # objc_msgSend itself, probably
    if not selector:
        continue
    selector = selector[:-1].decode()
@JJTech0130
JJTech0130 / unpin.js
Created September 5, 2022 13:09
Disable SSL pinning using Frida
// Disables SSL pinning by replacing functions with no-ops.
function unpin() {
    var SecTrustEvaluate_handle = Module.findExportByName('Security', 'SecTrustEvaluate');
    var SecTrustEvaluateWithError_handle = Module.findExportByName('Security', 'SecTrustEvaluateWithError');
    var SSL_CTX_set_custom_verify_handle = Module.findExportByName('libboringssl.dylib', 'SSL_CTX_set_custom_verify');
    var SSL_get_psk_identity_handle = Module.findExportByName('libboringssl.dylib', 'SSL_get_psk_identity');
    var boringssl_context_set_verify_mode_handle = Module.findExportByName('libboringssl.dylib', 'boringssl_context_set_verify_mode');
    if (SecTrustEvaluateWithError_handle) {
        var SecTrustEvaluateWithError = new NativeFunction(SecTrustEvaluateWithError_handle, 'int', ['pointer', 'pointer']);
@JJTech0130
JJTech0130 / UIApplication+VolumeButtons.swift
Created June 30, 2022 23:38
Extension for UIApplication that allows capturing Volume Button events in Swift
//
// UIApplication+VolumeButtons.swift
//
// Based on https://stackoverflow.com/a/70815088
//
import UIKit
// Stub protocol to allow us to call private methods
@objc private protocol UIApplicationPrivate {
@JJTech0130
JJTech0130 / dvmt-unlock.md
Last active May 12, 2022 17:32
Change DVMT pre-alloc. memory using RU.efi. Originally from Reddit.

WARNING: BIOS modding can be dangerous. You run the risk of bricking your device. I am not responsible for broken devices.

This tutorial was created for my HP Pavilion 15 laptop. I cannot confirm that this works on any other devices.


Finding variable

We need to find the offset, varstore, and possible values for the DVMT pre-alloc.

Extracting BIOS

import argparse, requests, urllib, os
from pyquery import PyQuery as pq

# CLI arguments
parser = argparse.ArgumentParser(description='OverDrive helper script')
parser.add_argument('--session',
                    help='manually set the session id (overrides \'OD_SESSION\' env)')
parser.add_argument('book',
@rbrick
rbrick / msa.go
Last active February 9, 2024 05:02
package main

import (
    "bytes"
    "context"
    "crypto/tls"
    "encoding/json"
    "fmt"
    "golang.org/x/oauth2"
    "golang.org/x/oauth2/microsoft"
@knightsc
knightsc / gist:758783181e41a986fceea6901b8853e3
Created August 20, 2020 13:48
AKNativeAnisetteService.m
//
// AKNativeAnisetteService.m
// akd
//
// Created by Scott Knight on 5/10/19.
// Copyright © 2019 Scott Knight. All rights reserved.
//
#import <AuthKit/AuthKit.h>
#import "AKNativeAnisetteService.h"