Skip to content

Instantly share code, notes, and snippets.

@Proteas
Proteas / diff-xnu-8020.140.20.0.4.md
Created May 20, 2022
diff xnu-8020.140.20.0.4~14
View diff-xnu-8020.140.20.0.4.md

kernel

  • xnu-8020.140.20.0.4~14

My Conclusion

  1. kernel heap hardening: tag, type hash
    • kmem_alloc_guard
    • kmem_apply_security_policy
  2. codesign, protecting the members with DA Key
    • csfg_get_*
View Quirks of C.md

Here's a list of mildly interesting things about the C language that I learned mostly by consuming Clang's ASTs. Although surprises are getting sparser, I might continue to update this document over time.

There are many more mildly interesting features of C++, but the language is literally known for being weird, whereas C is usually considered smaller and simpler, so this is (almost) only about C.

1. Combined type and variable/field declaration, inside a struct scope [https://godbolt.org/g/Rh94Go]

struct foo {
   struct bar {
 int x;
@Proteas
Proteas / com.apple.private.allow-explicit-graphics-priority.txt
Created Jul 28, 2021
com.apple.private.allow-explicit-graphics-priority, iOS-v15.0-19A5261w-iPhone13,2
View com.apple.private.allow-explicit-graphics-priority.txt
/usr/libexec/backboardd
/usr/sbin/mediaserverd
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.GPU.xpc/com.apple.WebKit.GPU
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent
/System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd
/System/Library/PrivateFrameworks/NanoTimeKitCompanion.framework/nanotimekitcompaniond
/System/Library/PrivateFrameworks/NanoTimeKitCompanion.framework/XPCServices/NTKFaceSnapshotService.xpc/NTKFaceSnapshotService
/System/Library/PrivateFrameworks/IMTranscoding.framework/XPCServices/IMTranscoderAgent.xpc/IMTranscoderAgent
/System/Library/PrivateFrameworks/CoreSuggestions.framework/suggestd
/private/var/staged_system_apps/Maps.app/Maps
@Proteas
Proteas / blastdoor-ids-mach.txt
Created Jun 15, 2021
iOS-v15.0-19A5261w-blastdoor-mig-mach-unix-rules
View blastdoor-ids-mach.txt
MSC__kernelrpc_mach_vm_allocate_trap
MSC__kernelrpc_mach_vm_purgable_control_trap
MSC__kernelrpc_mach_vm_deallocate_trap
MSC__kernelrpc_mach_vm_protect_trap
MSC__kernelrpc_mach_vm_map_trap
MSC__kernelrpc_mach_port_allocate_trap
MSC__kernelrpc_mach_port_deallocate_trap
MSC__kernelrpc_mach_port_mod_refs_trap
MSC__kernelrpc_mach_port_insert_right_trap
MSC__kernelrpc_mach_port_insert_member_trap
View blastdoor-messages-unix-syscall-whitelist-v14.4-18D52.txt
SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_unlink
SYS_chmod
SYS_chown
SYS_getfsstat
SYS_getuid
@Proteas
Proteas / mac_policy_ops-19E287_vs_20A5343i.diff
Last active Aug 11, 2020
mac_policy_ops diff: macOS-v10.15.4-19E287 vs. macOS-v11.0-B4-20A5343i
View mac_policy_ops-19E287_vs_20A5343i.diff
diff --git a/mac_policy_ops.c b/mac_policy_ops.c
index 798bd29..bb3c425 100644
--- a/mac_policy_ops.c
+++ b/mac_policy_ops.c
@@ -2,10 +2,10 @@ struct mac_policy_ops
{
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
- mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
- mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
@Proteas
Proteas / iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG.md
Last active Jul 8, 2020
WebContent's sandbox rules of syscall-unix, syscall-mach, mig-kernel in iOS-v14.0-18A5301v
View iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG.md

iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG

Syscall-Unix

SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_link
@Proteas
Proteas / ent-diff-iPhone11,2-17E262-vs-17F75.diff
Created May 25, 2020
ent diff of ios: 17E262-iPhone11,2 vs. 17F75-iPhone11,2
View ent-diff-iPhone11,2-17E262-vs-17F75.diff
*** ent-list-17E262-iPhone11,2.json 2020-05-25 11:16:14.000000000 +0800
--- ent-list-17F75-iPhone11,2.json 2020-05-25 11:02:29.000000000 +0800
***************
*** 389,394 ****
--- 389,395 ----
"com.apple.developer.default-data-protection",
+ "com.apple.developer.exposure-notification",
"com.apple.developer.extension-host.photo-editing",
***************
*** 820,826 ****
View inject_trusts-iOS-v12.1.2-16C104-iPhone11,x.c
void inject_trusts(int pathc, const char *paths[])
{
printf("[+] injecting into trust cache...\n");
extern uint64_t g_kern_base;
static uint64_t tc = 0;
if (tc == 0) {
/* loaded_trust_caches
iPhone11,2-4-6: 0xFFFFFFF008F702C8
View pac-set-key.md

iOS-v12.0-16A366-iPhone11,6

instructions about setting pac key

__text:FFFFFFF007A0834C                 LDR             X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
__text:FFFFFFF007A08350                 MSR             #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354                 MSR             #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
__text:FFFFFFF007A08358                 ADD             X0, X0, #1
__text:FFFFFFF007A0835C                 MSR             #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360                 MSR             #0, c2, c2, #3, X0 ; APDBKeyHi_EL1