kernel
- xnu-8020.140.20.0.4~14
My Conclusion
- kernel heap hardening: tag, type hash, kmem_alloc_guard, kmem_apply_security_policy
- codesign: protecting the members with the DA key
- csfg_get_*
tag
, type hash
kmem_alloc_guard
kmem_apply_security_policy
DA Key
Here's a list of mildly interesting things about the C language that I learned mostly by consuming Clang's ASTs. Although surprises are getting sparser, I might continue to update this document over time.
There are many more mildly interesting features of C++, but the language is literally known for being weird, whereas C is usually considered smaller and simpler, so this is (almost) only about C.
struct foo {
struct bar {
int x;
/usr/libexec/backboardd | |
/usr/sbin/mediaserverd | |
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.GPU.xpc/com.apple.WebKit.GPU | |
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent | |
/System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd | |
/System/Library/PrivateFrameworks/NanoTimeKitCompanion.framework/nanotimekitcompaniond | |
/System/Library/PrivateFrameworks/NanoTimeKitCompanion.framework/XPCServices/NTKFaceSnapshotService.xpc/NTKFaceSnapshotService | |
/System/Library/PrivateFrameworks/IMTranscoding.framework/XPCServices/IMTranscoderAgent.xpc/IMTranscoderAgent | |
/System/Library/PrivateFrameworks/CoreSuggestions.framework/suggestd | |
/private/var/staged_system_apps/Maps.app/Maps |
MSC__kernelrpc_mach_vm_allocate_trap | |
MSC__kernelrpc_mach_vm_purgable_control_trap | |
MSC__kernelrpc_mach_vm_deallocate_trap | |
MSC__kernelrpc_mach_vm_protect_trap | |
MSC__kernelrpc_mach_vm_map_trap | |
MSC__kernelrpc_mach_port_allocate_trap | |
MSC__kernelrpc_mach_port_deallocate_trap | |
MSC__kernelrpc_mach_port_mod_refs_trap | |
MSC__kernelrpc_mach_port_insert_right_trap | |
MSC__kernelrpc_mach_port_insert_member_trap |
SYS_exit | |
SYS_read | |
SYS_write | |
SYS_open | |
SYS_close | |
SYS_unlink | |
SYS_chmod | |
SYS_chown | |
SYS_getfsstat | |
SYS_getuid |
diff --git a/mac_policy_ops.c b/mac_policy_ops.c | |
index 798bd29..bb3c425 100644 | |
--- a/mac_policy_ops.c | |
+++ b/mac_policy_ops.c | |
@@ -2,10 +2,10 @@ struct mac_policy_ops | |
{ | |
mpo_audit_check_postselect_t *mpo_audit_check_postselect; | |
mpo_audit_check_preselect_t *mpo_audit_check_preselect; | |
- mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; | |
- mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; |
SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_link
*** ent-list-17E262-iPhone11,2.json 2020-05-25 11:16:14.000000000 +0800 | |
--- ent-list-17F75-iPhone11,2.json 2020-05-25 11:02:29.000000000 +0800 | |
*************** | |
*** 389,394 **** | |
--- 389,395 ---- | |
"com.apple.developer.default-data-protection", | |
+ "com.apple.developer.exposure-notification", | |
"com.apple.developer.extension-host.photo-editing", | |
*************** | |
*** 820,826 **** |
void inject_trusts(int pathc, const char *paths[]) | |
{ | |
printf("[+] injecting into trust cache...\n"); | |
extern uint64_t g_kern_base; | |
static uint64_t tc = 0; | |
if (tc == 0) { | |
/* loaded_trust_caches | |
iPhone11,2-4-6: 0xFFFFFFF008F702C8 |
Instructions that set the PAC (pointer authentication) key registers:
; Disassembly excerpt: one 64-bit literal is loaded into X0 and written to
; both halves (Lo and Hi) of the instruction-B key (APIBKey*_EL1); the same
; value plus one is then written to both halves of the data-B key
; (APDBKey*_EL1). The MSR operand forms (op1=0, CRn=c2, CRm=c1/c2, op2=2/3)
; are consistent with the ARMv8.3 PAC key register encodings named in the
; trailing comments.
__text:FFFFFFF007A0834C LDR X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
; NOTE(review): the key material here is a compile-time constant, and the
; Hi half duplicates the Lo half rather than being independent. Whether a
; later boot stage replaces these registers with generated keys is not
; shown in this excerpt — confirm before treating this as the live key.
__text:FFFFFFF007A08350 MSR #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354 MSR #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
; The data-B key is derived from the same constant (+1), so it is not an
; independent secret either.
__text:FFFFFFF007A08358 ADD X0, X0, #1
__text:FFFFFFF007A0835C MSR #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360 MSR #0, c2, c2, #3, X0 ; APDBKeyHi_EL1