Proteas

kernel

• xnu-8020.140.20.0.4~14

My Conclusion

1. kernel heap hardening: tag, type hash
   • kmem_alloc_guard
   • kmem_apply_security_policy
2. codesign, protecting the members with DA Key
   • csfg_get_*

Proteas

Here's a list of mildly interesting things about the C language that I learned mostly by consuming Clang's ASTs. Although surprises are getting sparser, I might continue to update this document over time.

There are many more mildly interesting features of C++, but the language is literally known for being weird, whereas C is usually considered smaller and simpler, so this is (almost) only about C.

1. Combined type and variable/field declaration, inside a struct scope [https://godbolt.org/g/Rh94Go]

struct foo {
   struct bar {
 int x;

Proteas

/usr/libexec/backboardd
/usr/sbin/mediaserverd
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.GPU.xpc/com.apple.WebKit.GPU
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent
/System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd
/System/Library/PrivateFrameworks/NanoTimeKitCompanion.framework/nanotimekitcompaniond
/System/Library/PrivateFrameworks/NanoTimeKitCompanion.framework/XPCServices/NTKFaceSnapshotService.xpc/NTKFaceSnapshotService
/System/Library/PrivateFrameworks/IMTranscoding.framework/XPCServices/IMTranscoderAgent.xpc/IMTranscoderAgent
/System/Library/PrivateFrameworks/CoreSuggestions.framework/suggestd
/private/var/staged_system_apps/Maps.app/Maps

Proteas

MSC__kernelrpc_mach_vm_allocate_trap
MSC__kernelrpc_mach_vm_purgable_control_trap
MSC__kernelrpc_mach_vm_deallocate_trap
MSC__kernelrpc_mach_vm_protect_trap
MSC__kernelrpc_mach_vm_map_trap
MSC__kernelrpc_mach_port_allocate_trap
MSC__kernelrpc_mach_port_deallocate_trap
MSC__kernelrpc_mach_port_mod_refs_trap
MSC__kernelrpc_mach_port_insert_right_trap
MSC__kernelrpc_mach_port_insert_member_trap

Proteas

SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_unlink
SYS_chmod
SYS_chown
SYS_getfsstat
SYS_getuid

Proteas

diff --git a/mac_policy_ops.c b/mac_policy_ops.c
index 798bd29..bb3c425 100644
--- a/mac_policy_ops.c
+++ b/mac_policy_ops.c
@@ -2,10 +2,10 @@ struct mac_policy_ops
 {
   mpo_audit_check_postselect_t *mpo_audit_check_postselect;
   mpo_audit_check_preselect_t *mpo_audit_check_preselect;
-  mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
-  mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;

Proteas

iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG

Syscall-Unix

SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_link

Proteas

*** ent-list-17E262-iPhone11,2.json	2020-05-25 11:16:14.000000000 +0800
--- ent-list-17F75-iPhone11,2.json	2020-05-25 11:02:29.000000000 +0800
***************
*** 389,394 ****
--- 389,395 ----
      "com.apple.developer.default-data-protection", 
+     "com.apple.developer.exposure-notification", 
      "com.apple.developer.extension-host.photo-editing", 
***************
*** 820,826 ****

Proteas

void inject_trusts(int pathc, const char *paths[])
{
    printf("[+] injecting into trust cache...\n");
    
    extern uint64_t g_kern_base;
    
    static uint64_t tc = 0;
    if (tc == 0) {
        /* loaded_trust_caches
         iPhone11,2-4-6: 0xFFFFFFF008F702C8

Proteas

iOS-v12.0-16A366-iPhone11,6

instructions about setting pac key

__text:FFFFFFF007A0834C                 LDR             X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
__text:FFFFFFF007A08350                 MSR             #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354                 MSR             #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
__text:FFFFFFF007A08358                 ADD             X0, X0, #1
__text:FFFFFFF007A0835C                 MSR             #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360                 MSR             #0, c2, c2, #3, X0 ; APDBKeyHi_EL1