
@PsychoTea

PsychoTea/amfid.c

Created Feb 18, 2019
amfid_payload w/ task_for_pid-allow patch
{
    // Purpose of this block: stage amfid_payload.dylib on disk, add the
    // "task_for_pid-allow" entitlement to this process's own entitlement
    // dictionary through the kernel read/write/execute primitives, then
    // inject the payload into amfid and wait for it to signal that it is up.
    // Depends on the enclosing function (not visible here) for `ret`,
    // `myproc`, `kernel_slide`, `offs` and the `out` cleanup label.
    COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");
    inject_trust("/jb/amfid_payload.dylib");

    // The target pid is looked up before the entitlement patch and is not
    // validated here. NOTE(review): presumably inject_library rejects a
    // bad pid — confirm.
    uint32_t amfid_pid = get_pid_for_name("amfid");

    // Slid kernel address of the shared OSBoolean "true" object; used as the
    // value stored under the new entitlement key.
    uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide);
    VAL_CHECK(osbool_val);

    // Walk from our proc to its entitlement dictionary. 0x100 / 0x78 / 0x8
    // are hard-coded, build-specific structure offsets; VAL_CHECK presumably
    // bails out of the enclosing function on an implausible pointer.
    uint64_t our_ucred = rk64(myproc + 0x100);
    VAL_CHECK(our_ucred);
    uint64_t our_cr_label = rk64(our_ucred + 0x78);
    VAL_CHECK(our_cr_label);
    uint64_t our_ents = rk64(our_cr_label + 0x8);
    VAL_CHECK(our_ents);

    // Resolve the setter through the dictionary object's own vtable rather
    // than a fixed symbol address, so it follows whatever the object is.
    uint64_t OSDictionary_vtab = rk64(our_ents);
    VAL_CHECK(OSDictionary_vtab);
    // OSDictionary::SetObject = vtable->0xf8
    uint64_t OSDictionary_SetItem = rk64(OSDictionary_vtab + 0xf8);
    VAL_CHECK(OSDictionary_SetItem);

    // Copy the key string into kernel memory so the setter can read it.
    // NOTE(review): strlen returns size_t; the narrowing to int is harmless
    // for this fixed literal, but kalloc/kwrite/kfree presumably take a
    // size_t. The (void *) cast discards const — only safe if kwrite treats
    // its second argument as a read-only source buffer.
    const char *str_to_patch = "task_for_pid-allow";
    int str_len = strlen(str_to_patch) + 1;
    uint64_t str_alloc = kalloc(str_len);
    kwrite(str_alloc, (void *)str_to_patch, str_len);
    LOG("str_alloc: %llx", str_alloc);

    // kexecute automatically adds kernel_slide, however this vtab entry is already slid
    // Call: SetItem(our_ents, key, OSBoolean-true) — three arguments.
    LOG("OSDict::SetItem return: %llx", kexecute(OSDictionary_SetItem - kernel_slide, 3, our_ents, str_alloc, osbool_val));
    // The scratch key buffer is released right away; this assumes the
    // dictionary copies the key rather than retaining this pointer — confirm.
    kfree(str_alloc, str_len);

    // Inject the staged library into amfid; failure propagates via `ret`.
    ret = inject_library(amfid_pid, "/jb/amfid_payload.dylib");
    if (ret != KERN_SUCCESS)
    {
        LOG("failed to inject amfid payload");
        goto out;
    }
    LOG("amfid patched?!");

    // Poll for a marker file, presumably created by the injected payload once
    // it is running: at most 100 iterations x 500 ms = 50 s.
    // NOTE(review): nothing here removes a stale marker from a previous run,
    // so a leftover file would satisfy this check immediately.
    int tries = 0;
    while (access("/var/tmp/amfid.alive", F_OK) != 0 && tries < 100)
    {
        LOG("waiting for amfid...");
        usleep(500000);
        tries++;
    }
    if (tries >= 100)
    {
        LOG("failed to patch amfid :(");
        ret = KERN_FAILURE;
        goto out;
    }
}