@jmpews
Created October 20, 2019 12:48
Debug the AMFI

The kernel invokes the cred_label_update_execve hook of com.apple.driver.AppleMobileFileIntegrity (AMFI's _cred_label_update_execve) from mac_cred_label_update_execve while a new image is being exec'd. The backtrace below shows the path taken: posix_spawn -> exec_activate_image -> exec_mach_imgact -> kauth_proc_label_update_execve (with kauth_cred_label_update_execve inlined into it) -> mac_cred_label_update_execve, which is where the regex breakpoint stopped.

(lldb) bt
* thread #5, name = '0xffffff8023f43d90', queue = 'cpu-0', stop reason = breakpoint 4.2
  * frame #0: 0xffffff80174d0f79 kernel`mac_cred_label_update_execve(ctx=0xffffff807219bd50, new=0xffffff807219b848, vp=0xffffff801ea98aa8, offset=0, scriptvp=0x0000000000000000, scriptvnodelabel=0x0000000000000000, execl=0x0000000000000000, csflags=0xffffff801dd51dd0, macextensions=0x0000000000000000, disjoint=0xffffff807219b9b8, labelupdateerror=0xffffff807219b9bc) at mac_vfs.c:655:12 [opt]
    frame #1: 0xffffff801728fd1f kernel`kauth_proc_label_update_execve [inlined] kauth_cred_label_update_execve(cred=0xffffff801e31e560, ctx=0xffffff807219bd50, offset=0, scriptl=0x0000000000000000, execl=<unavailable>, csflags=<unavailable>, macextensions=<unavailable>, disjointp=<unavailable>, labelupdateerror=<unavailable>) at kern_credential.c:4554:2 [opt]
    frame #2: 0xffffff801728fccc kernel`kauth_proc_label_update_execve(p=0xffffff8024e3d9b0, ctx=0xffffff807219bd50, vp=0xffffff801ea98aa8, offset=0, scriptvp=0x0000000000000000, scriptl=0x0000000000000000, execl=0x0000000000000000, csflags=0xffffff801dd51dd0, macextensions=0x0000000000000000, disjoint=0xffffff807219b9b8, update_return=0xffffff807219b9bc) at kern_credential.c:4672 [opt]
    frame #3: 0xffffff80172afac4 kernel`exec_mach_imgact at kern_exec.c:4831:4 [opt]
    frame #4: 0xffffff80172af567 kernel`exec_mach_imgact(imgp=0xffffff801dd51b00) at kern_exec.c:1088 [opt]
    frame #5: 0xffffff80172b54d1 kernel`exec_activate_image(imgp=0xffffff801dd51b00) at kern_exec.c:1531:11 [opt]
    frame #6: 0xffffff80172b48c7 kernel`posix_spawn(ap=0xffffff8024e3d9b0, uap=<unavailable>, retval=0xffffff801feba178) at kern_exec.c:2864:10 [opt]
    frame #7: 0xffffff80173b5b7b kernel`unix_syscall64(state=<unavailable>) at systemcalls.c:381:10 [opt]
    frame #8: 0xffffff8016d5a466 kernel`hndl_unix_scall64 + 22
(lldb) breakpoint list
Current breakpoints:
4: regex = '.*_cred_label_update_execve', locations = 2, resolved = 2, hit count = 1
  4.1: where = kernel`kauth_proc_label_update_execve + 124 [inlined] kauth_cred_label_update_execve at kern_credential.c:4672, address = 0xffffff801728fccc, resolved, hit count = 0
  4.2: where = kernel`mac_cred_label_update_execve + 41 at mac_vfs.c:655:12, address = 0xffffff80174d0f79, resolved, hit count = 1

(lldb)
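One way to reproduce the session above from a command file, as an added example that is not part of the gist: it sets the same regex breakpoint as breakpoint 4, adds a named breakpoint on mac_cred_label_update_execve (frame #0 in the transcript) and, each time that hook entry point is hit, dumps the caller chain, the vnode being executed and the code-signing flags AMFI is about to evaluate. It assumes two-machine kernel debugging over KDP with a Kernel Debug Kit matching the target build; the kernel path and the target address 192.0.2.10 are placeholders, and the "frame select 2" step relies on lldb showing the inlined kauth_cred_label_update_execve as its own frame #1, as it does in the transcript.

```lldb
# Added example, not part of the gist. Assumptions:
#   - two-machine kernel debugging over KDP, target booted with boot-args
#     "debug=0x144" and reachable at the placeholder address 192.0.2.10;
#   - a Kernel Debug Kit matching the target build is installed, so the kernel
#     binary and its dSYM (which carries the xnu lldb macros) are found at the
#     placeholder path below.
# Usage: lldb -s amfi_execve.lldb

# Load the kernel image with symbols and let the KDK's lldb macros load.
target create --arch x86_64 /path/to/KDK/System/Library/Kernels/kernel
settings set target.load-script-from-symbol-file true

# Attach to the halted target (break in with an NMI; "debug=0x144" allows it).
kdp-remote 192.0.2.10

# Breakpoint 1: the same regex as breakpoint 4 in the transcript. It resolves
# to two locations: the kauth_cred_label_update_execve copy inlined into
# kauth_proc_label_update_execve, and mac_cred_label_update_execve itself.
breakpoint set --func-regex '.*_cred_label_update_execve'

# Breakpoint 2: only the MAC-framework entry point that dispatches to each
# policy's cred_label_update_execve hook (frame #0 above). On every hit, show
# the caller chain, the executed vnode's name and the code-signing flags.
# csflags is an unsigned int * in this function, so it is dereferenced to get
# the CS_* bits. Add "continue" as the last line before DONE to log every exec
# instead of stopping in the debugger.
breakpoint set --name mac_cred_label_update_execve
breakpoint command add 2
bt
frame select 0
frame variable ctx new vp offset scriptvp csflags disjoint labelupdateerror
p vp->v_name
p/x *csflags
frame select 2
p p->p_comm
DONE

# Confirm both breakpoints resolved (compare with "breakpoint list" above),
# then let the target run until the next exec reaches the hook.
breakpoint list
continue
```

Any process spawn on the target will now stop in mac_cred_label_update_execve, so expect the first hit almost immediately; the p_comm printed at frame 2 identifies which process the spawn came from, and the dereferenced csflags value is what the AMFI policy will see for the new image.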