knightsc / TeslaClient.m
Created Jun 11, 2019
Quick XPC client for the teslad daemon, which exposes the CCDServiceInterface protocol
//
// main.m
// TeslaClient
//
// Created by Scott Knight on 6/11/19.
// Copyright © 2019 Scott Knight. All rights reserved.
//
#import <Foundation/Foundation.h>
knightsc / main.m
Last active Oct 19, 2019
An example of using the libEndpointSecurity.dylib in Catalina
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <os/log.h>
#import <bsm/libbsm.h>
/*
In the beta 1 seed it is not straightforward to create an EndpointSecurity extension.
You can use libEndpointSecurity.dylib directly as long as you set the following things:
1. Disable SIP
knightsc / step.py
Last active May 23, 2019
LLDB scripted step example. Steps from call instruction to call instruction
from __future__ import print_function
import lldb
# This class will single-step until the next call assembly instruction
# and then print out all the argument registers
class Call:
def __init__(self, thread_plan, dict):
self.thread_plan = thread_plan
knightsc / psx.c
Last active Jul 11, 2019
Loops through all running processes and prints out ones that have had threads injected or hijacked
#include <stdio.h>
#include <stdlib.h>
#include <libproc.h>
#include <mach/mach.h>
bool
has_modifications(struct task_extmod_info *info)
{
if ((info->extmod_statistics.thread_creation_count > 0) ||
(info->extmod_statistics.thread_set_state_count > 0)) {
knightsc / hijack.c
Created Feb 26, 2019
Example of how to hijack a thread on macOS to run code in a remote process
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <dlfcn.h>
#include <objc/runtime.h>
knightsc / inject.c
Last active Dec 3, 2019
An example of how to inject code to call dlopen and load a dylib into a remote mach task. Tested on 10.13.6 and 10.14.3
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <mach/mach.h>
#include <mach/error.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
knightsc / spxpc.m
Created Feb 20, 2019
Example of how the Security.framework calls into `syspolicyd` for Gatekeeper functionality
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <stdint.h>
typedef uint64_t SecAssessmentFlags; // NOTE(review): appears to redeclare the SecAssessment flags type locally so the example builds without that header — confirm it matches the SDK definition
enum {
kSecAssessmentDefaultFlags = 0, // default behavior
knightsc / aspmig.c
Created Feb 14, 2019
Example of sending the notify_32bit_exec MIG message to syspolicyd
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <mach/mach.h>
/*
This lets you write to /var/db/SystemPolicyConfiguration/ExecPolicy
even with SIP enabled: syspolicyd saves the values you pass to the
ExecPolicy database before it determines whether they can be checked,
so the write happens regardless of that later validation.
knightsc / kext_deps.py
Created Feb 12, 2019
Scans all kexts in /System/Library/Extensions and generates a graphml graph representation of the dependencies.
import plistlib
import subprocess
import os
def main():
output = subprocess.check_output(['find', '/System/Library/Extensions', '-name', '*.kext', '-print'])
print('<?xml version="1.0" encoding="UTF-8"?>')
print('<graphml xmlns="http://graphml.graphdrawing.org/xmlns">')
print(' <graph id="G" edgedefault="undirected">')
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <mach/mach.h>
/*