knightsc / execve.log
Created Jun 29, 2021
dtrace log of execve call with all MACF kexts running
This file has been truncated, but you can view the full file.
CPU FUNCTION
3 -> execve ffffff802b71b320 ffffff802f6e39b8 ffffff802f6e39f8
3 -> __mac_execve ffffff802b71b320 ffffff80b1a7be68 ffffff802f6e39f8
3 -> kauth_cred_proc_ref ffffff802b71b320 ffffff80b1a7be68 ffffff802f6e39f8
3 <- kauth_cred_proc_ref 4f ffffff802ee1bc70 0
3 -> __MALLOC 690 50 4
3 -> kalloc_canblock ffffff80b1a7bd90 1 ffffff801f07d598
3 -> gzalloc_alloc ffffff801f0a5b20 1 0
3 <- gzalloc_alloc 5c 0 0
knightsc / ApplicationWhitelist.mobileconfig
Created Jun 29, 2021
Example macOS profile for whitelisting applications, which in turn makes use of mcxalr.kext
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Parental Controls: Application Access #1</string>
<key>PayloadIdentifier</key>
View gist:758783181e41a986fceea6901b8853e3
//
// AKNativeAnisetteService.m
// akd
//
// Created by Scott Knight on 5/10/19.
// Copyright © 2019 Scott Knight. All rights reserved.
//
#import <AuthKit/AuthKit.h>
#import "AKNativeAnisetteService.h"
View XProtect_2121_hashes.txt
XProtect_MACOS_51f7dde:27999b460b19fa7a32c2adf9a1b47642f4c7272883785f140683de04ab66db82
XProtect_MACOS_51f7dde:6771e7b084fbe7fb59fc47129ff946df31dd341b2267aa7f3fa34d51a8419588
XProtect_MACOS_51f7dde:aa8a4948afe706d1eeb217b6b0564793d1cf3a1914f44a487bd8b23f693e2e4f
XProtect_MACOS_51f7dde:88dbc53ea3f19a234f80979bae2a496c9c71be0c0b9ea001157511ff37f725f7
XProtect_MACOS_51f7dde:b214427c509bb68c8fa74f392d695c44443ffa8bf41f608de70d6743842dc440
XProtect_MACOS_51f7dde:e4408c80559b44dacf76400236dc2b094fc7ced8208eb0ae575c0d2299a6e3a4
knightsc / build-xnu-4903.270.47.sh
Created Apr 11, 2020
A script to build XNU version 4903.241.1 (macOS Mojave 10.14.3).
#! /bin/bash
#
# build-xnu-4903.270.47.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 4903.270.47 on macOS Mojave
# 10.14.6 with Xcode 10.3
knightsc / dtrace-338.40.5-PointerLikeTypeTraits.h
Created Apr 4, 2020
PointerLikeTypeTraits.h from dtrace-338.40.5
//===- llvm/Support/PointerLikeTypeTraits.h - Pointer Traits ----*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines the PointerLikeTypeTraits class. This allows data
// structures to reason about pointers and other things that are pointer sized.
knightsc / llvmCore-3425.0.36-DataTypes.h
Created Apr 4, 2020
DataTypes.h from llvmCore-3425.0.36
/* include/llvm/Support/DataTypes.h. Generated from DataTypes.h.in by configure. */
/*===-- include/Support/DataTypes.h - Define fixed size types -----*- C -*-===*\
|* *|
|* The LLVM Compiler Infrastructure *|
|* *|
|* This file is distributed under the University of Illinois Open Source *|
|* License. See LICENSE.TXT for details. *|
|* *|
|*===----------------------------------------------------------------------===*|
|* *|
knightsc / XProtect_2116_hashes.txt
Created Mar 20, 2020
Hashes matching yara rules from XProtect 2116
XProtect_MACOS_c592675:060bd0a09a691faa3067a12fbcde5f451b16bd7315cd238a86c9c8b9a333c477
XProtect_MACOS_c592675:08c8d9abe018454a183bfb0728a13f636f03fde01d01ab0ef5d4b6d1a4f8b42a
XProtect_MACOS_c592675:3def33ba228d576e67d09b6190fd5f58af469f81a4a705649535d362fd2e3300
XProtect_MACOS_c592675:89e5969a9afecb010748b085256e1759e633cf002639b4ac48a2e7dc0bc523ed
XProtect_MACOS_c592675:a609bd94f385cbe30bffa47c32bc6033775d2101824c4c434eb118482809c065
XProtect_MACOS_c592675:b4738580705c0d7fd1eaeeff1868abd2d5f613183df198e62feca5bd05979911
XProtect_MACOS_c592675:f8abf262193194089906623461957c308be579cfb542f4658b31cc35bc3979fc
knightsc / build-xnu-4903.241.1.sh
Created Feb 19, 2020
A script to build XNU version 4903.241.1 (macOS Mojave 10.14.3).
#! /bin/bash
#
# build-xnu-4903.241.1.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 4903.241.1 on macOS Mojave
# 10.14.6 with Xcode 10.3
knightsc / build-xnu-6153.11.26.sh
Created Feb 18, 2020
A script to build XNU version 6153.11.26 (macOS Catalina 10.15).
#! /bin/bash
#
# build-xnu-6153.11.26.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 6153.11.26 on macOS Catalina
# 10.15 with Xcode 11.13.1.