Scott Knight knightsc
knightsc
/ kext_deps.py
Created
February 12, 2019 17:30
Scans all kexts in /System/Library/Extensions and generates a graphml graph representation of the dependencies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import plistlib | |
| import subprocess | |
| import os | |
| def main(): | |
| output = subprocess.check_output(['find', '/System/Library/Extensions', '-name', '*.kext', '-print']) | |
| print('<?xml version="1.0" encoding="UTF-8"?>') | |
| print('<graphml xmlns="http://graphml.graphdrawing.org/xmlns">') | |
| print(' <graph id="G" edgedefault="undirected">') |
knightsc
/ kexts.graphml
Created
January 15, 2019 18:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <graphml xmlns="http://graphml.graphdrawing.org/xmlns"> | |
| <graph id="G" edgedefault="undirected"> | |
| <node id="Kernel"/> | |
| <node id="AppleEmbeddedOSSupportHost"/> | |
| <node id="AppleSMCLMU"/> | |
| <node id="AppleIntelLpssSpiController"/> | |
| <node id="IOSkywalkFamily"/> | |
| <node id="BridgeAudioCommunication"/> | |
| <node id="ntfs"/> |
knightsc
/ execve.log
Created
June 29, 2021 15:27
dtrace log of execve call with all MACF kexts running
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CPU FUNCTION | |
| 3 -> execve ffffff802b71b320 ffffff802f6e39b8 ffffff802f6e39f8 | |
| 3 -> __mac_execve ffffff802b71b320 ffffff80b1a7be68 ffffff802f6e39f8 | |
| 3 -> kauth_cred_proc_ref ffffff802b71b320 ffffff80b1a7be68 ffffff802f6e39f8 | |
| 3 <- kauth_cred_proc_ref 4f ffffff802ee1bc70 0 | |
| 3 -> __MALLOC 690 50 4 | |
| 3 -> kalloc_canblock ffffff80b1a7bd90 1 ffffff801f07d598 | |
| 3 -> gzalloc_alloc ffffff801f0a5b20 1 0 | |
| 3 <- gzalloc_alloc 5c 0 0 | |
| 3 -> zcache_alloc_from_cpu_cache ffffff801f0a5b20 0 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Debug boot-args */ | |
| #define DB_HALT 0x1 | |
| //#define DB_PRT 0x2 -- obsolete | |
| #define DB_NMI 0x4 | |
| #define DB_KPRT 0x8 | |
| #define DB_KDB 0x10 | |
| #define DB_ARP 0x40 | |
| #define DB_KDP_BP_DIS 0x80 | |
| //#define DB_LOG_PI_SCRN 0x100 -- obsolete | |
| #define DB_KDP_GETC_ENA 0x200 |
knightsc
/ build-xnu-4903.270.47.sh
Created
April 11, 2020 19:03
A script to build XNU version 4903.241.1 (macOS Mojave 10.14.3).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| # | |
| # build-xnu-4903.270.47.sh | |
| # Scott Knight | |
| # | |
| # Based on the script by Brandon Azad | |
| # https://gist.github.com/bazad/654959120a423b226dc564073b435453 | |
| # | |
| # A script showing how to build XNU version 4903.270.47 on macOS Mojave | |
| # 10.14.6 with Xcode 10.3 |
knightsc
/ DataTypes.h
Created
February 18, 2020 15:02
dtrace-338.0.1 missing DataTypes.h file from llvmCore-3425.0.36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* include/llvm/Support/DataTypes.h. Generated from DataTypes.h.in by configure. */ | |
| /*===-- include/Support/DataTypes.h - Define fixed size types -----*- C -*-===*\ | |
| |* *| | |
| |* The LLVM Compiler Infrastructure *| | |
| |* *| | |
| |* This file is distributed under the University of Illinois Open Source *| | |
| |* License. See LICENSE.TXT for details. *| | |
| |* *| | |
| |*===----------------------------------------------------------------------===*| | |
| |* *| |
knightsc
/ XProtect_2121_hashes.txt
Created
May 15, 2020 17:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| XProtect_MACOS_51f7dde:27999b460b19fa7a32c2adf9a1b47642f4c7272883785f140683de04ab66db82 | |
| XProtect_MACOS_51f7dde:6771e7b084fbe7fb59fc47129ff946df31dd341b2267aa7f3fa34d51a8419588 | |
| XProtect_MACOS_51f7dde:aa8a4948afe706d1eeb217b6b0564793d1cf3a1914f44a487bd8b23f693e2e4f | |
| XProtect_MACOS_51f7dde:88dbc53ea3f19a234f80979bae2a496c9c71be0c0b9ea001157511ff37f725f7 | |
| XProtect_MACOS_51f7dde:b214427c509bb68c8fa74f392d695c44443ffa8bf41f608de70d6743842dc440 | |
| XProtect_MACOS_51f7dde:e4408c80559b44dacf76400236dc2b094fc7ced8208eb0ae575c0d2299a6e3a4 |
knightsc
/ dtrace-338.40.5-PointerLikeTypeTraits.h
Created
April 4, 2020 12:21
PointerLikeTypeTraits.h from dtrace-338.40.5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //===- llvm/Support/PointerLikeTypeTraits.h - Pointer Traits ----*- C++ -*-===// | |
| // | |
| // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. | |
| // See https://llvm.org/LICENSE.txt for license information. | |
| // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | |
| // | |
| //===----------------------------------------------------------------------===// | |
| // | |
| // This file defines the PointerLikeTypeTraits class. This allows data | |
| // structures to reason about pointers and other things that are pointer sized. |
knightsc
/ llvmCore-3425.0.36-DataTypes.h
Created
April 4, 2020 12:19
DataTypes.h from llvmCore-3425.0.36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* include/llvm/Support/DataTypes.h. Generated from DataTypes.h.in by configure. */ | |
| /*===-- include/Support/DataTypes.h - Define fixed size types -----*- C -*-===*\ | |
| |* *| | |
| |* The LLVM Compiler Infrastructure *| | |
| |* *| | |
| |* This file is distributed under the University of Illinois Open Source *| | |
| |* License. See LICENSE.TXT for details. *| | |
| |* *| | |
| |*===----------------------------------------------------------------------===*| | |
| |* *| |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #import <Foundation/Foundation.h> | |
| #import <EndpointSecurity/EndpointSecurity.h> | |
| #import <os/log.h> | |
| #import <bsm/libbsm.h> | |
| /* | |
| In the beta 1 seed it's not straight forward to create an EndpointSecurity extension. | |
| You can use libEndpointSecurity.dylib directly as long as you set the following things: | |
| 1. Disable SIP |