

knightsc / DataTypes.h
Created Feb 18, 2020
dtrace-338.0.1 missing DataTypes.h file from llvmCore-3425.0.36
/* include/llvm/Support/DataTypes.h. Generated from DataTypes.h.in by configure. */
/*===-- include/Support/DataTypes.h - Define fixed size types -----*- C -*-===*\
|* *|
|* The LLVM Compiler Infrastructure *|
|* *|
|* This file is distributed under the University of Illinois Open Source *|
|* License. See LICENSE.TXT for details. *|
|* *|
|*===----------------------------------------------------------------------===*|
|* *|
knightsc / PointerLikeTypeTraits.h
Created Feb 18, 2020
dtrace-338.0.1 updated PointerLikeTypeTraits.h
//===- llvm/Support/PointerLikeTypeTraits.h - Pointer Traits ----*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines the PointerLikeTypeTraits class. This allows data
// structures to reason about pointers and other things that are pointer sized.
knightsc / XProtect_2112_hashes.txt
Created Jan 23, 2020
Hashes that match the new rules in XProtect 2112
XProtect_MACOS_60a3d68:0007f3ac26579c5c519f88e9b3bb0e64155f0fa43c2db7645a767e633136a33f
XProtect_MACOS_60a3d68:0065e1f7389913cf81aed29bddfbf1d0c31715d602f5ee9bd73af09b79b64e71
XProtect_MACOS_60a3d68:009f23221bc4fc907dabf5e85c496d2be2e94dbf206d878fa4c0557c2cd4044d
XProtect_MACOS_60a3d68:00a0215fd96eb4b217de3498a02188759a6aaaca0c97854141e6970e7ed3a5ff
XProtect_MACOS_60a3d68:015a012379ba3b4a570e72d97673757aa7ed6233e5899ed76ed69392f6c4a189
XProtect_MACOS_60a3d68:0179c39f2ae4a90f3786aeb9e7fa4ce1bf6258fd362909eb7f9940035eb124d6
XProtect_MACOS_60a3d68:019522b4ff2082b448e21b4455d95cbfc307672260dc1c786cb91560be0c86d3
XProtect_MACOS_60a3d68:01fca671c27dc89e35a919d18958f1384f7b43e7b92008d5e1510536d48a6d45
XProtect_MACOS_60a3d68:022046d1111b6839b3f748bc08c04dfc22e4cdffb64ff49683668ecdf0263a6c
XProtect_MACOS_60a3d68:02495af390bcb5c028204e211fdf9531d0631780b644e5d36cc5c20be3b86509
knightsc / XProtect_2111_hashes.txt
Created Jan 9, 2020
Hashes that match the 3 new yara rules from XProtect 2111
XProtect_MACOS_03b5cbe:1276b53d7e4614297295c29a658406ff090140041dc3691eadc61f705a405292
XProtect_MACOS_03b5cbe:94322c09a282692d521d02fa4c30e497963690f477b860e1feb9b48fd1f6cafe
XProtect_MACOS_03b5cbe:ca0db652de6e0e1e3d9b287d1e3e3ca996e283c9bf229d8feb5bc8b41d9b641b
XProtect_MACOS_5af1486:202242485088d66357f34bb6172e58eaa88c007c6263e273e3e71ad33529f2ba
XProtect_MACOS_5af1486:300c60df1cf023340ecf55da31ed5aae1c2d58caf0f76736479fcddc7d9006cd
XProtect_MACOS_5af1486:325a3669a2103094e09c125411e5635f47ca027e56c259a1658505fc0a7328ad
XProtect_MACOS_5af1486:34ded42dcb9a554f601079af0a467932384c8b0e55861d2aa208c87099cff339
XProtect_MACOS_5af1486:3620531484b0cbebd4b5360d18c9225fba7df70b4725556742f717fb605a3b8c
XProtect_MACOS_5af1486:42fef43a56a76820eab80d8afa1828fb12a4988af071eb501fcb7b1c46dc4f7f
XProtect_MACOS_5af1486:4c640459463b49b814744d71504b0804ac45ea518d4d26f8d3464bf64d10a2de
//
// main.m
//
// Created by Scott Knight on 12/12/19.
// Copyright © 2019 Scott Knight. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <os/log.h>
knightsc / XProtect_2109_hashes.txt
Created Dec 11, 2019
Hashes that match the yara rules from XProtect 2109
XProtect_MACOS_0dd569a:02f81a2a23efac96f3d25d39d13d30abc67425611ee053e5b958c3358a507ecb
XProtect_MACOS_0dd569a:05362d0fd814fad075b220f33d7019db46c08caf7bb39492f6eae90be836e9c4
XProtect_MACOS_0dd569a:05536448fe3312d1c4e8dbdf4512752e1483ae84ec3c5cce8dcb1dce2b175311
XProtect_MACOS_0dd569a:066b26b76ccc444bd75994f7d8e1461093567e10fd64ba0fa2daa6406f031dd7
XProtect_MACOS_0dd569a:08f71ef6ec870c4c70c861b77456bd18a04a8113de518639e7335e133473c9db
XProtect_MACOS_0dd569a:0c529ca177c4525783a0a0675cb597fd6d9ffb6beba7bce9c3b4555229c35c9d
XProtect_MACOS_0dd569a:0d214ee00e05ba873ff6755f55c668e39421ed390302a0a795c176ff41eca6f6
XProtect_MACOS_0dd569a:188e0aadb2a67772bb41a1a7f071bbfa883c37483fe1b4462bb5865a5c4e10b9
XProtect_MACOS_0dd569a:218a90e405170ea20588eb677b279d0f2a78817bb971d383d7fc742b0997f8e0
XProtect_MACOS_0dd569a:2764a8e9edfc43da3c7a85364255e384a35719e516c18083f77334faa89ec05d
knightsc / TeslaClient.m
Created Jun 11, 2019
Quick XPC client for the teslad daemon which exposes CCDServiceInterface protocol
//
// main.m
// TeslaClient
//
// Created by Scott Knight on 6/11/19.
// Copyright © 2019 Scott Knight. All rights reserved.
//
#import <Foundation/Foundation.h>
knightsc / main.m
Last active Mar 24, 2020
An example of using the libEndpointSecurity.dylib in Catalina
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <os/log.h>
#import <bsm/libbsm.h>
/*
In the beta 1 seed it is not straightforward to create an EndpointSecurity extension.
You can use libEndpointSecurity.dylib directly as long as you set up the following things:
1. Disable SIP
knightsc / step.py
Last active May 23, 2019
LLDB scripted step example. Steps from call instruction to call instruction
from __future__ import print_function
import lldb
# This class single-steps until the next call assembly instruction
# and then prints out all the argument registers
class Call:
def __init__(self, thread_plan, dict):
self.thread_plan = thread_plan
knightsc / psx.c
Last active Jul 11, 2019
Loops through all running processes and prints out ones that have had threads injected or hijacked
#include <stdio.h>
#include <stdlib.h>
#include <libproc.h>
#include <mach/mach.h>
bool
has_modifications(struct task_extmod_info *info)
{
if ((info->extmod_statistics.thread_creation_count > 0) ||
(info->extmod_statistics.thread_set_state_count > 0)) {