Scott Knight knightsc

## DataTypes.h
/* include/llvm/Support/DataTypes.h.  Generated from DataTypes.h.in by configure.  */
/*===-- include/Support/DataTypes.h - Define fixed size types -----*- C -*-===*\
|*                                                                            *|
|*                     The LLVM Compiler Infrastructure                       *|
|*                                                                            *|
|* This file is distributed under the University of Illinois Open Source      *|
|* License. See LICENSE.TXT for details.                                      *|
|*                                                                            *|
|*===----------------------------------------------------------------------===*|
|*                                                                            *|

## PointerLikeTypeTraits.h
//===- llvm/Support/PointerLikeTypeTraits.h - Pointer Traits ----*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines the PointerLikeTypeTraits class.  This allows data
// structures to reason about pointers and other things that are pointer sized.

## XProtect_2112_hashes.txt
XProtect_MACOS_60a3d68:0007f3ac26579c5c519f88e9b3bb0e64155f0fa43c2db7645a767e633136a33f
XProtect_MACOS_60a3d68:0065e1f7389913cf81aed29bddfbf1d0c31715d602f5ee9bd73af09b79b64e71
XProtect_MACOS_60a3d68:009f23221bc4fc907dabf5e85c496d2be2e94dbf206d878fa4c0557c2cd4044d
XProtect_MACOS_60a3d68:00a0215fd96eb4b217de3498a02188759a6aaaca0c97854141e6970e7ed3a5ff
XProtect_MACOS_60a3d68:015a012379ba3b4a570e72d97673757aa7ed6233e5899ed76ed69392f6c4a189
XProtect_MACOS_60a3d68:0179c39f2ae4a90f3786aeb9e7fa4ce1bf6258fd362909eb7f9940035eb124d6
XProtect_MACOS_60a3d68:019522b4ff2082b448e21b4455d95cbfc307672260dc1c786cb91560be0c86d3
XProtect_MACOS_60a3d68:01fca671c27dc89e35a919d18958f1384f7b43e7b92008d5e1510536d48a6d45
XProtect_MACOS_60a3d68:022046d1111b6839b3f748bc08c04dfc22e4cdffb64ff49683668ecdf0263a6c
XProtect_MACOS_60a3d68:02495af390bcb5c028204e211fdf9531d0631780b644e5d36cc5c20be3b86509

## XProtect_2111_hashes.txt
XProtect_MACOS_03b5cbe:1276b53d7e4614297295c29a658406ff090140041dc3691eadc61f705a405292
XProtect_MACOS_03b5cbe:94322c09a282692d521d02fa4c30e497963690f477b860e1feb9b48fd1f6cafe
XProtect_MACOS_03b5cbe:ca0db652de6e0e1e3d9b287d1e3e3ca996e283c9bf229d8feb5bc8b41d9b641b
XProtect_MACOS_5af1486:202242485088d66357f34bb6172e58eaa88c007c6263e273e3e71ad33529f2ba
XProtect_MACOS_5af1486:300c60df1cf023340ecf55da31ed5aae1c2d58caf0f76736479fcddc7d9006cd
XProtect_MACOS_5af1486:325a3669a2103094e09c125411e5635f47ca027e56c259a1658505fc0a7328ad
XProtect_MACOS_5af1486:34ded42dcb9a554f601079af0a467932384c8b0e55861d2aa208c87099cff339
XProtect_MACOS_5af1486:3620531484b0cbebd4b5360d18c9225fba7df70b4725556742f717fb605a3b8c
XProtect_MACOS_5af1486:42fef43a56a76820eab80d8afa1828fb12a4988af071eb501fcb7b1c46dc4f7f
XProtect_MACOS_5af1486:4c640459463b49b814744d71504b0804ac45ea518d4d26f8d3464bf64d10a2de

## CoreServicesUIAgentClient.m
//
//  main.m
//
//  Created by Scott Knight on 12/12/19.
//  Copyright © 2019 Scott Knight. All rights reserved.
//

#import <Foundation/Foundation.h>
#import <os/log.h>

## XProtect_2109_hashes.txt
XProtect_MACOS_0dd569a:02f81a2a23efac96f3d25d39d13d30abc67425611ee053e5b958c3358a507ecb
XProtect_MACOS_0dd569a:05362d0fd814fad075b220f33d7019db46c08caf7bb39492f6eae90be836e9c4
XProtect_MACOS_0dd569a:05536448fe3312d1c4e8dbdf4512752e1483ae84ec3c5cce8dcb1dce2b175311
XProtect_MACOS_0dd569a:066b26b76ccc444bd75994f7d8e1461093567e10fd64ba0fa2daa6406f031dd7
XProtect_MACOS_0dd569a:08f71ef6ec870c4c70c861b77456bd18a04a8113de518639e7335e133473c9db
XProtect_MACOS_0dd569a:0c529ca177c4525783a0a0675cb597fd6d9ffb6beba7bce9c3b4555229c35c9d
XProtect_MACOS_0dd569a:0d214ee00e05ba873ff6755f55c668e39421ed390302a0a795c176ff41eca6f6
XProtect_MACOS_0dd569a:188e0aadb2a67772bb41a1a7f071bbfa883c37483fe1b4462bb5865a5c4e10b9
XProtect_MACOS_0dd569a:218a90e405170ea20588eb677b279d0f2a78817bb971d383d7fc742b0997f8e0
XProtect_MACOS_0dd569a:2764a8e9edfc43da3c7a85364255e384a35719e516c18083f77334faa89ec05d

## TeslaClient.m
//
//  main.m
//  TeslaClient
//
//  Created by Scott Knight on 6/11/19.
//  Copyright © 2019 Scott Knight. All rights reserved.
//

#import <Foundation/Foundation.h>

## main.m
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <os/log.h>
#import <bsm/libbsm.h>

/*
 In the beta 1 seed it's not straight forward to create an EndpointSecurity extension.
 You can use libEndpointSecurity.dylib directly as long as you set the following things:

 1. Disable SIP

## step.py
from __future__ import print_function

import lldb

# This class will single step until the next call assembly instruction
# and then print out all the arguement registers
class Call:
    def __init__(self, thread_plan, dict):
        self.thread_plan = thread_plan

## psx.c
#include <stdio.h>
#include <stdlib.h>
#include <libproc.h>
#include <mach/mach.h>

bool
has_modifications(struct task_extmod_info *info)
{
    if ((info->extmod_statistics.thread_creation_count > 0) ||
        (info->extmod_statistics.thread_set_state_count > 0)) {
	/* include/llvm/Support/DataTypes.h. Generated from DataTypes.h.in by configure. */
	/===-- include/Support/DataTypes.h - Define fixed size types ------ C --===\
	\|* *\|
	\|* The LLVM Compiler Infrastructure *\|
	\|* *\|
	\|* This file is distributed under the University of Illinois Open Source *\|
	\|* License. See LICENSE.TXT for details. *\|
	\|* *\|
	\|===----------------------------------------------------------------------===\|
	\|* *\|
	//===- llvm/Support/PointerLikeTypeTraits.h - Pointer Traits ----- C++ --===//
	//
	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
	// See https://llvm.org/LICENSE.txt for license information.
	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
	//
	//===----------------------------------------------------------------------===//
	//
	// This file defines the PointerLikeTypeTraits class. This allows data
	// structures to reason about pointers and other things that are pointer sized.
	XProtect_MACOS_60a3d68:0007f3ac26579c5c519f88e9b3bb0e64155f0fa43c2db7645a767e633136a33f
	XProtect_MACOS_60a3d68:0065e1f7389913cf81aed29bddfbf1d0c31715d602f5ee9bd73af09b79b64e71
	XProtect_MACOS_60a3d68:009f23221bc4fc907dabf5e85c496d2be2e94dbf206d878fa4c0557c2cd4044d
	XProtect_MACOS_60a3d68:00a0215fd96eb4b217de3498a02188759a6aaaca0c97854141e6970e7ed3a5ff
	XProtect_MACOS_60a3d68:015a012379ba3b4a570e72d97673757aa7ed6233e5899ed76ed69392f6c4a189
	XProtect_MACOS_60a3d68:0179c39f2ae4a90f3786aeb9e7fa4ce1bf6258fd362909eb7f9940035eb124d6
	XProtect_MACOS_60a3d68:019522b4ff2082b448e21b4455d95cbfc307672260dc1c786cb91560be0c86d3
	XProtect_MACOS_60a3d68:01fca671c27dc89e35a919d18958f1384f7b43e7b92008d5e1510536d48a6d45
	XProtect_MACOS_60a3d68:022046d1111b6839b3f748bc08c04dfc22e4cdffb64ff49683668ecdf0263a6c
	XProtect_MACOS_60a3d68:02495af390bcb5c028204e211fdf9531d0631780b644e5d36cc5c20be3b86509
	XProtect_MACOS_03b5cbe:1276b53d7e4614297295c29a658406ff090140041dc3691eadc61f705a405292
	XProtect_MACOS_03b5cbe:94322c09a282692d521d02fa4c30e497963690f477b860e1feb9b48fd1f6cafe
	XProtect_MACOS_03b5cbe:ca0db652de6e0e1e3d9b287d1e3e3ca996e283c9bf229d8feb5bc8b41d9b641b
	XProtect_MACOS_5af1486:202242485088d66357f34bb6172e58eaa88c007c6263e273e3e71ad33529f2ba
	XProtect_MACOS_5af1486:300c60df1cf023340ecf55da31ed5aae1c2d58caf0f76736479fcddc7d9006cd
	XProtect_MACOS_5af1486:325a3669a2103094e09c125411e5635f47ca027e56c259a1658505fc0a7328ad
	XProtect_MACOS_5af1486:34ded42dcb9a554f601079af0a467932384c8b0e55861d2aa208c87099cff339
	XProtect_MACOS_5af1486:3620531484b0cbebd4b5360d18c9225fba7df70b4725556742f717fb605a3b8c
	XProtect_MACOS_5af1486:42fef43a56a76820eab80d8afa1828fb12a4988af071eb501fcb7b1c46dc4f7f
	XProtect_MACOS_5af1486:4c640459463b49b814744d71504b0804ac45ea518d4d26f8d3464bf64d10a2de
	//
	// main.m
	//
	// Created by Scott Knight on 12/12/19.
	// Copyright © 2019 Scott Knight. All rights reserved.
	//

	#import <Foundation/Foundation.h>
	#import <os/log.h>
	XProtect_MACOS_0dd569a:02f81a2a23efac96f3d25d39d13d30abc67425611ee053e5b958c3358a507ecb
	XProtect_MACOS_0dd569a:05362d0fd814fad075b220f33d7019db46c08caf7bb39492f6eae90be836e9c4
	XProtect_MACOS_0dd569a:05536448fe3312d1c4e8dbdf4512752e1483ae84ec3c5cce8dcb1dce2b175311
	XProtect_MACOS_0dd569a:066b26b76ccc444bd75994f7d8e1461093567e10fd64ba0fa2daa6406f031dd7
	XProtect_MACOS_0dd569a:08f71ef6ec870c4c70c861b77456bd18a04a8113de518639e7335e133473c9db
	XProtect_MACOS_0dd569a:0c529ca177c4525783a0a0675cb597fd6d9ffb6beba7bce9c3b4555229c35c9d
	XProtect_MACOS_0dd569a:0d214ee00e05ba873ff6755f55c668e39421ed390302a0a795c176ff41eca6f6
	XProtect_MACOS_0dd569a:188e0aadb2a67772bb41a1a7f071bbfa883c37483fe1b4462bb5865a5c4e10b9
	XProtect_MACOS_0dd569a:218a90e405170ea20588eb677b279d0f2a78817bb971d383d7fc742b0997f8e0
	XProtect_MACOS_0dd569a:2764a8e9edfc43da3c7a85364255e384a35719e516c18083f77334faa89ec05d
	//
	// main.m
	// TeslaClient
	//
	// Created by Scott Knight on 6/11/19.
	// Copyright © 2019 Scott Knight. All rights reserved.
	//

	#import <Foundation/Foundation.h>
	#import <Foundation/Foundation.h>
	#import <EndpointSecurity/EndpointSecurity.h>
	#import <os/log.h>
	#import <bsm/libbsm.h>

	/*
	In the beta 1 seed it's not straight forward to create an EndpointSecurity extension.
	You can use libEndpointSecurity.dylib directly as long as you set the following things:

	1. Disable SIP
	from __future__ import print_function

	import lldb

	# This class will single step until the next call assembly instruction
	# and then print out all the arguement registers
	class Call:
	def __init__(self, thread_plan, dict):
	self.thread_plan = thread_plan
	#include <stdio.h>
	#include <stdlib.h>
	#include <libproc.h>
	#include <mach/mach.h>

	bool
	has_modifications(struct task_extmod_info *info)
	{
	if ((info->extmod_statistics.thread_creation_count > 0) \|\|
	(info->extmod_statistics.thread_set_state_count > 0)) {