
knightsc / hijack.c
Created February 26, 2019 21:20
Example of how to hijack a thread on macOS to run code in a remote process
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <dlfcn.h>
#include <objc/runtime.h>
knightsc / inject.c
Last active March 19, 2024 01:14
An example of how to inject code to call dlopen and load a dylib into a remote mach task. Tested on 10.13.6 and 10.14.3
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <mach/mach.h>
#include <mach/error.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
knightsc / spxpc.m
Created February 20, 2019 19:45
Example of how the Security.framework calls into `syspolicyd` for Gatekeeper functionality
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <stdint.h>
// NOTE(review): SecAssessmentFlags is redeclared here instead of being taken from
// Security.framework — presumably because the SecAssessment header is SPI and not
// part of the public SDK; confirm against the SDK in use before relying on it.
typedef uint64_t SecAssessmentFlags;
enum {
kSecAssessmentDefaultFlags = 0, // default behavior
knightsc / aspmig.c
Created February 14, 2019 16:18
Example of sending a notify_32bit_exec MIG message to syspolicyd
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <mach/mach.h>
/*
Sending this message lets a caller write into /var/db/SystemPolicyConfiguration/ExecPolicy
even with SIP enabled: before syspolicyd decides whether the values you pass can
actually be validated, it has already persisted them to the ExecPolicy database.
(Observed on the macOS builds this gist was written against; re-verify on newer releases.)
knightsc / kext_deps.py
Created February 12, 2019 17:30
Scans all kexts in /System/Library/Extensions and generates a graphml graph representation of the dependencies.
import plistlib
import subprocess
import os
def main():
output = subprocess.check_output(['find', '/System/Library/Extensions', '-name', '*.kext', '-print'])
print('<?xml version="1.0" encoding="UTF-8"?>')
print('<graphml xmlns="http://graphml.graphdrawing.org/xmlns">')
print(' <graph id="G" edgedefault="undirected">')
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <mach/mach.h>
/*
#include <spawn.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <mach/mach.h>
#define MACH_ERR(str, err) do { \
if (err != KERN_SUCCESS) { \
<?xml version="1.0" encoding="UTF-8"?>
<graphml xmlns="http://graphml.graphdrawing.org/xmlns">
<graph id="G" edgedefault="undirected">
<node id="Kernel"/>
<node id="AppleEmbeddedOSSupportHost"/>
<node id="AppleSMCLMU"/>
<node id="AppleIntelLpssSpiController"/>
<node id="IOSkywalkFamily"/>
<node id="BridgeAudioCommunication"/>
<node id="ntfs"/>
knightsc / build-xnu-4903.221.2.sh
Last active August 25, 2019 12:07
A script to build XNU version 4903.221.2 (macOS Mojave 10.14.1).
#! /bin/bash
#
# build-xnu-4903.221.2.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 4903.221.2 on macOS Mojave
# 10.14 with Xcode 10.1.
knightsc / dmg_rom.asm
Created November 19, 2018 21:43
Game Boy boot rom disassembly
/*
--------------------------------------------------------------------------------
File: dmg_rom.bin
File created with Hopper 4.4.7
Analysis version 55
Loader: RAW
CPU: Sharp/LR35902
64 bits (Little Endian)