
@nikolay-n
nikolay-n / keycodes.txt
Created December 11, 2020 16:52
CGKeyCode values
a = 0
s = 1
d = 2
f = 3
h = 4
g = 5
z = 6
x = 7
c = 8
v = 9
@nikolay-n
nikolay-n / syscalls.txt
Last active February 14, 2024 21:17
macOS syscall
syscall = 0
exit = 1
fork = 2
read = 3
write = 4
open = 5
close = 6
wait4 = 7
link = 9
unlink = 10
@nikolay-n
nikolay-n / defsmon.py
Last active October 29, 2022 14:26
Defaults Monitor - tool to sniff defaults keys and values using unified log
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
'''
Defaults Monitor - tool to sniff defaults keys and values using unified log
to launch use standard python 2.7, eg python2.7 ./defsmon.py
'''
import os
@nikolay-n
nikolay-n / scanner.py
Created December 4, 2020 17:19
Wiggle permissions error fix "wiggle/agent/scanner.py"
import os
import pathlib
import logging
from agent.importer import add
class Scanner(object):
def __init__(self, directories, model, sysroot='/', block_list=None):
self.directories = map(pathlib.Path, directories)
@nikolay-n
nikolay-n / brightness.py
Created November 7, 2020 16:20
Get/Set brightness macOS 10.13+
#!/usr/bin/python
from ctypes import CDLL, c_int, c_double
from Quartz import CGMainDisplayID
# ID of the main display, obtained from Quartz; passed as the first argument to the CoreDisplay calls.
main_display_id = CGMainDisplayID()
# Load the CoreDisplay framework binary directly through ctypes (no Python bindings involved).
# NOTE(review): the CoreDisplay_Display_* symbols used below do not appear to be a documented
# public API; confirm they exist on every macOS release this script is run on.
CoreDisplay = CDLL("/System/Library/Frameworks/CoreDisplay.framework/CoreDisplay")
# Declare the setter's arguments as (int display id, double brightness) so ctypes marshals them correctly.
CoreDisplay.CoreDisplay_Display_SetUserBrightness.argtypes = [c_int, c_double]
# NOTE(review): only argtypes is declared in these lines. ctypes assumes an int return value by
# default, so if the getter returns the brightness as a double (the setter takes one) it also
# needs restype = c_double; confirm that is set further down the file.
CoreDisplay.CoreDisplay_Display_GetUserBrightness.argtypes = [c_int]
@nikolay-n
nikolay-n / lock-status.py
Last active November 7, 2020 14:30
Checks lock screen status
from Foundation import NSBundle
import objc
# Width in bits used to derive INT_MAX below.
BIT_WIDTH = 32
# Largest signed 32-bit integer (2**31 - 1).
# NOTE(review): presumably compared against the grace period later in the file; not visible here.
INT_MAX = 2**(BIT_WIDTH-1)-1
# MobileKeyBag is loaded from PrivateFrameworks, i.e. an unsupported interface that can change
# or disappear between macOS releases.
# NOTE(review): the result is not checked here; confirm the bundle was actually found.
MobileKeyBag = NSBundle.bundleWithPath_('/System/Library/PrivateFrameworks/MobileKeyBag.framework')
# Bind the C function MKBDeviceGetGracePeriod into this module's globals. The signature string
# '@@' declares an Objective-C object return value and a single object argument.
objc.loadBundleFunctions(MobileKeyBag, globals(), [('MKBDeviceGetGracePeriod', '@@')])
# Call the function with an empty dict as its only argument.
# NOTE(review): the shape and meaning of the returned object are not visible in these lines.
grace = MKBDeviceGetGracePeriod({});
@nikolay-n
nikolay-n / glitch.py
Created November 5, 2020 18:10
Screen glitch example
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
import Foundation
import AppKit
import WebKit
import Quartz
import ctypes
from PyObjCTools import AppHelper
from objc import _objc, nil, super, pyobjc_unicode, registerMetaDataForSelector
@nikolay-n
nikolay-n / mbam-fake-auth.py
Created October 13, 2020 18:36
Fake privileged helper auth
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
import os
import sys
import subprocess
import shutil
import time
# Absolute path to the Python.app launcher binary inside the system Python 2.7 framework.
python_bin = "/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"
# Ask Spotlight (mdfind) for bundles whose CFBundleIdentifier is
# com.malwarebytes.mbam.frontend.launcher and keep its output with leading/trailing newlines
# removed. check_output raises CalledProcessError if mdfind exits non-zero.
# NOTE(review): only "\n" at the ends is stripped, so the value is an empty string when nothing
# matches and several newline-separated paths when more than one bundle matches.
# NOTE(review): a bundle identifier is metadata the bundle declares about itself; a Spotlight
# match is not evidence that the bundle is the vendor's signed application.
# NOTE(review): .strip("\n") relies on Python 2 str output (see the shebang); on Python 3
# check_output returns bytes and this call would raise TypeError.
last_bundle_path = subprocess.check_output(['mdfind', "kMDItemCFBundleIdentifier == com.malwarebytes.mbam.frontend.launcher"]).strip("\n")
#!/usr/bin/env perl
# Files that were born at nearly the same time
# Usage: perl files_born.pl file_path [5s|m|h|d]
use IPC::Open2;
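# Command-line arguments: the reference file and an optional interval
# (a number followed by s, m, h or d; defaults to one minute).
my $file = shift;
defined $file or die "Usage: perl files_born.pl file_path [5s|m|h|d]\n";
my $interval = shift // "1m";
# Spotlight metadata attribute holding the file's creation date.
my $attr = "kMDItemFSCreationDate";
# Read the creation date with mdls. The list form of open() runs mdls directly,
# without a shell, so quotes, backticks or $(...) in the file path are passed
# through as plain data instead of being interpreted as shell syntax.
# NOTE(review): a path that begins with "-" may still be read by mdls as an option.
my $c_date = do {
    open(my $mdls_out, '-|', 'mdls', '-raw', '-name', $attr, $file)
        or die "Cannot run mdls: $!\n";
    local $/;    # slurp the whole output as one string, as backticks did
    my $out = <$mdls_out>;
    close($mdls_out);
    $out // "";
};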
@nikolay-n
nikolay-n / gatekeeper_events.sh
Last active October 26, 2021 23:14
Querying Gatekeeper events from unified logs
#!/usr/bin/env bash
# Print Gatekeeper-related entries from the last day of the unified log.

# Run one `log show` query for the predicate given as $1, in syslog style,
# including info- and debug-level entries, limited to the last day.
show_events() {
  log show --style syslog --predicate "$1" --info --debug --last 1d
}

# These queries do not require private data to be enabled in the unified log.
show_events 'process == "taskgated" && eventMessage CONTAINS[c] "no system signature"'
show_events 'eventMessage CONTAINS[c] "MalwareFileNameFullOrPart"'
show_events 'process == "kernel" && eventMessage CONTAINS[c] "Security policy would not allow process"'

# These queries require private data to be enabled in the unified log.
show_events 'process == "CoreServicesUIAgent" && eventMessage CONTAINS[c] "bundle="'
show_events 'subsystem == "com.apple.launchservices" && category == "code-evaluation"'