imbushuo

// simplevm.c: demonstrates Hypervisor.Framework usage in Apple Silicon
// Based on the work by @zhuowei
// @imbushuo - Nov 2020

// To build:
// Prepare the entitlement with BOTH com.apple.security.hypervisor and com.apple.vm.networking WHEN SIP IS OFF
// Prepare the entitlement com.apple.security.hypervisor and NO com.apple.vm.networking WHEN SIP IS ON
// ^ Per @never_released, tested on 11.0.1, idk why
// clang -o simplevm -O2 -framework Hypervisor -mmacosx-version-min=11.0 simplevm.c
// codesign --entitlements simplevm.entitlements --force -s - simplevm             

saagarjha

#!/bin/sh

set -eu

create_iconset() {
	mkdir -p Ghidra.iconset
	cat << EOF > Ghidra.iconset/Contents.json
{
	"images":
	[

jakeajames

//
//  exploit.c
//  extra_time
//
//  Created by Jake James on 2/8/20.
//  Copyright © 2020 Jake James. All rights reserved.
//

#include "exploit.h"
#include "IOAccelerator_stuff.h"

knightsc

#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <mach/mach.h>
#include <mach/error.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/sysctl.h>
#include <sys/mman.h>

Siguza

// Moved here: https://github.com/Siguza/misc/blob/master/dsc_syms.c

pedramamini

import "hash"

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca

}

alexprivalov

Title : Revisiting Mac OS X Kernel Rootkits
Author : fG!
Date : April 18, 2014

|=----------------------------------------------------------------------------=|
|=----------------=[ Revisiting Mac OS X Kernel Rootkits ]=-------------------=|
|=----------------------------------------------------------------------------=|
|=------------------------=[ fG! <phrack@put.as> ]=---------------------------=|
|=----------------------------------------------------------------------------=|