Use AMFI to check AMFI dynamic cache and clean up kern_funcs

author: Sam Bingner <sam@bingner.com> 2018-12-21 14:57:51 -1000
committer: Sam Bingner <sam@bingner.com> 2018-12-21 14:57:51 -1000
commit: ae8077efe69311b8eee2846affebd6194b7b29c4 (patch)
tree: 15f39189fd0031e93f32e96e510604d6b92fb5ec
parent: ee8a0cfb5148f3376fbfe7103354811c6b69c64f (diff)
4 files changed, 35 insertions, 112 deletions
diff --git a/Makefile b/Makefile
index cf1826f..598ca50 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ TOOL_NAME = inject
 inject_CODESIGN_FLAGS = -Hsha256 -Hsha1 -Sentitlements.xml
 inject_FRAMEWORKS = IOKit Security
 inject_CFLAGS = -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=missing-braces -Iinclude
+inject_LIBRARIES = mis
 inject_FILES = inject.m patchfinder64.c kern_funcs.c
 
 include $(THEOS_MAKE_PATH)/tool.mk
diff --git a/control b/control
index 99d91ee..d2e93b2 100644
--- a/control
+++ b/control
@@ -1,6 +1,6 @@
 Package: trustinjector
 Name: Trust Cache Injector
-Version: 0.1
+Version: 0.2
 Architecture: iphoneos-arm
 Description: Inject files to kernel trust cache
 Maintainer: Sam Bingner <maintainer@sbdhi.com>
diff --git a/inject.m b/inject.m
index b6e2b21..c332d9e 100644
--- a/inject.m
+++ b/inject.m
@@ -16,6 +16,14 @@
 OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes, SecStaticCodeRef  _Nullable *staticCode);
 OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags, CFDictionaryRef  _Nullable *information);
 CFStringRef (*_SecCopyErrorMessageString)(OSStatus status, void * __nullable reserved) = NULL;
+extern int MISValidateSignatureAndCopyInfo(NSString *file, NSDictionary *options, NSDictionary **info);
+
+extern NSString *MISCopyErrorStringForErrorCode(int err);
+extern NSString *kMISValidationOptionRespectUppTrustAndAuthorization;
+extern NSString *kMISValidationOptionValidateSignatureOnly;
+extern NSString *kMISValidationOptionUniversalFileOffset;
+extern NSString *kMISValidationOptionAllowAdHocSigning;
+extern NSString *kMISValidationOptionOnlineAuthorization;
  
 mach_port_t tfp0 = MACH_PORT_NULL;
 
@@ -38,9 +46,6 @@ struct hash_entry_t {
     uint16_t start;
 } __attribute__((packed));
 
-struct hash_entry_t amfiIndex[0x100];
-char *amfiData = NULL;
-
 typedef uint8_t hash_t[TRUST_CDHASH_LEN];
 
 mach_port_t try_restore_port() {
@@ -57,62 +62,21 @@ mach_port_t try_restore_port() {
     return MACH_PORT_NULL;
 }
 
-void free_amfitab() {
-    if (amfiData != NULL) {
-        free(amfiData);
-        amfiData = NULL;
-    }
-}
-
-bool init_amfitab(uint64_t amfitab) {
-    if (amfitab == 0)
-        return false;
-
-    int rv = kread(amfitab, &amfiIndex, sizeof(amfiIndex));
-    size_t len = 0;
-
-    for(int i=0; i<0x100; i++) {
-        len += amfiIndex[i].num * 19;
-    }
-    free_amfitab();
-    amfiData = malloc(len);
-    rv = kread(amfitab + sizeof(amfiIndex), amfiData, len);
-    return true;
-}
-
-bool check_amfi(uint64_t amfitab, NSData *hashData) {
-    const char *hash = [hashData bytes];
-    unsigned char idx = hash[0];
-    hash++;
-    if (amfiData == NULL && !init_amfitab(amfitab)) {
-        return false;
-    }
-    if (amfiIndex[idx].num == 0 || amfiIndex[idx].start == 0) {
-        fprintf(stderr, "Nothing found to check in amficache (wrong?)\n");
-        return false;
-    }
-
-    char *amfiNext = amfiData + (amfiIndex[idx].start + amfiIndex[idx].num) * 19;
-    for (char *amfi = amfiData + amfiIndex[idx].start * 19; amfi < amfiNext; amfi += 19) {
-        if (memcmp(hash, amfi, 19) == 0) {
-            return true;
-        }
-    }
-
-    return false;
+bool check_amfi(NSString *path) {
+    return MISValidateSignatureAndCopyInfo(path, @{kMISValidationOptionAllowAdHocSigning: @YES, kMISValidationOptionRespectUppTrustAndAuthorization: @YES}, NULL) == 0;
 }
 
-NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes, uint64_t amfitab) {
+NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes) {
   NSArray *result;
   @autoreleasepool {
     NSMutableDictionary *filtered = [hashes mutableCopy];
     for (NSData *cdhash in [filtered allKeys]) {
-        if (check_amfi(amfitab, cdhash)) {
-            printf("%s: already in amfi trustcache, not reinjecting\n", [filtered[cdhash] UTF8String]);
+        if (check_amfi(filtered[cdhash])) {
+            printf("%s: already in static trustcache, not reinjecting\n", [filtered[cdhash] UTF8String]);
             [filtered removeObjectForKey:cdhash];
         }
     }
-    free_amfitab();
+
     struct trust_mem search;
     search.next = trust_chain;
     while (search.next != 0) {
@@ -143,7 +107,7 @@ NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes, uint64_t amf
   return [result autorelease];
 }
 
-int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amficache) {
+int injectTrustCache(int argc, char* argv[], uint64_t trust_chain) {
   @autoreleasepool {
     struct trust_mem mem;
     uint64_t kernel_trust = 0;
@@ -205,7 +169,7 @@ int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amfi
     }
 
 
-    NSArray *filtered = filteredHashes(mem.next, hashes, amficache);
+    NSArray *filtered = filteredHashes(mem.next, hashes);
     int hashesToInject = [filtered count];
     printf("%d new hashes to inject\n", hashesToInject);
     if (hashesToInject < 1) {
@@ -251,11 +215,9 @@ int main(int argc, char* argv[]) {
     uint64_t kernel_base = get_kernel_base(tfp0);
     init_kernel(kernel_base, NULL);
     uint64_t trust_chain = find_trustcache();
-    uint64_t amficache = find_amficache();
     term_kernel();
-    bzero(amfiIndex, sizeof(amfiIndex));
     printf("Injecting to trust cache...\n");
-    int ninjected = injectTrustCache(argc, argv, trust_chain, amficache);
+    int ninjected = injectTrustCache(argc, argv, trust_chain);
     printf("Successfully injected [%d/%d] to trust cache.\n", ninjected, argc - 1);
     return argc - ninjected - 1;
 }
diff --git a/kern_funcs.c b/kern_funcs.c
index 09e1e4f..cd43438 100644
--- a/kern_funcs.c
+++ b/kern_funcs.c
@@ -21,75 +21,30 @@
 #include "CSCommon.h"
 
 extern mach_port_t tfp0;
+size_t kread(uint64_t where, void *p, size_t size);
+size_t kwrite(uint64_t where, const void *p, size_t size);
 
 void wk32(uint64_t kaddr, uint32_t val) {
-    if (tfp0 == MACH_PORT_NULL) {
-        printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
-        sleep(3);
-        return;
-    }
-   
-    kern_return_t err;
-    err = mach_vm_write(tfp0,
-                        (mach_vm_address_t)kaddr,
-                        (vm_offset_t)&val,
-                        (mach_msg_type_number_t)sizeof(uint32_t));
-   
-    if (err != KERN_SUCCESS) {
-        printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
-        return;
-    }
+    kwrite(kaddr, &val, sizeof(uint32_t));
 }
  
 void wk64(uint64_t kaddr, uint64_t val) {
-    uint32_t lower = (uint32_t)(val & 0xffffffff);
-    uint32_t higher = (uint32_t)(val >> 32);
-    wk32(kaddr, lower);
-    wk32(kaddr+4, higher);
+    kwrite(kaddr, &val, sizeof(uint64_t));
 }
  
 uint32_t rk32(uint64_t kaddr) {
-    kern_return_t err;
     uint32_t val = 0;
-    mach_vm_size_t outsize = 0;
-    err = mach_vm_read_overwrite(tfp0,
-                                 (mach_vm_address_t)kaddr,
-                                 (mach_vm_size_t)sizeof(uint32_t),
-                                 (mach_vm_address_t)&val,
-                                 &outsize);
-    if (err != KERN_SUCCESS){
-        printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
-        sleep(3);
-        return 0;
-    }
-   
-    if (outsize != sizeof(uint32_t)){
-        printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
-        sleep(3);
+
+    if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
         return 0;
     }
     return val;
 }
  
 uint64_t rk64(uint64_t kaddr) {
-    kern_return_t err;
     uint64_t val = 0;
-    mach_vm_size_t outsize = 0;
-    err = mach_vm_read_overwrite(tfp0,
-            (mach_vm_address_t)kaddr,
-            (mach_vm_size_t)sizeof(uint64_t),
-            (mach_vm_address_t)&val,
-            &outsize);
-
-    if (err != KERN_SUCCESS){
-        printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
-        sleep(3);
-        return 0;
-    }
 
-    if (outsize != sizeof(uint64_t)){
-        printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint64_t), outsize);
-        sleep(3);
+    if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
         return 0;
     }
     return val;
@@ -163,8 +118,7 @@ vm_address_t get_kernel_base(mach_port_t tfp0)
     }
 }
  
-size_t
-kread(uint64_t where, void *p, size_t size)
+size_t kread(uint64_t where, void *p, size_t size)
 {
     int rv;
     size_t offset = 0;
@@ -183,11 +137,17 @@ kread(uint64_t where, void *p, size_t size)
     return offset;
 }
  
-size_t
-kwrite(uint64_t where, const void *p, size_t size)
+size_t kwrite(uint64_t where, const void *p, size_t size)
 {
     int rv;
     size_t offset = 0;
+
+    if (tfp0 == MACH_PORT_NULL) {
+        printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
+        sleep(3);
+        return offset;
+    }
+   
     while (offset < size) {
         size_t chunk = 2048;
         if (chunk > size - offset) {
author	Sam Bingner <sam@bingner.com>	2018-12-21 14:57:51 -1000
committer	Sam Bingner <sam@bingner.com>	2018-12-21 14:57:51 -1000
commit	ae8077efe69311b8eee2846affebd6194b7b29c4 (patch)
tree	15f39189fd0031e93f32e96e510604d6b92fb5ec
parent	ee8a0cfb5148f3376fbfe7103354811c6b69c64f (diff)