From ae8077efe69311b8eee2846affebd6194b7b29c4 Mon Sep 17 00:00:00 2001
From: Sam Bingner
Date: Fri, 21 Dec 2018 14:57:51 -1000
Subject: Use AMFI to check AMFI dynamic cache and clean up kern_funcs
---
 Makefile | 1 +
 control | 2 +-
 inject.m | 72 ++++++++++++++----------------------------------------------
 kern_funcs.c | 72 ++++++++++++++----------------------------------------------
 4 files changed, 35 insertions(+), 112 deletions(-)
diff --git a/Makefile b/Makefile
index cf1826f..598ca50 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ TOOL_NAME = inject
 inject_CODESIGN_FLAGS = -Hsha256 -Hsha1 -Sentitlements.xml
 inject_FRAMEWORKS = IOKit Security
 inject_CFLAGS = -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=missing-braces -Iinclude
+inject_LIBRARIES = mis
 inject_FILES = inject.m patchfinder64.c kern_funcs.c
 include $(THEOS_MAKE_PATH)/tool.mk
diff --git a/control b/control
index 99d91ee..d2e93b2 100644
--- a/control
+++ b/control
@@ -1,6 +1,6 @@
 Package: trustinjector
 Name: Trust Cache Injector
-Version: 0.1
+Version: 0.2
 Architecture: iphoneos-arm
 Description: Inject files to kernel trust cache
 Maintainer: Sam Bingner
diff --git a/inject.m b/inject.m
index b6e2b21..c332d9e 100644
--- a/inject.m
+++ b/inject.m
@@ -16,6 +16,14 @@ OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes, SecStaticCodeRef _Nullable *staticCode); OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags, CFDictionaryRef _Nullable *information); CFStringRef (*_SecCopyErrorMessageString)(OSStatus status, void * __nullable reserved) = NULL; +extern int MISValidateSignatureAndCopyInfo(NSString *file, NSDictionary *options, NSDictionary **info); + +extern NSString *MISCopyErrorStringForErrorCode(int err); +extern NSString *kMISValidationOptionRespectUppTrustAndAuthorization; +extern NSString *kMISValidationOptionValidateSignatureOnly; +extern NSString *kMISValidationOptionUniversalFileOffset; +extern NSString *kMISValidationOptionAllowAdHocSigning; +extern NSString *kMISValidationOptionOnlineAuthorization; mach_port_t tfp0 = MACH_PORT_NULL; @@ -38,9 +46,6 @@ struct hash_entry_t { uint16_t start; } __attribute__((packed)); -struct hash_entry_t amfiIndex[0x100]; -char *amfiData = NULL; - typedef uint8_t hash_t[TRUST_CDHASH_LEN]; mach_port_t try_restore_port() { 
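Review bot: The libmis prototypes added at the top of the hunk are hand-written declarations of a private API with no comment saying so, and nothing in the hunks shown uses `kMISValidationOptionValidateSignatureOnly`, `kMISValidationOptionUniversalFileOffset` or `kMISValidationOptionOnlineAuthorization`, so a reader cannot tell whether they are dead or reserved for later use. I would add `// Private libmis.dylib API (linked via inject_LIBRARIES = mis); prototypes are reverse-engineered and must be re-checked against each iOS version this targets.` above the block, and either drop the unused keys or note what they are kept for. `MISCopyErrorStringForErrorCode` follows the Copy rule and hands back a +1 object, and this file appears to be compiled without ARC (it still uses `autorelease` further down), so a one-line `// Copy rule: caller owns the returned string and must release it` next to its declaration would save a leak at the call site.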
@@ -57,62 +62,21 @@ mach_port_t try_restore_port() { return MACH_PORT_NULL; } -void free_amfitab() { - if (amfiData != NULL) { - free(amfiData); - amfiData = NULL; - } -} - -bool init_amfitab(uint64_t amfitab) { - if (amfitab == 0) - return false; - - int rv = kread(amfitab, &amfiIndex, sizeof(amfiIndex)); - size_t len = 0; - - for(int i=0; i<0x100; i++) { - len += amfiIndex[i].num * 19; - } - free_amfitab(); - amfiData = malloc(len); - rv = kread(amfitab + sizeof(amfiIndex), amfiData, len); - return true; -} - -bool check_amfi(uint64_t amfitab, NSData *hashData) { - const char *hash = [hashData bytes]; - unsigned char idx = hash[0]; - hash++; - if (amfiData == NULL && !init_amfitab(amfitab)) { - return false; - } - if (amfiIndex[idx].num == 0 || amfiIndex[idx].start == 0) { - fprintf(stderr, "Nothing found to check in amficache (wrong?)\n"); - return false; - } - - char *amfiNext = amfiData + (amfiIndex[idx].start + amfiIndex[idx].num) * 19; - for (char *amfi = amfiData + amfiIndex[idx].start * 19; amfi < amfiNext; amfi += 19) { - if (memcmp(hash, amfi, 19) == 0) { - return true; - } - } - - return false; +bool check_amfi(NSString *path) { + return MISValidateSignatureAndCopyInfo(path, @{kMISValidationOptionAllowAdHocSigning: @YES, kMISValidationOptionRespectUppTrustAndAuthorization: @YES}, NULL) == 0; } -NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes, uint64_t amfitab) { +NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes) { NSArray *result; @autoreleasepool { NSMutableDictionary *filtered = [hashes mutableCopy]; for (NSData *cdhash in [filtered allKeys]) { - if (check_amfi(amfitab, cdhash)) { - printf("%s: already in amfi trustcache, not reinjecting\n", [filtered[cdhash] UTF8String]); + if (check_amfi(filtered[cdhash])) { + printf("%s: already in static trustcache, not reinjecting\n", [filtered[cdhash] UTF8String]); [filtered removeObjectForKey:cdhash]; } } - free_amfitab(); + struct trust_mem search; search.next = 
trust_chain; while (search.next != 0) { @@ -143,7 +107,7 @@ NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes, uint64_t amf return [result autorelease]; } -int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amficache) { +int injectTrustCache(int argc, char* argv[], uint64_t trust_chain) { @autoreleasepool { struct trust_mem mem; uint64_t kernel_trust = 0; @@ -205,7 +169,7 @@ int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amfi } - NSArray *filtered = filteredHashes(mem.next, hashes, amficache); + NSArray *filtered = filteredHashes(mem.next, hashes); int hashesToInject = [filtered count]; printf("%d new hashes to inject\n", hashesToInject); if (hashesToInject < 1) { @@ -251,11 +215,9 @@ int main(int argc, char* argv[]) { uint64_t kernel_base = get_kernel_base(tfp0); init_kernel(kernel_base, NULL); uint64_t trust_chain = find_trustcache(); - uint64_t amficache = find_amficache(); term_kernel(); - bzero(amfiIndex, sizeof(amfiIndex)); printf("Injecting to trust cache...\n"); - int ninjected = injectTrustCache(argc, argv, trust_chain, amficache); + int ninjected = injectTrustCache(argc, argv, trust_chain); printf("Successfully injected [%d/%d] to trust cache.\n", ninjected, argc - 1); return argc - ninjected - 1; } diff --git a/kern_funcs.c b/kern_funcs.c index 09e1e4f..cd43438 100644 --- a/kern_funcs.c +++ b/kern_funcs.c 
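Review bot: `check_amfi` reduces every non-zero result of `MISValidateSignatureAndCopyInfo` to "not trusted", so a libmis failure (unreadable path, rejected option, a symbol that did not resolve) is indistinguishable from a binary that genuinely needs injection, and the error code is discarded even though `MISCopyErrorStringForErrorCode` was declared for exactly this. The caller's message, `already in static trustcache, not reinjecting`, also overstates what a 0 return proves: with `kMISValidationOptionRespectUppTrustAndAuthorization` set, a validly provisioned non-ad-hoc signature presumably passes as well (inferred from the option name, worth confirming), so such a binary is skipped for a different reason than the log claims — `already trusted by AMFI, not reinjecting` would be accurate. I would keep the return value, log the error string for non-zero results (the file appears to be compiled without ARC given `[result autorelease]` below, so the Copy-rule string must be released), and keep inject-on-error as the default, since a redundant trust-cache entry is harmless while a wrongly skipped one leaves the binary unrunnable. The enclosing `filteredHashes` continues past the end of this hunk.
```objc
bool check_amfi(NSString *path) {
    int rv = MISValidateSignatureAndCopyInfo(path, @{kMISValidationOptionAllowAdHocSigning: @YES, kMISValidationOptionRespectUppTrustAndAuthorization: @YES}, NULL);
    if (rv != 0) {
        // Every non-zero result leads to injection; surface it so libmis failures
        // are not silently mistaken for "hash not in the trust cache".
        NSString *why = MISCopyErrorStringForErrorCode(rv);
        fprintf(stderr, "%s: MISValidateSignatureAndCopyInfo returned %d (%s)\n",
                [path UTF8String], rv, why ? [why UTF8String] : "unknown");
        [why release];  // Copy rule, file is not ARC
    }
    return rv == 0;
}
```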
@@ -21,75 +21,30 @@ #include "CSCommon.h" extern mach_port_t tfp0; +size_t kread(uint64_t where, void *p, size_t size); +size_t kwrite(uint64_t where, const void *p, size_t size); void wk32(uint64_t kaddr, uint32_t val) { - if (tfp0 == MACH_PORT_NULL) { - printf("attempt to write to kernel memory before any kernel memory write primitives available\n"); - sleep(3); - return; - } - - kern_return_t err; - err = mach_vm_write(tfp0, - (mach_vm_address_t)kaddr, - (vm_offset_t)&val, - (mach_msg_type_number_t)sizeof(uint32_t)); - - if (err != KERN_SUCCESS) { - printf("tfp0 write failed: %s %x\n", mach_error_string(err), err); - return; - } + kwrite(kaddr, &val, sizeof(uint32_t)); } void wk64(uint64_t kaddr, uint64_t val) { - uint32_t lower = (uint32_t)(val & 0xffffffff); - uint32_t higher = (uint32_t)(val >> 32); - wk32(kaddr, lower); - wk32(kaddr+4, higher); + kwrite(kaddr, &val, sizeof(uint64_t)); } uint32_t rk32(uint64_t kaddr) { - kern_return_t err; uint32_t val = 0; - mach_vm_size_t outsize = 0; - err = mach_vm_read_overwrite(tfp0, - (mach_vm_address_t)kaddr, - (mach_vm_size_t)sizeof(uint32_t), - (mach_vm_address_t)&val, - &outsize); - if (err != KERN_SUCCESS){ - printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0); - sleep(3); - return 0; - } - - if (outsize != sizeof(uint32_t)){ - printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize); - sleep(3); + + if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) { return 0; } return val; } uint64_t rk64(uint64_t kaddr) { - kern_return_t err; uint64_t val = 0; - mach_vm_size_t outsize = 0; - err = mach_vm_read_overwrite(tfp0, - (mach_vm_address_t)kaddr, - (mach_vm_size_t)sizeof(uint64_t), - (mach_vm_address_t)&val, - &outsize); - - if (err != KERN_SUCCESS){ - printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0); - sleep(3); - return 0; - } - if (outsize != sizeof(uint64_t)){ - printf("tfp0 read was 
short (expected %lx, got %llx\n", sizeof(uint64_t), outsize); - sleep(3); + if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) { return 0; } return val; @@ -163,8 +118,7 @@ vm_address_t get_kernel_base(mach_port_t tfp0) } } -size_t -kread(uint64_t where, void *p, size_t size) +size_t kread(uint64_t where, void *p, size_t size) { int rv; size_t offset = 0; @@ -183,11 +137,17 @@ kread(uint64_t where, void *p, size_t size) return offset; } -size_t -kwrite(uint64_t where, const void *p, size_t size) +size_t kwrite(uint64_t where, const void *p, size_t size) { int rv; size_t offset = 0; + + if (tfp0 == MACH_PORT_NULL) { + printf("attempt to write to kernel memory before any kernel memory write primitives available\n"); + sleep(3); + return offset; + } + while (offset < size) { size_t chunk = 2048; if (chunk > size - offset) { -- cgit v1.2.3
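Review bot: The rewritten `wk32` and `wk64` discard `kwrite`'s return value, so a failed or short kernel write is now silent — the removed bodies at least reported `tfp0 write failed` — while the neighbouring `rk32`/`rk64` check `kread`'s length but then return 0, which a caller cannot distinguish from a genuine zero (the old code printed the address before returning). For a tool whose whole job is linking new entries into the kernel trust chain, a write that silently did not land is the worst failure mode: the chain pointer update in inject.m would be assumed to have succeeded. I would compare the returned length against `sizeof(val)` and report the address, and give the two read wrappers the same one-line report before their `return 0;`. `rk64`'s closing brace falls outside the hunk.
```c
void wk32(uint64_t kaddr, uint32_t val) {
    if (kwrite(kaddr, &val, sizeof(val)) != sizeof(val)) {
        fprintf(stderr, "kwrite of %zu bytes at 0x%llx failed\n", sizeof(val), kaddr);
    }
}

void wk64(uint64_t kaddr, uint64_t val) {
    if (kwrite(kaddr, &val, sizeof(val)) != sizeof(val)) {
        fprintf(stderr, "kwrite of %zu bytes at 0x%llx failed\n", sizeof(val), kaddr);
    }
}
```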
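Review bot: The new `tfp0 == MACH_PORT_NULL` guard in `kwrite` ends with `sleep(3)` before returning, carried over from the `wk32` body this commit deletes; a three-second stall on every refused write surfaces in timing rather than in output, and the message goes to stdout via `printf`, where it interleaves with the tool's normal progress lines. I would drop the sleep and send the message to stderr: `fprintf(stderr, "kwrite: no kernel task port, refusing to write %zu bytes at 0x%llx\n", size, where);` followed by `return offset;`. `kread`, reformatted in the previous hunk, receives no equivalent guard in what is shown — its body lies outside the hunk — so the asymmetry is worth either mirroring or explaining in a comment. The chunked write loop that follows the guard is also outside this hunk.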