NoteZ
iOS/macOS Darwin Kernel Post Collection
Prologue
Somniloquy
Kernel Protection
http://newosxbook.com/files/LendMeYourTaskPort.pdf
Entitlements
Some entitlements cannot be signed into an app at all: a bundle carrying them fails the AMDeviceSecureInstallApplication check. Examples:
run-unsigned-code
dynamic-codesigning
com.apple.private.skip-library-validation
For the details see Security-58286.41.2/OSX/include/security_codesigning/signer.cpp and the other code under the Security directory.
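As an added illustration (not code from the note, from Apple's Security sources, or from signer.cpp): a small Python parser that pulls the embedded entitlements blob out of a code-signature SuperBlob and reports which of the three entitlements listed above it carries. The blob layout follows xnu's cs_blobs.h (SuperBlob magic 0xfade0cc0 with a big-endian magic/length/count header and (type, offset) index entries; entitlements blob magic 0xfade7171 in slot 5, followed by an XML plist). The sample SuperBlob is constructed inline with only an entitlements slot, and the restricted-key list is just the three names from the note, not the real check.

```python
import plistlib
import struct

# Constants from xnu's cs_blobs.h (embedded code-signature blob format).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # SuperBlob wrapping the whole signature
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # XML entitlements blob
CSSLOT_ENTITLEMENTS = 5                     # index slot that holds the entitlements

# The three entitlements the note says cannot pass the install check.
# Illustrative blocklist only; the real logic lives in signer.cpp.
RESTRICTED_ENTITLEMENTS = {
    "run-unsigned-code",
    "dynamic-codesigning",
    "com.apple.private.skip-library-validation",
}


def parse_superblob(blob: bytes):
    """Return the (type, offset) index entries of a CSMAGIC_EMBEDDED_SIGNATURE SuperBlob."""
    if len(blob) < 12:
        raise ValueError("blob too short for a SuperBlob header")
    magic, length, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"not a SuperBlob: magic 0x{magic:08x}")
    # Trust neither the declared length nor the index count blindly.
    if length > len(blob) or 12 + 8 * count > length:
        raise ValueError("SuperBlob length/count inconsistent with buffer")
    return [struct.unpack_from(">II", blob, 12 + 8 * i) for i in range(count)]


def extract_entitlements(blob: bytes):
    """Locate the entitlements blob (slot 5) and decode its XML plist; None if absent."""
    for slot, off in parse_superblob(blob):
        if slot != CSSLOT_ENTITLEMENTS:
            continue
        if off + 8 > len(blob):
            raise ValueError("entitlements blob header out of bounds")
        magic, length = struct.unpack_from(">II", blob, off)
        if magic != CSMAGIC_EMBEDDED_ENTITLEMENTS:
            raise ValueError(f"unexpected entitlements magic 0x{magic:08x}")
        if length < 8 or off + length > len(blob):
            raise ValueError("entitlements blob length out of bounds")
        return plistlib.loads(blob[off + 8:off + length])
    return None


def restricted_entitlements(entitlements: dict):
    """Keys present in the entitlements plist that are on the restricted list, sorted."""
    return sorted(k for k in entitlements if k in RESTRICTED_ENTITLEMENTS)


def build_superblob(entitlements: dict) -> bytes:
    """Constructed sample: a SuperBlob with a single entitlements slot (no CodeDirectory, no CMS)."""
    payload = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    ent_blob = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(payload)) + payload
    header_len = 12 + 8  # SuperBlob header plus one index entry
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, header_len + len(ent_blob), 1)
    header += struct.pack(">II", CSSLOT_ENTITLEMENTS, header_len)
    return header + ent_blob


# Constructed input: an entitlements set a sideloaded app might try to claim.
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "TEAMID.com.example.app",
    "get-task-allow": True,
    "dynamic-codesigning": True,
    "com.apple.private.skip-library-validation": True,
}
SAMPLE_SUPERBLOB = build_superblob(SAMPLE_ENTITLEMENTS)


def check_sample():
    """Parse the sample blob and report which restricted entitlements it carries."""
    return restricted_entitlements(extract_entitlements(SAMPLE_SUPERBLOB))


if __name__ == "__main__":
    print("restricted entitlements found:", check_sample())
```

Every offset and length that comes from the blob itself is bounds-checked before use; a signature blob is attacker-controlled input to whatever parses it, and a real SuperBlob also carries the CodeDirectory and CMS slots that this sample omits.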
There is an article that walks through an attempt to break the entitlements verification process:
Diving into the iOS Kernel: Breaking Entitlements
Could the check be passed by hooking AMDeviceSecureInstallApplication?
kernelcache
https://bazad.github.io/2018/03/ida-kernelcache-class-reconstruction/