sbtool

Used for discussing the various tools in the book as well as encouraging members to share tools

sbtool

Postby b3ntx » Fri Nov 18, 2016 6:09 pm

Hey J,

Checking out your sandbox code/presentations and had some issues using sandbox_inspect_pid(). That method always returns 1 whenever I use it via sbtool.

Code:
sandbox_inspect_pid failed (RC: 1)


I've tried on ElCap 10.11.6 (SIP disabled) and Sierra 10.12 (SIP disabled) with same results. Tried with 'sudo' and 'sudo bash; sbtool <pid> inspect'

Any idea what's going on? Did I miss something in your presentation?
b3ntx
 
Posts: 10
Joined: Wed Dec 16, 2015 1:26 pm

Re: sbtool

Postby morpheus » Sat Nov 19, 2016 1:08 am

Minor but important issue you've overlooked - sbtool inspect only works if the kext cooperates - and it does only if the kernel is deemed to be debuggable (which, in *OS, is via PE_i_can_haz_debugger). The rest of the sbtool functions do work either way, as they use sandbox_check.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
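A practical check that follows from the reply above, as an added example that is not part of the thread and not code from sbtool or its author: before blaming sbtool for "sandbox_inspect_pid failed (RC: 1)", confirm that the kernel is actually debuggable. The script assumes (this is the author's assumption, not something the post states) that on a release macOS kernel PE_i_can_haz_debugger reports the kernel as debuggable exactly when the debug= boot-arg is set to a non-zero value, and that the running boot-args can be read with `sysctl -n kern.bootargs`. The parsing works on any boot-args string, so it also runs on a constructed string for testing; the only sbtool invocation it makes is the `sbtool <pid> inspect` form used in the thread.

```shell
#!/bin/sh
# Decide whether `sbtool <pid> inspect` can be expected to work on this kernel.
# Assumption (not from the thread): Sandbox.kext honours sandbox_inspect_pid
# only when PE_i_can_haz_debugger() is true, which on a release macOS kernel
# means a non-zero `debug=` boot-arg. SIP and sudo do not change this.

# kernel_debuggable BOOTARGS
# Returns 0 (true) if BOOTARGS contains a debug=<value> entry whose value is a
# non-zero (decimal or 0x-prefixed hex) number; the first debug= entry wins.
kernel_debuggable() {
    bootargs=$1
    for arg in $bootargs; do
        case $arg in
            debug=*)
                val=${arg#debug=}
                # Strip an optional 0x/0X prefix, then any leading zeros.
                n=${val#0x}; n=${n#0X}
                while [ "${n#0}" != "$n" ]; do n=${n#0}; done
                # Anything that is not hex digits is not a valid debug value.
                case $n in
                    *[!0-9a-fA-F]*) return 1 ;;
                esac
                # An empty remainder means the value was zero.
                [ -n "$n" ] && return 0
                return 1
                ;;
        esac
    done
    return 1
}

# inspect_expected_to_work PID BOOTARGS
# Prints a one-line verdict; returns 0 if `sbtool PID inspect` should be
# honoured by the kext, 1 if the RC: 1 failure from the thread is expected.
inspect_expected_to_work() {
    pid=$1
    bootargs=$2
    if kernel_debuggable "$bootargs"; then
        echo "kernel is debuggable (debug= set): sbtool $pid inspect should be honoured by Sandbox.kext"
        return 0
    fi
    echo "kernel is not debuggable (no non-zero debug= boot-arg): expect 'sandbox_inspect_pid failed (RC: 1)'"
    echo "sbtool's sandbox_check-based modes still work; to use inspect, set a debug= boot-arg and reboot"
    return 1
}

# Live use on macOS: ./sbtool_inspect_check.sh <pid>
# Reads the real boot-args (assumed source of the debug flag) and only then
# calls sbtool. Nothing runs when the script is invoked without arguments.
if [ $# -gt 0 ]; then
    live_args=$(sysctl -n kern.bootargs 2>/dev/null || true)
    if inspect_expected_to_work "$1" "$live_args"; then
        sudo sbtool "$1" inspect
    fi
fi
```

The script deliberately does not try to work around the kext: if the kernel is not debuggable, the only fix is a boot-arg change and a reboot, and the verdict says so rather than retrying with sudo or with SIP off, neither of which the reply above says makes any difference.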
