sbtool

PostPosted: Fri Nov 18, 2016 6:09 pm
by b3ntx
Hey J,

I've been checking out your sandbox code/presentations and have had some issues using sandbox_inspect_pid(). That method always returns 1 whenever I use it via sbtool:

sandbox_inspect_pid failed (RC: 1)

I've tried on ElCap 10.11.6 (SIP disabled) and Sierra 10.12 (SIP disabled) with the same results. Tried with 'sudo' and with 'sudo bash; sbtool <pid> inspect'.

Any idea what's going on? Did I miss something in your presentation?

Re: sbtool

PostPosted: Sat Nov 19, 2016 1:08 am
by morpheus
Minor but important issue you've overlooked - sbtool inspect only works if the kext cooperates - and it does so only if the kernel is deemed to be debuggable (which, in *OS, is via PE_i_can_haz_debugger). The rest of the sbtool functions do work either way, as they use sandbox_check.