Exploring MACF

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby darkknight » Tue Aug 15, 2017 1:50 am

Seeking some help with the following:
On page 49 of Chapter 4: The Mandatory Access Control Framework (MACF)
It states:
"The static mac_policy_conf structure can be found in the kext's __DATA.__data, and is readily identifiable due to its structure"

Having dumped the kernel from iOS 9.3.3 using kdump from ios-kern-utils and then extracting the AMFI kext with joker, how do I go about identifying the struct from here?
Code:
jtool -d __DATA.__data com.apple.driver.AppleMobileFileIntegrity.kext
Opened companion File: ./com.apple.driver.AppleMobileFileIntegrity.kext.ARM64.FAAEA5BB-2C25-31C1-AAB7-99A5B7800035
Dumping from address 0xffffff8008d41d70 (Segment: __DATA.__data) to end of section
Address : 0xffffff8008d41d70 = Offset 0x31d70
0xffffff8008d41d70: 57 84 d1 08 80 ff ff ff  "amfi" -
0xffffff8008d41d78: ff ff ff ff 50 57 f3 08
0xffffff8008d41d80: 80 ff ff ff 01 00 00 00
0xffffff8008d41d88: 14 00 00 00 63 6f 6d 2e
0xffffff8008d41d90: 61 70 70 6c 65 2e 64 72
0xffffff8008d41d98: 69 76 65 72 2e 41 70 70
0xffffff8008d41da0: 6c 65 4d 6f 62 69 6c 65
0xffffff8008d41da8: 46 69 6c 65 49 6e 74 65
0xffffff8008d41db0: 67 72 69 74 79 00 00 00
0xffffff8008d41db8: 00 00 00 00 00 00 00 00
0xffffff8008d41dc0: 00 00 00 00 00 00 00 00
0xffffff8008d41dc8: 00 00 00 00 31 2e 30 2e
0xffffff8008d41dd0: 35 00 00 00 00 00 00 00
0xffffff8008d41dd8: 00 00 00 00 00 00 00 00
0xffffff8008d41de0: 00 00 00 00 00 00 00 00
0xffffff8008d41de8: 00 00 00 00 00 00 00 00
0xffffff8008d41df0: 00 00 00 00 00 00 00 00
0xffffff8008d41df8: 00 00 00 00 00 00 00 00
0xffffff8008d41e00: 00 00 00 00 00 00 00 00
0xffffff8008d41e08: 00 00 00 00 0b 00 00 00
0xffffff8008d41e10: 00 83 19 0a 81 ff ff ff
0xffffff8008d41e18: 00 00 d1 08 80 ff ff ff
0xffffff8008d41e20: 00 40 03 00 00 00 00 00
0xffffff8008d41e28: 00 00 00 00 00 00 00 00
0xffffff8008d41e30: cc 6f d1 08 80 ff ff ff  func_ffffff8008d16fcc 
0xffffff8008d41e38: 18 70 d1 08 80 ff ff ff  func_ffffff8008d17018 
0xffffff8008d41e40: 70 17 00 00 00 00 00 00


And then on page 52 where it says "The mac_policy_ops structure should reside in a kext's __DATA.__const....Subtracting the addresses where you find the pointers from the base of the structure, you will get the offsets..."
How do I determine the base of the structure from, for example:
Code:
jtool -d __DATA.__const com.apple.driver.AppleMobileFileIntegrity.kext | grep TEXT
Opened companion File: ./com.apple.driver.AppleMobileFileIntegrity.kext.ARM64.FAAEA5BB-2C25-31C1-AAB7-99A5B7800035
Dumping from address 0xffffff8008d40350 (Segment: __DATA.__const) to end of section
Address : 0xffffff8008d40350 = Offset 0x30350
0xffffff8008d40a50: 74 94 d1 08 80 ff ff ff  (0xffffff8008d19474 __TEXT.__const, no symbol)
0xffffff8008d40a60: 7d 94 d1 08 80 ff ff ff  (0xffffff8008d1947d __TEXT.__const, no symbol)
0xffffff8008d40a70: 86 94 d1 08 80 ff ff ff  (0xffffff8008d19486 __TEXT.__const, no symbol)
0xffffff8008d40a80: 8f 94 d1 08 80 ff ff ff  (0xffffff8008d1948f __TEXT.__const, no symbol)
0xffffff8008d40a90: 98 94 d1 08 80 ff ff ff  (0xffffff8008d19498 __TEXT.__const, no symbol)
0xffffff8008d40aa0: 9b 94 d1 08 80 ff ff ff  (0xffffff8008d1949b __TEXT.__const, no symbol)
0xffffff8008d40ab0: 9e 94 d1 08 80 ff ff ff  (0xffffff8008d1949e __TEXT.__const, no symbol)
0xffffff8008d40ac0: a1 94 d1 08 80 ff ff ff  (0xffffff8008d194a1 __TEXT.__const, no symbol)
0xffffff8008d40ad0: a4 94 d1 08 80 ff ff ff  (0xffffff8008d194a4 __TEXT.__const, no symbol)
0xffffff8008d40ae0: a7 94 d1 08 80 ff ff ff  (0xffffff8008d194a7 __TEXT.__const, no symbol)
0xffffff8008d40af0: aa 94 d1 08 80 ff ff ff  (0xffffff8008d194aa __TEXT.__const, no symbol)
0xffffff8008d40b00: ad 94 d1 08 80 ff ff ff  (0xffffff8008d194ad __TEXT.__const, no symbol)
0xffffff8008d40b10: b0 94 d1 08 80 ff ff ff  (0xffffff8008d194b0 __TEXT.__const, no symbol)
0xffffff8008d40b20: b3 94 d1 08 80 ff ff ff  (0xffffff8008d194b3 __TEXT.__const, no symbol)
0xffffff8008d40b30: b6 94 d1 08 80 ff ff ff  (0xffffff8008d194b6 __TEXT.__const, no symbol)
0xffffff8008d40b40: b9 94 d1 08 80 ff ff ff  (0xffffff8008d194b9 __TEXT.__const, no symbol)
0xffffff8008d40b50: c1 94 d1 08 80 ff ff ff  (0xffffff8008d194c1 __TEXT.__const, no symbol)
0xffffff8008d40b60: c9 94 d1 08 80 ff ff ff  (0xffffff8008d194c9 __TEXT.__const, no symbol)
0xffffff8008d40b70: d2 94 d1 08 80 ff ff ff  (0xffffff8008d194d2 __TEXT.__const, no symbol)
0xffffff8008d40b80: db 94 d1 08 80 ff ff ff  (0xffffff8008d194db __TEXT.__const, no symbol)
0xffffff8008d40b90: e3 94 d1 08 80 ff ff ff  (0xffffff8008d194e3 __TEXT.__const, no symbol)
0xffffff8008d40ba0: eb 94 d1 08 80 ff ff ff  (0xffffff8008d194eb __TEXT.__const, no symbol)
0xffffff8008d40bb0: ee 94 d1 08 80 ff ff ff  (0xffffff8008d194ee __TEXT.__const, no symbol)
0xffffff8008d40bc0: f7 94 d1 08 80 ff ff ff  (0xffffff8008d194f7 __TEXT.__const, no symbol)
0xffffff8008d40bd0: fa 94 d1 08 80 ff ff ff  (0xffffff8008d194fa __TEXT.__const, no symbol)

Re: Exploring MACF

Postby Siguza » Tue Aug 15, 2017 4:24 pm

1. Apple actually moved those structs to __DATA.__const after Pangu exploited the fact that __DATA.__data isn't KPP-checked (which was somewhere in early iOS 9, not sure where exactly). :P
2. Have a look at XNU's /security/mac_policy.h; there you get the relevant structs:

Code:
struct mac_policy_conf {
   const char      *mpc_name;      /** policy name */
   const char      *mpc_fullname;      /** full name */
   char const * const *mpc_labelnames;   /** managed label namespaces */
   unsigned int       mpc_labelname_count;   /** number of managed label namespaces */
   struct mac_policy_ops   *mpc_ops;      /** operation vector */
   int          mpc_loadtime_flags;   /** load time flags */
   int         *mpc_field_off;      /** label slot */
   int          mpc_runtime_flags;   /** run time flags */
   mpc_t          mpc_list;      /** List reference */
   void         *mpc_data;      /** module data */
};
struct mac_policy_ops {
   /* couple of hundred lines omitted */
};


So if you dump __DATA.__const instead, you'll find this somewhere (I omitted stuff before and after, because it's a lot):

Code:
0xffffff801f351660: c4 85 32 1f 80 ff ff ff  "AMFI" -
0xffffff801f351668: c9 85 32 1f 80 ff ff ff  "Apple Mobile File Integrity" -
0xffffff801f351670: 70 1d 35 1f 80 ff ff ff  (0xffffff801f351d70 __DATA.__data, no symbol)
0xffffff801f351678: 01 00 00 00 00 00 00 00
0xffffff801f351680: e8 0b 35 1f 80 ff ff ff  (0xffffff801f350be8 __DATA.__const, no symbol)
0xffffff801f351688: 00 00 00 00 00 00 00 00
0xffffff801f351690: d0 1e 35 1f 80 ff ff ff  (0xffffff801f351ed0 __DATA.__bss, no symbol)
0xffffff801f351698: 01 00 00 00 00 00 00 00
0xffffff801f3516a0: 00 00 00 00 00 00 00 00
0xffffff801f3516a8: 00 00 00 00 00 00 00 00
0xffffff801f3516b0: 70 1e 35 1f 80 ff ff ff  (0xffffff801f351e70 __DATA.__common, no symbol)
0xffffff801f3516b8: 28 65 13 1f 80 ff ff ff


And as you can see, the only pointer in there that also points into the __DATA.__const segment corresponds to the 5th struct member, mpc_ops. Following that pointer will get you to the mac_policy_ops structure that holds the actual function pointers of the policy.

Re: Exploring MACF

Postby darkknight » Wed Aug 16, 2017 1:02 am

Thank you for the clarification...

And bear with me, but just so I understand... In my case I have the following:
Code:
0xffffff8008d41658: 00 00 00 00 00 00 00 00
0xffffff8008d41660: c4 85 d1 08 80 ff ff ff  "AMFI" -
0xffffff8008d41668: c9 85 d1 08 80 ff ff ff  "Apple Mobile File Integrity" -
0xffffff8008d41670: 70 1d d4 08 80 ff ff ff  (0xffffff8008d41d70 __DATA.__data, no symbol)
0xffffff8008d41678: 01 00 00 00 00 00 00 00
0xffffff8008d41680: e8 0b d4 08 80 ff ff ff  (0xffffff8008d40be8 __DATA.__const, no symbol)
0xffffff8008d41688: 00 00 00 00 00 00 00 00
0xffffff8008d41690: d0 1e d4 08 80 ff ff ff  (0xffffff8008d41ed0 __DATA.__bss, no symbol)
0xffffff8008d41698: 01 00 00 00 00 00 00 00
0xffffff8008d416a0: 00 00 00 00 00 00 00 00
0xffffff8008d416a8: 00 00 00 00 00 00 00 00
0xffffff8008d416b0: 70 1e d4 08 80 ff ff ff  (0xffffff8008d41e70 __DATA.__common, no symbol)


Where the mac_policy_ops struct is at 0xffffff8008d40be8. And if I go to that address I should see a bunch of NULLs for callouts the policy is not interested in, correct?

[attachment: amfi_kext.png]

After that it's simply a matter of calculating offsets based on https://opensource.apple.com/source/xnu/xnu-3789.51.2/security/mac_policy.h.auto.html. So from the above image, FFFFFF8008D40C18 is an offset into the struct ...? Should it not be some multiple of 8, like in the example where mpo_cred_check_label_update_execve is at offset 0x48 and so on ....?

Re: Exploring MACF

Postby Siguza » Wed Aug 16, 2017 4:52 pm

Yes, the mac_policy_ops would be at that address, but what you'll find there is an array of pointers rather than code or anything else. Another excerpt from the __DATA.__const section:

Code:
bash$ jtool -d __DATA.__const com.apple.driver.AppleMobileFileIntegrity.kext
[...]
0xffffff801f350be8: 00 00 00 00 00 00 00 00
0xffffff801f350bf0: 00 00 00 00 00 00 00 00
0xffffff801f350bf8: 00 00 00 00 00 00 00 00
0xffffff801f350c00: 00 00 00 00 00 00 00 00
0xffffff801f350c08: 00 00 00 00 00 00 00 00
0xffffff801f350c10: 00 00 00 00 00 00 00 00
0xffffff801f350c18: 8c 60 32 1f 80 ff ff ff  (0xffffff801f32608c __TEXT.__text, no symbol)
0xffffff801f350c20: 00 00 00 00 00 00 00 00
0xffffff801f350c28: 00 00 00 00 00 00 00 00
0xffffff801f350c30: 00 00 00 00 00 00 00 00
0xffffff801f350c38: 00 00 00 00 00 00 00 00
0xffffff801f350c40: 94 60 32 1f 80 ff ff ff  (0xffffff801f326094 __TEXT.__text, no symbol)
0xffffff801f350c48: 00 00 00 00 00 00 00 00
0xffffff801f350c50: fc 60 32 1f 80 ff ff ff  (0xffffff801f3260fc __TEXT.__text, no symbol)
0xffffff801f350c58: 00 00 00 00 00 00 00 00
0xffffff801f350c60: 00 00 00 00 00 00 00 00
0xffffff801f350c68: b4 61 32 1f 80 ff ff ff  (0xffffff801f3261b4 __TEXT.__text, no symbol)
0xffffff801f350c70: 00 00 00 00 00 00 00 00
0xffffff801f350c78: 14 47 32 1f 80 ff ff ff  (0xffffff801f324714 __TEXT.__text, no symbol)
0xffffff801f350c80: 00 00 00 00 00 00 00 00
0xffffff801f350c88: 00 00 00 00 00 00 00 00
0xffffff801f350c90: 00 00 00 00 00 00 00 00
0xffffff801f350c98: 00 00 00 00 00 00 00 00
0xffffff801f350ca0: 00 00 00 00 00 00 00 00
0xffffff801f350ca8: 00 00 00 00 00 00 00 00
0xffffff801f350cb0: 00 00 00 00 00 00 00 00
0xffffff801f350cb8: 00 00 00 00 00 00 00 00
0xffffff801f350cc0: 00 00 00 00 00 00 00 00
0xffffff801f350cc8: 00 00 00 00 00 00 00 00
0xffffff801f350cd0: 00 00 00 00 00 00 00 00
0xffffff801f350cd8: 00 00 00 00 00 00 00 00
0xffffff801f350ce0: 00 00 00 00 00 00 00 00
0xffffff801f350ce8: 00 00 00 00 00 00 00 00
0xffffff801f350cf0: 00 00 00 00 00 00 00 00
0xffffff801f350cf8: 00 00 00 00 00 00 00 00
0xffffff801f350d00: 00 00 00 00 00 00 00 00
0xffffff801f350d08: 98 43 32 1f 80 ff ff ff  (0xffffff801f324398 __TEXT.__text, no symbol)
0xffffff801f350d10: 00 00 00 00 00 00 00 00
0xffffff801f350d18: 00 00 00 00 00 00 00 00
0xffffff801f350d20: 00 00 00 00 00 00 00 00
0xffffff801f350d28: 00 00 00 00 00 00 00 00
0xffffff801f350d30: 00 00 00 00 00 00 00 00
0xffffff801f350d38: 00 00 00 00 00 00 00 00
0xffffff801f350d40: 00 00 00 00 00 00 00 00
0xffffff801f350d48: 00 00 00 00 00 00 00 00
0xffffff801f350d50: 00 00 00 00 00 00 00 00
0xffffff801f350d58: 00 00 00 00 00 00 00 00
0xffffff801f350d60: 00 00 00 00 00 00 00 00
0xffffff801f350d68: 00 00 00 00 00 00 00 00
0xffffff801f350d70: 00 00 00 00 00 00 00 00
0xffffff801f350d78: 00 00 00 00 00 00 00 00
0xffffff801f350d80: 00 00 00 00 00 00 00 00
0xffffff801f350d88: 00 00 00 00 00 00 00 00
0xffffff801f350d90: 00 00 00 00 00 00 00 00
0xffffff801f350d98: 00 00 00 00 00 00 00 00
0xffffff801f350da0: 00 00 00 00 00 00 00 00
0xffffff801f350da8: 00 00 00 00 00 00 00 00
0xffffff801f350db0: 00 00 00 00 00 00 00 00
0xffffff801f350db8: 00 00 00 00 00 00 00 00
0xffffff801f350dc0: 00 00 00 00 00 00 00 00
0xffffff801f350dc8: 00 00 00 00 00 00 00 00
0xffffff801f350dd0: 00 00 00 00 00 00 00 00
0xffffff801f350dd8: 00 00 00 00 00 00 00 00
0xffffff801f350de0: 00 00 00 00 00 00 00 00
0xffffff801f350de8: 00 00 00 00 00 00 00 00
0xffffff801f350df0: 00 00 00 00 00 00 00 00
0xffffff801f350df8: 00 00 00 00 00 00 00 00
0xffffff801f350e00: 00 00 00 00 00 00 00 00
0xffffff801f350e08: 00 00 00 00 00 00 00 00
0xffffff801f350e10: 00 00 00 00 00 00 00 00
0xffffff801f350e18: 00 00 00 00 00 00 00 00
0xffffff801f350e20: 00 00 00 00 00 00 00 00
0xffffff801f350e28: 00 00 00 00 00 00 00 00
0xffffff801f350e30: 00 00 00 00 00 00 00 00
0xffffff801f350e38: 00 00 00 00 00 00 00 00
0xffffff801f350e40: 00 00 00 00 00 00 00 00
0xffffff801f350e48: 00 00 00 00 00 00 00 00
0xffffff801f350e50: 00 00 00 00 00 00 00 00
0xffffff801f350e58: 00 00 00 00 00 00 00 00
0xffffff801f350e60: 00 00 00 00 00 00 00 00
0xffffff801f350e68: 00 00 00 00 00 00 00 00
0xffffff801f350e70: 00 00 00 00 00 00 00 00
0xffffff801f350e78: 00 00 00 00 00 00 00 00
0xffffff801f350e80: 00 00 00 00 00 00 00 00
0xffffff801f350e88: 00 00 00 00 00 00 00 00
0xffffff801f350e90: 00 00 00 00 00 00 00 00
0xffffff801f350e98: 00 00 00 00 00 00 00 00
0xffffff801f350ea0: 00 00 00 00 00 00 00 00
0xffffff801f350ea8: 00 00 00 00 00 00 00 00
0xffffff801f350eb0: 00 00 00 00 00 00 00 00
0xffffff801f350eb8: 00 00 00 00 00 00 00 00
0xffffff801f350ec0: 00 00 00 00 00 00 00 00
0xffffff801f350ec8: 00 00 00 00 00 00 00 00
0xffffff801f350ed0: 00 00 00 00 00 00 00 00
0xffffff801f350ed8: 00 00 00 00 00 00 00 00
0xffffff801f350ee0: 00 00 00 00 00 00 00 00
0xffffff801f350ee8: 00 00 00 00 00 00 00 00
0xffffff801f350ef0: 00 00 00 00 00 00 00 00
0xffffff801f350ef8: 00 00 00 00 00 00 00 00
0xffffff801f350f00: 00 00 00 00 00 00 00 00
0xffffff801f350f08: 00 00 00 00 00 00 00 00
0xffffff801f350f10: 00 00 00 00 00 00 00 00
0xffffff801f350f18: 00 00 00 00 00 00 00 00
0xffffff801f350f20: 00 00 00 00 00 00 00 00
0xffffff801f350f28: 00 00 00 00 00 00 00 00
0xffffff801f350f30: 00 00 00 00 00 00 00 00
0xffffff801f350f38: 00 00 00 00 00 00 00 00
0xffffff801f350f40: 00 00 00 00 00 00 00 00
0xffffff801f350f48: 00 00 00 00 00 00 00 00
0xffffff801f350f50: 00 00 00 00 00 00 00 00
0xffffff801f350f58: 00 00 00 00 00 00 00 00
0xffffff801f350f60: 00 00 00 00 00 00 00 00
0xffffff801f350f68: 00 00 00 00 00 00 00 00
0xffffff801f350f70: 00 00 00 00 00 00 00 00
0xffffff801f350f78: 00 00 00 00 00 00 00 00
0xffffff801f350f80: 00 00 00 00 00 00 00 00
0xffffff801f350f88: 68 6a 32 1f 80 ff ff ff  (0xffffff801f326a68 __TEXT.__text, no symbol)
0xffffff801f350f90: 00 00 00 00 00 00 00 00
0xffffff801f350f98: 00 00 00 00 00 00 00 00
0xffffff801f350fa0: f0 61 32 1f 80 ff ff ff  (0xffffff801f3261f0 __TEXT.__text, no symbol)
0xffffff801f350fa8: 00 00 00 00 00 00 00 00
0xffffff801f350fb0: 00 00 00 00 00 00 00 00
0xffffff801f350fb8: 00 00 00 00 00 00 00 00
0xffffff801f350fc0: 00 00 00 00 00 00 00 00
0xffffff801f350fc8: 00 00 00 00 00 00 00 00
0xffffff801f350fd0: 00 00 00 00 00 00 00 00
0xffffff801f350fd8: 00 00 00 00 00 00 00 00
0xffffff801f350fe0: 00 00 00 00 00 00 00 00
0xffffff801f350fe8: 00 00 00 00 00 00 00 00
0xffffff801f350ff0: 00 00 00 00 00 00 00 00
0xffffff801f350ff8: 00 00 00 00 00 00 00 00
0xffffff801f351000: 00 00 00 00 00 00 00 00
0xffffff801f351008: 00 00 00 00 00 00 00 00
0xffffff801f351010: 00 00 00 00 00 00 00 00
0xffffff801f351018: 00 00 00 00 00 00 00 00
0xffffff801f351020: 00 00 00 00 00 00 00 00
0xffffff801f351028: 00 00 00 00 00 00 00 00
0xffffff801f351030: 00 00 00 00 00 00 00 00
0xffffff801f351038: 00 00 00 00 00 00 00 00
0xffffff801f351040: 00 00 00 00 00 00 00 00
0xffffff801f351048: 00 00 00 00 00 00 00 00
0xffffff801f351050: 00 00 00 00 00 00 00 00
0xffffff801f351058: 00 00 00 00 00 00 00 00
0xffffff801f351060: 00 00 00 00 00 00 00 00
0xffffff801f351068: 00 00 00 00 00 00 00 00
0xffffff801f351070: 00 00 00 00 00 00 00 00
0xffffff801f351078: 00 00 00 00 00 00 00 00
0xffffff801f351080: 00 00 00 00 00 00 00 00
0xffffff801f351088: 00 00 00 00 00 00 00 00
0xffffff801f351090: 00 00 00 00 00 00 00 00
0xffffff801f351098: 00 00 00 00 00 00 00 00
0xffffff801f3510a0: 00 00 00 00 00 00 00 00
0xffffff801f3510a8: 00 00 00 00 00 00 00 00
0xffffff801f3510b0: 00 00 00 00 00 00 00 00
0xffffff801f3510b8: 00 00 00 00 00 00 00 00
0xffffff801f3510c0: 00 00 00 00 00 00 00 00
0xffffff801f3510c8: 00 00 00 00 00 00 00 00
0xffffff801f3510d0: 30 6b 32 1f 80 ff ff ff  (0xffffff801f326b30 __TEXT.__text, no symbol)
0xffffff801f3510d8: 00 00 00 00 00 00 00 00
0xffffff801f3510e0: 00 00 00 00 00 00 00 00
0xffffff801f3510e8: 30 6b 32 1f 80 ff ff ff  (0xffffff801f326b30 __TEXT.__text, no symbol)
0xffffff801f3510f0: 00 00 00 00 00 00 00 00
0xffffff801f3510f8: 00 00 00 00 00 00 00 00
0xffffff801f351100: 00 00 00 00 00 00 00 00
0xffffff801f351108: 6c 6a 32 1f 80 ff ff ff  (0xffffff801f326a6c __TEXT.__text, no symbol)
0xffffff801f351110: 00 00 00 00 00 00 00 00
0xffffff801f351118: 00 00 00 00 00 00 00 00
0xffffff801f351120: 00 00 00 00 00 00 00 00
0xffffff801f351128: 00 00 00 00 00 00 00 00
0xffffff801f351130: 00 00 00 00 00 00 00 00
0xffffff801f351138: 00 00 00 00 00 00 00 00
0xffffff801f351140: 00 00 00 00 00 00 00 00
0xffffff801f351148: 00 00 00 00 00 00 00 00
0xffffff801f351150: 00 00 00 00 00 00 00 00
0xffffff801f351158: 00 00 00 00 00 00 00 00
0xffffff801f351160: 00 00 00 00 00 00 00 00
0xffffff801f351168: 00 00 00 00 00 00 00 00
0xffffff801f351170: 00 00 00 00 00 00 00 00
0xffffff801f351178: 00 00 00 00 00 00 00 00
0xffffff801f351180: 00 00 00 00 00 00 00 00
0xffffff801f351188: 00 00 00 00 00 00 00 00
0xffffff801f351190: 00 00 00 00 00 00 00 00
0xffffff801f351198: 00 00 00 00 00 00 00 00
0xffffff801f3511a0: 00 00 00 00 00 00 00 00
0xffffff801f3511a8: 00 00 00 00 00 00 00 00
0xffffff801f3511b0: 00 00 00 00 00 00 00 00
0xffffff801f3511b8: 00 00 00 00 00 00 00 00
0xffffff801f3511c0: 00 00 00 00 00 00 00 00
0xffffff801f3511c8: 00 00 00 00 00 00 00 00
0xffffff801f3511d0: 00 00 00 00 00 00 00 00
0xffffff801f3511d8: 00 00 00 00 00 00 00 00
0xffffff801f3511e0: 00 00 00 00 00 00 00 00
0xffffff801f3511e8: 00 00 00 00 00 00 00 00
0xffffff801f3511f0: 00 00 00 00 00 00 00 00
0xffffff801f3511f8: 00 00 00 00 00 00 00 00
0xffffff801f351200: 00 00 00 00 00 00 00 00
0xffffff801f351208: 00 00 00 00 00 00 00 00
0xffffff801f351210: 00 00 00 00 00 00 00 00
0xffffff801f351218: 00 00 00 00 00 00 00 00
0xffffff801f351220: 00 00 00 00 00 00 00 00
0xffffff801f351228: 00 00 00 00 00 00 00 00
0xffffff801f351230: 00 00 00 00 00 00 00 00
0xffffff801f351238: 00 00 00 00 00 00 00 00
0xffffff801f351240: 00 00 00 00 00 00 00 00
0xffffff801f351248: 00 00 00 00 00 00 00 00
0xffffff801f351250: 00 00 00 00 00 00 00 00
0xffffff801f351258: 00 00 00 00 00 00 00 00
0xffffff801f351260: 00 00 00 00 00 00 00 00
0xffffff801f351268: 00 00 00 00 00 00 00 00
0xffffff801f351270: 00 00 00 00 00 00 00 00
0xffffff801f351278: 00 00 00 00 00 00 00 00
0xffffff801f351280: 00 00 00 00 00 00 00 00
0xffffff801f351288: 00 00 00 00 00 00 00 00
0xffffff801f351290: 00 00 00 00 00 00 00 00
0xffffff801f351298: 00 00 00 00 00 00 00 00
0xffffff801f3512a0: 00 00 00 00 00 00 00 00
0xffffff801f3512a8: 00 00 00 00 00 00 00 00
0xffffff801f3512b0: 00 00 00 00 00 00 00 00
0xffffff801f3512b8: 00 00 00 00 00 00 00 00
0xffffff801f3512c0: 00 00 00 00 00 00 00 00
0xffffff801f3512c8: 00 00 00 00 00 00 00 00
0xffffff801f3512d0: 00 00 00 00 00 00 00 00
0xffffff801f3512d8: 00 00 00 00 00 00 00 00
0xffffff801f3512e0: 00 00 00 00 00 00 00 00
0xffffff801f3512e8: 00 00 00 00 00 00 00 00
0xffffff801f3512f0: 00 00 00 00 00 00 00 00
0xffffff801f3512f8: 00 00 00 00 00 00 00 00
0xffffff801f351300: 00 00 00 00 00 00 00 00
0xffffff801f351308: 00 00 00 00 00 00 00 00
0xffffff801f351310: 00 00 00 00 00 00 00 00
0xffffff801f351318: 00 00 00 00 00 00 00 00
0xffffff801f351320: 00 00 00 00 00 00 00 00
0xffffff801f351328: 00 00 00 00 00 00 00 00
0xffffff801f351330: 00 00 00 00 00 00 00 00
0xffffff801f351338: 00 00 00 00 00 00 00 00
0xffffff801f351340: 00 00 00 00 00 00 00 00
0xffffff801f351348: 00 00 00 00 00 00 00 00
0xffffff801f351350: 00 00 00 00 00 00 00 00
0xffffff801f351358: 00 00 00 00 00 00 00 00
0xffffff801f351360: 00 00 00 00 00 00 00 00
0xffffff801f351368: 00 00 00 00 00 00 00 00
0xffffff801f351370: 00 00 00 00 00 00 00 00
0xffffff801f351378: 00 00 00 00 00 00 00 00
0xffffff801f351380: 00 00 00 00 00 00 00 00
0xffffff801f351388: 00 00 00 00 00 00 00 00
0xffffff801f351390: 00 00 00 00 00 00 00 00
0xffffff801f351398: 00 00 00 00 00 00 00 00
0xffffff801f3513a0: 00 00 00 00 00 00 00 00
0xffffff801f3513a8: 00 00 00 00 00 00 00 00
0xffffff801f3513b0: 00 00 00 00 00 00 00 00
0xffffff801f3513b8: 00 00 00 00 00 00 00 00
0xffffff801f3513c0: 00 00 00 00 00 00 00 00
0xffffff801f3513c8: 00 00 00 00 00 00 00 00
0xffffff801f3513d0: 00 00 00 00 00 00 00 00
0xffffff801f3513d8: 00 00 00 00 00 00 00 00
0xffffff801f3513e0: 00 00 00 00 00 00 00 00
0xffffff801f3513e8: 00 00 00 00 00 00 00 00
0xffffff801f3513f0: 00 00 00 00 00 00 00 00
0xffffff801f3513f8: cc 6a 32 1f 80 ff ff ff  (0xffffff801f326acc __TEXT.__text, no symbol)
0xffffff801f351400: 00 00 00 00 00 00 00 00
0xffffff801f351408: 00 00 00 00 00 00 00 00
0xffffff801f351410: 00 00 00 00 00 00 00 00
0xffffff801f351418: 00 00 00 00 00 00 00 00
0xffffff801f351420: 00 00 00 00 00 00 00 00
0xffffff801f351428: 00 00 00 00 00 00 00 00
0xffffff801f351430: 00 00 00 00 00 00 00 00
0xffffff801f351438: 00 00 00 00 00 00 00 00
0xffffff801f351440: 00 00 00 00 00 00 00 00
0xffffff801f351448: 00 00 00 00 00 00 00 00
0xffffff801f351450: 00 00 00 00 00 00 00 00
0xffffff801f351458: 00 00 00 00 00 00 00 00
0xffffff801f351460: 00 00 00 00 00 00 00 00
0xffffff801f351468: 00 00 00 00 00 00 00 00
0xffffff801f351470: 00 00 00 00 00 00 00 00
0xffffff801f351478: 00 00 00 00 00 00 00 00
0xffffff801f351480: 00 00 00 00 00 00 00 00
0xffffff801f351488: 00 00 00 00 00 00 00 00
0xffffff801f351490: 00 00 00 00 00 00 00 00
0xffffff801f351498: 00 00 00 00 00 00 00 00
0xffffff801f3514a0: 00 00 00 00 00 00 00 00
0xffffff801f3514a8: 00 00 00 00 00 00 00 00
0xffffff801f3514b0: 00 00 00 00 00 00 00 00
0xffffff801f3514b8: 00 00 00 00 00 00 00 00
0xffffff801f3514c0: 00 00 00 00 00 00 00 00
0xffffff801f3514c8: 00 00 00 00 00 00 00 00
0xffffff801f3514d0: 00 00 00 00 00 00 00 00
0xffffff801f3514d8: 00 00 00 00 00 00 00 00
0xffffff801f3514e0: 00 00 00 00 00 00 00 00
0xffffff801f3514e8: 00 00 00 00 00 00 00 00
0xffffff801f3514f0: 00 00 00 00 00 00 00 00
0xffffff801f3514f8: 00 00 00 00 00 00 00 00
0xffffff801f351500: 00 00 00 00 00 00 00 00
0xffffff801f351508: 00 00 00 00 00 00 00 00
0xffffff801f351510: 00 00 00 00 00 00 00 00
0xffffff801f351518: 00 00 00 00 00 00 00 00
0xffffff801f351520: 00 00 00 00 00 00 00 00
0xffffff801f351528: 00 00 00 00 00 00 00 00
0xffffff801f351530: 00 00 00 00 00 00 00 00
0xffffff801f351538: 00 00 00 00 00 00 00 00
0xffffff801f351540: 00 00 00 00 00 00 00 00
0xffffff801f351548: 00 00 00 00 00 00 00 00
0xffffff801f351550: 00 00 00 00 00 00 00 00
0xffffff801f351558: 00 00 00 00 00 00 00 00
0xffffff801f351560: 00 00 00 00 00 00 00 00
0xffffff801f351568: 1c 66 32 1f 80 ff ff ff  (0xffffff801f32661c __TEXT.__text, no symbol)
0xffffff801f351570: 00 00 00 00 00 00 00 00
0xffffff801f351578: 00 00 00 00 00 00 00 00
0xffffff801f351580: cc 6b 32 1f 80 ff ff ff  (0xffffff801f326bcc __TEXT.__text, no symbol)
0xffffff801f351588: 00 00 00 00 00 00 00 00
0xffffff801f351590: 00 00 00 00 00 00 00 00
0xffffff801f351598: 00 00 00 00 00 00 00 00
0xffffff801f3515a0: 00 00 00 00 00 00 00 00
0xffffff801f3515a8: 00 00 00 00 00 00 00 00
0xffffff801f3515b0: 00 00 00 00 00 00 00 00
0xffffff801f3515b8: 00 00 00 00 00 00 00 00
0xffffff801f3515c0: 74 6a 32 1f 80 ff ff ff  (0xffffff801f326a74 __TEXT.__text, no symbol)
0xffffff801f3515c8: 00 00 00 00 00 00 00 00
0xffffff801f3515d0: 00 00 00 00 00 00 00 00
0xffffff801f3515d8: 00 00 00 00 00 00 00 00
0xffffff801f3515e0: 00 00 00 00 00 00 00 00
0xffffff801f3515e8: 00 00 00 00 00 00 00 00
0xffffff801f3515f0: 00 00 00 00 00 00 00 00
0xffffff801f3515f8: 00 00 00 00 00 00 00 00
0xffffff801f351600: 7c 6c 32 1f 80 ff ff ff  (0xffffff801f326c7c __TEXT.__text, no symbol)
0xffffff801f351608: 00 00 00 00 00 00 00 00
0xffffff801f351610: 00 00 00 00 00 00 00 00
0xffffff801f351618: 00 00 00 00 00 00 00 00
0xffffff801f351620: 00 00 00 00 00 00 00 00
0xffffff801f351628: 00 00 00 00 00 00 00 00
0xffffff801f351630: 00 00 00 00 00 00 00 00
0xffffff801f351638: 00 00 00 00 00 00 00 00
0xffffff801f351640: 00 00 00 00 00 00 00 00
0xffffff801f351648: 00 00 00 00 00 00 00 00
0xffffff801f351650: 00 00 00 00 00 00 00 00
0xffffff801f351658: 00 00 00 00 00 00 00 00
[...]


Now the 7th pointer, 0xffffff801f32608c, would correspond to mac_policy_ops.mpo_cred_check_label_update_execve, the 12th pointer, 0xffffff801f326094, would correspond to mac_policy_ops.mpo_cred_label_associate, etc.
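
The procedure Siguza walks through in the two answers above (recognise mac_policy_conf by its layout, read its 5th member mpc_ops, then turn each non-NULL slot of mac_policy_ops into a member name via offset/8 against mac_policy.h), as an added Python script written for this thread; it is not jtool's or joker's own code. It assumes the jtool -d hex-dump line format quoted in the thread; the sample dump is assembled from the lines darkknight posted, and the header text is a constructed, abbreviated excerpt of struct mac_policy_ops (first 14 members) that should be swapped for the real mac_policy.h linked above.

```python
"""Walk a jtool -d dump of a kext's __DATA.__const: find mac_policy_conf by its
layout, follow mpc_ops to mac_policy_ops, and name each implemented callout by
its slot offset against the member order in mac_policy.h."""
import re
import struct

# Sample input, assembled from the jtool -d lines quoted in this thread
# (mac_policy_ops at 0xffffff8008d40be8, mac_policy_conf at 0xffffff8008d41660).
DUMP = """\
0xffffff8008d40be8: 00 00 00 00 00 00 00 00
0xffffff8008d40bf0: 00 00 00 00 00 00 00 00
0xffffff8008d40bf8: 00 00 00 00 00 00 00 00
0xffffff8008d40c00: 00 00 00 00 00 00 00 00
0xffffff8008d40c08: 00 00 00 00 00 00 00 00
0xffffff8008d40c10: 00 00 00 00 00 00 00 00
0xffffff8008d40c18: 8c 60 d1 08 80 ff ff ff  func_ffffff8008d1608c
0xffffff8008d40c20: 00 00 00 00 00 00 00 00
0xffffff8008d40c28: 00 00 00 00 00 00 00 00
0xffffff8008d40c30: 00 00 00 00 00 00 00 00
0xffffff8008d40c38: 00 00 00 00 00 00 00 00
0xffffff8008d40c40: 94 60 d1 08 80 ff ff ff  func_ffffff8008d16094
0xffffff8008d40c48: 00 00 00 00 00 00 00 00
0xffffff8008d40c50: fc 60 d1 08 80 ff ff ff  func_ffffff8008d160fc
...........................
0xffffff8008d41660: c4 85 d1 08 80 ff ff ff  "AMFI" -
0xffffff8008d41668: c9 85 d1 08 80 ff ff ff  "Apple Mobile File Integrity" -
0xffffff8008d41670: 70 1d d4 08 80 ff ff ff  (0xffffff8008d41d70 __DATA.__data, no symbol)
0xffffff8008d41678: 01 00 00 00 00 00 00 00
0xffffff8008d41680: e8 0b d4 08 80 ff ff ff  (0xffffff8008d40be8 __DATA.__const, no symbol)
0xffffff8008d41688: 00 00 00 00 00 00 00 00
0xffffff8008d41690: d0 1e d4 08 80 ff ff ff  (0xffffff8008d41ed0 __DATA.__bss, no symbol)
0xffffff8008d41698: 01 00 00 00 00 00 00 00
"""

# Constructed, abbreviated excerpt of struct mac_policy_ops (XNU security/mac_policy.h,
# first 14 members as recalled by the author of this example); use the real header.
MAC_POLICY_H = """\
struct mac_policy_ops {
    mpo_audit_check_postselect_t          *mpo_audit_check_postselect;
    mpo_audit_check_preselect_t           *mpo_audit_check_preselect;
    mpo_bpfdesc_label_associate_t         *mpo_bpfdesc_label_associate;
    mpo_bpfdesc_label_destroy_t           *mpo_bpfdesc_label_destroy;
    mpo_bpfdesc_label_init_t              *mpo_bpfdesc_label_init;
    mpo_bpfdesc_check_receive_t           *mpo_bpfdesc_check_receive;
    mpo_cred_check_label_update_execve_t  *mpo_cred_check_label_update_execve;
    mpo_cred_check_label_update_t         *mpo_cred_check_label_update;
    mpo_cred_check_visible_t              *mpo_cred_check_visible;
    mpo_cred_label_associate_fork_t       *mpo_cred_label_associate_fork;
    mpo_cred_label_associate_kernel_t     *mpo_cred_label_associate_kernel;
    mpo_cred_label_associate_t            *mpo_cred_label_associate;
    mpo_cred_label_associate_user_t       *mpo_cred_label_associate_user;
    mpo_cred_label_destroy_t              *mpo_cred_label_destroy;
    /* several hundred further members omitted in this excerpt */
};
"""

DUMP_LINE = re.compile(r"^(0x[0-9a-f]+):\s+((?:[0-9a-f]{2}\s+){7}[0-9a-f]{2})")


def parse_dump(text):
    """Map every 8-byte word of a jtool -d dump to its little-endian u64 value."""
    words = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:  # headers, separators and annotation-only lines are skipped
            raw = bytes.fromhex(m.group(2).replace(" ", ""))
            words[int(m.group(1), 16)] = struct.unpack("<Q", raw)[0]
    return words


def parse_ops_members(header):
    """mac_policy_ops member names in declaration order; slot i lives at offset 8*i."""
    body = header.split("struct mac_policy_ops {", 1)[1].split("};", 1)[0]
    return re.findall(r"\*\s*(mpo_\w+)\s*;", body)


def is_kptr(value):
    return value >= 0xFFFFFF8000000000  # kernel VA range of this ARM64 kernelcache


def looks_like_policy_conf(words, base):
    """mac_policy_conf layout: mpc_name, mpc_fullname, mpc_labelnames are pointers,
    mpc_labelname_count (+0x18) is small, and mpc_ops (+0x20) points into this dump."""
    w = [words.get(base + off) for off in (0x00, 0x08, 0x10, 0x18, 0x20)]
    if any(v is None for v in w):
        return False
    name, fullname, labelnames, count, ops = w
    return all(is_kptr(p) for p in (name, fullname, labelnames)) and count < 64 and ops in words


def implemented_callouts(words, ops_base, members):
    """Non-NULL slots of the ops array as (offset, member name, handler address)."""
    found = []
    for i, name in enumerate(members):
        addr = ops_base + 8 * i
        if addr not in words:
            break  # the dump (or header excerpt) ends before the struct does
        if words[addr]:
            found.append((8 * i, name, words[addr]))
    return found


def analyze(dump_text, header_text):
    """{conf_address: (ops_address, callouts)} for every policy conf found in the dump."""
    words, members = parse_dump(dump_text), parse_ops_members(header_text)
    return {base: (words[base + 0x20], implemented_callouts(words, words[base + 0x20], members))
            for base in sorted(words) if looks_like_policy_conf(words, base)}


if __name__ == "__main__":
    for conf, (ops, callouts) in analyze(DUMP, MAC_POLICY_H).items():
        print(f"mac_policy_conf @ {conf:#x}, mpc_ops -> {ops:#x}")
        for off, name, target in callouts:
            print(f"  +{off:#04x} {name:<40} -> {target:#x}")
```

On the sample this reports the three hooks visible in darkknight's dump at +0x30, +0x58 and +0x68; on a full dump with the full header it lists every callout the policy implements.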

Re: Exploring MACF

Postby darkknight » Thu Aug 17, 2017 2:02 am

Think I found the source of my confusion. So on page 52 it says you grep for TEXT to get the callouts.

JCOLOR=1 jtool -d __DATA.__const com.apple.driver.AppleMobileFileIntegrity.kext | grep TEXT
Opened companion File: ./com.apple.driver.AppleMobileFileIntegrity.kext.ARM64.FAAEA5BB-2C25-31C1-AAB7-99A5B7800035
Dumping from address 0xffffff8008d40350 (Segment: __DATA.__const) to end of section
Address : 0xffffff8008d40350 = Offset 0x30350
0xffffff8008d40a50: 74 94 d1 08 80 ff ff ff (0xffffff8008d19474 __TEXT.__const, no symbol)
0xffffff8008d40a60: 7d 94 d1 08 80 ff ff ff (0xffffff8008d1947d __TEXT.__const, no symbol)
0xffffff8008d40a70: 86 94 d1 08 80 ff ff ff (0xffffff8008d19486 __TEXT.__const, no symbol)
0xffffff8008d40a80: 8f 94 d1 08 80 ff ff ff (0xffffff8008d1948f __TEXT.__const, no symbol)
0xffffff8008d40a90: 98 94 d1 08 80 ff ff ff (0xffffff8008d19498 __TEXT.__const, no symbol)

But that returns __TEXT.__const as opposed to __TEXT.__text listed in the example. And that is what I was trying to make sense of in my environment. But as you pointed out, if I go to 0xffffff8008d40be8 from below

Code:
0xffffff8008d41660: c4 85 d1 08 80 ff ff ff  "AMFI" -
0xffffff8008d41668: c9 85 d1 08 80 ff ff ff  "Apple Mobile File Integrity" -
0xffffff8008d41670: 70 1d d4 08 80 ff ff ff  (0xffffff8008d41d70 __DATA.__data, no symbol)
0xffffff8008d41678: 01 00 00 00 00 00 00 00
0xffffff8008d41680: e8 0b d4 08 80 ff ff ff  (0xffffff8008d40be8 __DATA.__const, no symbol)
0xffffff8008d41688: 00 00 00 00 00 00 00 00
0xffffff8008d41690: d0 1e d4 08 80 ff ff ff  (0xffffff8008d41ed0 __DATA.__bss, no symbol)
0xffffff8008d41698: 01 00 00 00 00 00 00 00
0xffffff8008d416a0: 00 00 00 00 00 00 00 00
0xffffff8008d416a8: 00 00 00 00 00 00 00 00


Then I get the following:
Code:
...........................
0xffffff8008d40be8: 00 00 00 00 00 00 00 00
0xffffff8008d40bf0: 00 00 00 00 00 00 00 00
0xffffff8008d40bf8: 00 00 00 00 00 00 00 00
0xffffff8008d40c00: 00 00 00 00 00 00 00 00
0xffffff8008d40c08: 00 00 00 00 00 00 00 00
0xffffff8008d40c10: 00 00 00 00 00 00 00 00
0xffffff8008d40c18: 8c 60 d1 08 80 ff ff ff  func_ffffff8008d1608c 
0xffffff8008d40c20: 00 00 00 00 00 00 00 00
0xffffff8008d40c28: 00 00 00 00 00 00 00 00
0xffffff8008d40c30: 00 00 00 00 00 00 00 00
0xffffff8008d40c38: 00 00 00 00 00 00 00 00
0xffffff8008d40c40: 94 60 d1 08 80 ff ff ff  func_ffffff8008d16094 
0xffffff8008d40c48: 00 00 00 00 00 00 00 00
0xffffff8008d40c50: fc 60 d1 08 80 ff ff ff  func_ffffff8008d160fc 


where func_* implements the hook etc. So ffffff8008d1608c looks like...

[attachment: Screen Shot 2017-08-16 at 6.49.40 PM.png]

and so on...

So the results of jtool -d __DATA.__const com.apple.driver.AppleMobileFileIntegrity.kext | grep TEXT was what threw me for a loop.

Thanks for the assistance man. Appreciated...

Re: Exploring MACF

Postby morpheus » Thu Aug 17, 2017 10:58 am

Clarification:

I say somewhere in the book that the AMFI example has changed and as of 9.something they do the assignments in code. You can grep __DATA.__const or __DATA_CONST.__const in the case of Sandbox, but AMFI does assignments in code. You'd be looking at

root@Zephyr (~/Documents/iOS) #~/Documents/Work/JTool/joker -K com.apple.driver.AppleMobileFileIntegrity kernelcache.release.ipad7
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 15360164, Uncompressed: 31162368. Unknown (CRC?): 0x9650ab0f, Unknown 1: 0x1
Got kernel at 432
got mem 0x11a673000
mmapped: 0x11a673000
This is a 64-bit kernel from iOS 11.x (b1+), or later (4481.0.0.2.1)
ARM64 Exception Vector is at file offset @0xc7000 (Addr: 0xfffffff0070cb000)
Found com.apple.driver.AppleMobileFileIntegrity at load address: fffffff005b9aa80, offset: 666a80
Writing kext out to /tmp/com.apple.driver.AppleMobileFileIntegrity.kext
...
Symbolicated stubs to /tmp/com.apple.driver.AppleMobileFileIntegrity.kext.ARM64.DB261F08-D56B-3456-8E6A-7A7D8B03AEEA


And then, with jtool -d, you'd be working back from

Code:
fffffff0061999ac        ADRP    X1, 3178                ; ->R1 = 0xfffffff006e03000
fffffff0061999b0        ADD     X1, X1, #1340   ; X1 = 0xfffffff006e0353c -|
fffffff0061999b4        MOVZ    X2, 0x0                 ; ->R2 = 0x0
fffffff0061999b8        BL      _mac_policy_register.stub       ; 0xfffffff00619b520



so that

Code:
fffffff006199958        ADRP    X8, 2097151             ; ->R8 = 0xfffffff006198000
fffffff00619995c        ADD     X8, X8, #3840   ; X8 = 0xfffffff006198f00 -|
fffffff006199960        ADRP    X0, 3178                ; ->R0 = 0xfffffff006e03000
fffffff006199964        ADD     X0, X0, #4032   ; X0 = 0xfffffff006e03fc0 -|
fffffff006199968        STR     X8, [X9, #288]          ;$ *(R9 + 288) = *(0xfffffff006e03668) = R8 = X8  0xfffffff006198f00  <- X8 stored in policy_ops
fffffff00619996c        ADRP    X8, 2095619             ; ->R8 = 0xfffffff005b9c000
fffffff006199970        ADD     X8, X8, #1041   "AMFI"; X8 = 0xfffffff005b9c411 -|. <-- Policy
fffffff006199974        ADRP    X10, 2095619            ; ->R10 = 0xfffffff005b9c000
fffffff006199978        ADD     X10, X10, #1046 "Apple Mobile File Integrity"; X10 = 0xfffffff005b9c416 -| <-- Policy full name
fffffff00619997c        STP     X8, X10, [X0, #0]               ;$ *(R0 + 0) = *(0xfffffff006e03fc0) = R8


And that gets you the policy ops (loaded into x8, one at a time, and saved).

For sandbox, you can do __DATA_CONST.__const, and joker automatically gets you the ops:

~/Documents/Work/JTool/joker -K com.apple.security.sandbox kernelcache.release.ipad7
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 15360164, Uncompressed: 31162368. Unknown (CRC?): 0x9650ab0f, Unknown 1: 0x1
Got kernel at 432
got mem 0x126dcb000
mmapped: 0x126dcb000
This is a 64-bit kernel from iOS 11.x (b1+), or later (4481.0.0.2.1)

Found policy at 0xfffffff006fac7e8
...Getting value : 0xfffffff005fc80b7
Policy name: Sandbox
Flags: 0
Ops: fffffff006fac840
...Getting value : 0xfffffff006fac840
Dumped 335 MAC Policy ops!
Symbolicated stubs to /tmp/com.apple.security.sandbox.kext.ARM64.0F19961F-D7BF-39BD-A890-34FE4204AC83




AAPL had changed that when I was halfway into the chapter, so I figured I'd leave the experiment as is, and add a note on it.

Re: Exploring MACF

Postby darkknight » Fri Aug 18, 2017 4:32 pm

Thanks for the clarification @morpheus and thanks again @s1guza...