CSOPS and Jailbreak Detection

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Post by darkknight » Fri May 04, 2018 6:43 pm

@S1guza
I had a question about this project you started some time ago - https://twitter.com/s1guza/status/932444509933326336. What options are you using to determine the state of code signing... CS_OPS_[CDHASH/STATUS] etc.?
darkknight
 
Posts: 86
Joined: Mon Apr 18, 2016 10:49 pm

Re: CSOPS and Jailbreak Detection

Post by Siguza » Sat May 05, 2018 3:41 pm

Syscall 169 (csops() in bsd/kern/kern_proc.c).
Siguza
Unicorn
 
Posts: 200
Joined: Thu Jan 28, 2016 10:38 am

Re: CSOPS and Jailbreak Detection

Post by darkknight » Sat May 05, 2018 5:39 pm

Right... so the question was more geared towards the flag you were using, i.e. _IDENTITY/CDHASH etc.: syscall(SYS_csops, pid, CS_OPS_IDENTITY, buff, 4096) etc.

Makes sense?
darkknight
 
Posts: 86
Joined: Mon Apr 18, 2016 10:49 pm

Re: CSOPS and Jailbreak Detection

Post by Siguza » Sat May 05, 2018 7:20 pm

Oh I see, sorry.
Code:
uint32_t ret = 0;
csops(0, CS_OPS_STATUS, &ret, sizeof(ret)); // 0 here means "current process"
Siguza
Unicorn
 
Posts: 200
Joined: Thu Jan 28, 2016 10:38 am

Re: CSOPS and Jailbreak Detection

Post by darkknight » Sun May 06, 2018 7:48 pm

Siguza wrote: Oh I see, sorry.
Code:
uint32_t ret = 0;
csops(0, CS_OPS_STATUS, &ret, sizeof(ret)); // 0 here means "current process"

Kewl thanks man....
darkknight
 
Posts: 86
Joined: Mon Apr 18, 2016 10:49 pm

Re: CSOPS and Jailbreak Detection

Post by morpheus » Mon May 07, 2018 1:13 am

Note that this can't reliably detect any jailbreak. Flags could still be toggled to CS_VALID | whatever. Also there are some csops() operations (notably IDENT) which AAPL now applies a MACF hook for.
morpheus
Site Admin
 
Posts: 650
Joined: Thu Apr 11, 2013 6:24 pm
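
A sketch of how the CS_OPS_STATUS result from the snippet above can be read and turned into findings, with the caveat from the last post carried into the comments. This is an added example, not code from any poster in this thread; the flag values are assumed from XNU's code-signing header, and `cs_self_status`, `cs_findings` and the `F_*` bits are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Values assumed from XNU's code-signing header. */
#define CS_OPS_STATUS     0           /* csops() operation: return status flags */
#define CS_VALID          0x00000001u /* dynamically valid */
#define CS_GET_TASK_ALLOW 0x00000004u /* has get-task-allow entitlement */
#define CS_DEBUGGED       0x10000000u /* is/was debugged, ran with invalid pages */

/* Hypothetical finding bits used only by this example. */
enum { F_NOT_VALID = 1, F_DEBUGGED = 2, F_TASK_ALLOW = 4 };

#ifdef __APPLE__
/* Not declared in the public SDK headers; exported by libSystem. */
int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
#endif

/* Read the calling process's status flags (pid 0 = current process).
 * Returns 0 on success, -1 on failure or on a non-Apple platform. */
int cs_self_status(uint32_t *flags) {
#ifdef __APPLE__
    return csops(0, CS_OPS_STATUS, flags, sizeof(*flags)) == 0 ? 0 : -1;
#else
    (void)flags;
    return -1;
#endif
}

/* Map raw flags to findings. A result of 0 is not proof of an untampered
 * device: as noted in the thread, the flags can be toggled back to look
 * valid, so treat this as one weak signal among several. */
unsigned cs_findings(uint32_t flags) {
    unsigned f = 0;
    if (!(flags & CS_VALID))       f |= F_NOT_VALID;
    if (flags & CS_DEBUGGED)       f |= F_DEBUGGED;
    if (flags & CS_GET_TASK_ALLOW) f |= F_TASK_ALLOW;
    return f;
}

int main(void) {
    uint32_t flags = 0;
    if (cs_self_status(&flags) != 0) {
        puts("csops(CS_OPS_STATUS) unavailable or failed");
        return 1;
    }
    printf("flags=0x%08x findings=0x%x\n", flags, cs_findings(flags));
    return 0;
}
```

A failing `csops()` call is itself worth recording, since a well-formed process should be able to query its own status.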

