Skip to content

Commit

Permalink
add hash agility patch
Browse files Browse the repository at this point in the history
  • Loading branch information
@miticollo
Tom E authored and miticollo committed Feb 6, 2023
1 parent 2326647 commit 51a6a0b
Showing 1 changed file with 36 additions and 0 deletions.
36 changes: 36 additions & 0 deletions checkra1n/kpf/main.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1926,6 +1926,32 @@ bool kpf_amfi_mac_syscall_low(struct xnu_pf_patch *patch, uint32_t *opcode_strea
// So we need to follow the b.eq for 0x5a here.
return kpf_amfi_mac_syscall(patch, opcode_stream + 3 + sxt32(opcode_stream[3] >> 5, 19)); // uint32 takes care of << 2
}

// written in nano fr
bool kpf_amfi_hash_agility(struct xnu_pf_patch *patch, uint32_t *opcode_stream) {
uint64_t page = ((uint64_t)(opcode_stream) & ~0xfffULL) + adrp_off(opcode_stream[0]);
uint32_t off = (opcode_stream[1] >> 10) & 0xfff;
const char *str = (const char *)(page + off);

if (strcmp(str, "AMFI: \'%s\': no hash agility data and first cd hash type (%d) does not match best cd hash type (%d)\n") == 0) {
uint32_t *b = find_next_insn(opcode_stream, 0x6, 0x14000000, 0xff000000);

b[0] = NOP;

printf("KPF: found not best cdhash type\n");
return true;
} else if (strcmp(str, "AMFI: \'%s\': first code directory doesn\'t match the best code directory, but no hash agility data") == 0) {
uint32_t *b = find_next_insn(opcode_stream, 0x4, 0x14000000, 0xff000000);

b[0] = NOP;

printf("KPF: found not best code directory\n");
return true;
} else {
return false;
}
}

void kpf_amfi_kext_patches(xnu_pf_patchset_t* patchset) {
// this patch helps us find the return of the amfi function so that we can jump into shellcode from there and modify the cs flags
// to do that we search for the sequence below also as an example from i7 13.3:
Expand Down Expand Up @@ -2109,6 +2135,16 @@ void kpf_amfi_kext_patches(xnu_pf_patchset_t* patchset) {
0xff00001f,
};
xnu_pf_maskmatch(patchset, "amfi_mac_syscall_low", iiii_matches, iiii_masks, sizeof(iiii_matches)/sizeof(uint64_t), false, (void*)kpf_amfi_mac_syscall_low);

uint64_t iiiiii_matches[] = {
0x00000000,
0x91000000,
};
uint64_t iiiiii_masks[] = {
0x0f000000,
0xff000000,
};
xnu_pf_maskmatch(patchset, "hash_agility", iiiiii_matches, iiiiii_masks, sizeof(iiiiii_matches)/sizeof(uint64_t), false, (void*)kpf_amfi_hash_agility);
}

void kpf_sandbox_kext_patches(xnu_pf_patchset_t* patchset) {
Expand Down

0 comments on commit 51a6a0b

Please sign in to comment.