mirror of
https://github.com/carlospolop/hacktricks
synced 2025-02-16 14:08:26 +00:00
GITBOOK-3916: change request with no subject merged in GitBook
This commit is contained in:
parent
b212998555
commit
67ef248850
4 changed files with 66 additions and 23 deletions
@ -148,7 +148,8 @@
|
|||
* [macOS Network Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
||||
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
||||
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-serial-number.md)
|
||||
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md)
|
||||
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
||||
* [ARM64 Basic Assembly](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||
|
||||
## 🪟 Windows Hardening
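Review bot: the new `* [ARM64 Basic Assembly](.../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)` entry must be indented one level under `macOS Apps - Inspecting, debugging and Fuzzing` in SUMMARY.md, otherwise GitBook renders it as a sibling page instead of a child of the new `README.md` directory; the rendering here shows both at the same level, so please verify the indentation survived. Minor: the parent title mixes capitalisation (`debugging` vs `Fuzzing`); the other entries in this list capitalise every word.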
@ -244,8 +244,8 @@ printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharin
|
|||
|
||||
### MacOS - Inspecting, Debugging and Fuzzing
|
||||
|
||||
{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing.md" %}
|
||||
[macos-apps-inspecting-debugging-and-fuzzing.md](macos-apps-inspecting-debugging-and-fuzzing.md)
|
||||
{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing/" %}
|
||||
[macos-apps-inspecting-debugging-and-fuzzing](macos-apps-inspecting-debugging-and-fuzzing/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## MacOS Security Mechanisms
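Review bot: the heading `### MacOS - Inspecting, Debugging and Fuzzing` no longer matches the SUMMARY.md title for the same page (`macOS Apps - Inspecting, debugging and Fuzzing`); settle on one spelling (`macOS`) and one title so the section and the sidebar agree. The content-ref change from `macos-apps-inspecting-debugging-and-fuzzing.md` to `macos-apps-inspecting-debugging-and-fuzzing/` is correct for a page that became a directory with a `README.md`, as long as the old `.md` was moved rather than copied; if both remain, two pages with the same title will be published.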
@ -88,7 +88,7 @@ It will be mounted in `/Volumes`
|
|||
|
||||
When a function is called in a binary that uses objective-C, the compiled code instead of calling that function, it will call **`objc_msgSend`**. Which will be calling the final function:
|
||||
|
||||
![](<../../.gitbook/assets/image (560).png>)
|
||||
![](<../../../.gitbook/assets/image (560).png>)
|
||||
|
||||
The params this function expects are:
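Review bot: the path bump from `../../.gitbook/assets/image (560).png` to `../../../.gitbook/assets/image (560).png` is the right consequence of moving this page one directory deeper, but this change only touches images and one section link; every other relative reference in the moved file (other images, `content-ref` URLs, links to sibling pages) needs the same extra `../`, so please grep the file for `../` before merging. While here, the context sentence reads awkwardly: `When a function is called in a binary that uses objective-C, the compiled code instead of calling that function, it will call objc_msgSend. Which will be calling the final function:` should be something like "When a function is called in a binary that uses Objective-C, the compiled code calls `objc_msgSend` instead, which then calls the final function:".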
@ -132,11 +132,11 @@ In the left panel of hopper it's possible to see the symbols (**Labels**) of the
|
|||
|
||||
In the middle panel you can see the **dissasembled code**. And you can see it a **raw** disassemble, as **graph**, as **decompiled** and as **binary** by clicking on the respective icon:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Right clicking in a code object you can see **references to/from that object** or even change its name (this doesn't work in decompiled pseudocode):
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Moreover, in the **middle down you can write python commands**.
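Review bot: same mechanical `../../` to `../../../` bump as the previous hunk, fine for the move. The surrounding text has typos worth fixing in the same pass: `dissasembled code` should be `disassembled code`, `you can see it a raw disassemble, as graph, as decompiled and as binary` should read "you can view it as raw disassembly, as a graph, decompiled, or as binary", and `Right clicking in a code object` should be "Right-clicking on a code object".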
@ -163,6 +163,8 @@ ktrace trace -s -S -t c -c ls | grep "ls("
|
|||
|
||||
It allows users access to applications at an extremely **low level** and provides a way for users to **trace** **programs** and even change their execution flow. Dtrace uses **probes** which are **placed throughout the kernel** and are at locations such as the beginning and end of system calls.
|
||||
|
||||
DTrace uses the **`dtrace_probe_create`** function to create a probe for each system call. These probes can be fired in the **entry and exit point of each system call**. The interaction with DTrace occur through /dev/dtrace which is only available for the root user.
|
||||
|
||||
The available probes of dtrace can be obtained with:
|
||||
|
||||
```bash
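Review bot: the added paragraph has grammar slips that change its precision: `These probes can be fired in the entry and exit point of each system call` should be "at the entry and exit points of each system call", and `The interaction with DTrace occur through /dev/dtrace` needs `occurs`. It would also help to say which provider these per-system-call probes belong to, since the example probe name two hunks further down (`fbt:mach_kernel:ptrace:entry`) uses the `fbt` provider, and the reader is left to guess whether the `dtrace_probe_create` sentence describes the same probes. The root-only note on `/dev/dtrace` is good; make `/dev/dtrace` inline code for consistency with `dtrace_probe_create`.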
@ -177,10 +179,14 @@ dtrace -l | head
|
|||
|
||||
The probe name consists of four parts: the provider, module, function, and name (`fbt:mach_kernel:ptrace:entry`). If you not specifies some part of the name, Dtrace will apply that part as a wildcard.
|
||||
|
||||
To configure DTrace to activate probes and to specify what actions to perform when they fire, we will need to use the D language.
|
||||
|
||||
A more detailed explanation and more examples can be found in [https://illumos.org/books/dtrace/chp-intro.html](https://illumos.org/books/dtrace/chp-intro.html)
|
||||
|
||||
#### Examples
|
||||
|
||||
Run `man -k dtrace` to list the **DTrace scripts available**. Example: `sudo dtruss -n binary`
|
||||
|
||||
* In line
|
||||
|
||||
```bash
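Review bot: in `Example: sudo dtruss -n binary`, dtruss's `-n` option matches running or newly launched processes by process name, not by path, so `binary` here should be shown as a process name (the executable's basename) rather than something that looks like a file argument; a short comment saying so would avoid readers passing a path. `man -k dtrace` is a fine way to list the bundled scripts, but it keyword-searches man page descriptions, so say "list the DTrace-based scripts shipped with macOS" to set expectations. Context-line grammar: `If you not specifies some part of the name, Dtrace will apply that part as a wildcard` should be "If you omit part of the name, DTrace treats that part as a wildcard", and `can be found in https://illumos.org/...` reads better as "can be found at".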
@ -261,22 +267,23 @@ lldb -n malware.bin
|
|||
lldb -n malware.bin --waitfor
|
||||
```
|
||||
|
||||
| **(lldb) Command** | **Description** |
|
||||
| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| **run (r)** | Starting execution, which will continue unabated until a breakpoint is hit or the process terminates. |
|
||||
| **continue (c)** | Continue execution of the debugged process. |
|
||||
| **nexti (n)** | Execute the next instruction. This command will skip over function calls. |
|
||||
| **stepi (s)** | Execute the next instruction. Unlike the nexti command, this command will step into function calls. |
|
||||
| **finish (f)** | Execute the rest of the instructions in the current function (“frame”) return and halt. |
|
||||
| **control + c** | Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing. |
|
||||
| **breakpoint (b)** | <p>b main</p><p>b -[NSDictionary objectForKey:]</p><p>b 0x0000000100004bd9</p><p>br l #Breakpoint list</p><p>br e/dis <num> #Enable/Disable breakpoint</p><p>breakpoint delete <num></p> |
|
||||
| **help** | <p>help breakpoint #Get help of breakpoint command</p><p>help memory write #Get help to write into the memory</p> |
|
||||
| **reg** | <p>reg read $rax</p><p>reg write $rip 0x100035cc0</p> |
|
||||
| **x/s \<reg/memory address>** | Display the memory as a null-terminated string. |
|
||||
| **x/i \<reg/memory address>** | Display the memory as assembly instruction. |
|
||||
| **x/b \<reg/memory address>** | Display the memory as byte. |
|
||||
| **print object (po)** | <p>This will print the object referenced by the param</p><p>po $raw</p><p><code>{</code></p><p><code>dnsChanger = {</code></p><p><code>"affiliate" = "";</code></p><p><code>"blacklist_dns" = ();</code></p><p>Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use <code>x/b</code><br></p> |
|
||||
| **memory write** | memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address |
|
||||
| **(lldb) Command** | **Description** |
|
||||
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| **run (r)** | Starting execution, which will continue unabated until a breakpoint is hit or the process terminates. |
|
||||
| **continue (c)** | Continue execution of the debugged process. |
|
||||
| **nexti (n / ni)** | Execute the next instruction. This command will skip over function calls. |
|
||||
| **stepi (s / si)** | Execute the next instruction. Unlike the nexti command, this command will step into function calls. |
|
||||
| **finish (f)** | Execute the rest of the instructions in the current function (“frame”) return and halt. |
|
||||
| **control + c** | Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing. |
|
||||
| **breakpoint (b)** | <p>b main</p><p>b -[NSDictionary objectForKey:]</p><p>b 0x0000000100004bd9</p><p>br l #Breakpoint list</p><p>br e/dis <num> #Enable/Disable breakpoint</p><p>breakpoint delete <num><br>b set -n main --shlib <lib_name></p> |
|
||||
| **help** | <p>help breakpoint #Get help of breakpoint command</p><p>help memory write #Get help to write into the memory</p> |
|
||||
| **reg** | <p>reg read</p><p>reg read $rax</p><p>reg write $rip 0x100035cc0</p> |
|
||||
| **x/s \<reg/memory address>** | Display the memory as a null-terminated string. |
|
||||
| **x/i \<reg/memory address>** | Display the memory as assembly instruction. |
|
||||
| **x/b \<reg/memory address>** | Display the memory as byte. |
|
||||
| **print object (po)** | <p>This will print the object referenced by the param</p><p>po $raw</p><p><code>{</code></p><p><code>dnsChanger = {</code></p><p><code>"affiliate" = "";</code></p><p><code>"blacklist_dns" = ();</code></p><p>Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use <code>x/b</code></p> |
|
||||
| **memory** | <p>memory read 0x000....<br>memory read $x0+0xf2a<br>memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address<br>memory write -f s $rip+0x11f+7 "AAAA" #Write AAAA in the addr</p> |
|
||||
| **disassembly** | <p>dis #Disas current function<br>dis -c 6 #Disas 6 lines<br>dis -c 0x100003764 -e 0x100003768 # From one add until the other<br>dis -p -c 4 # Start in current addres disassembling</p> |
|
||||
|
||||
{% hint style="info" %}
|
||||
When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method** as a null-terminated (“C”) string. To print the name via lldb do:
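Review bot: in the new `disassembly` row, `dis -c 0x100003764 -e 0x100003768 # From one add until the other` is wrong: lldb's `-c` is the instruction count, so this asks for 0x100003764 instructions; disassembling a range is `dis -s 0x100003764 -e 0x100003768`. In the same row, `dis -c 6 #Disas 6 lines` disassembles 6 instructions, not lines, and `Start in current addres` has a typo. Two consistency problems the rewrite carried over rather than fixed: `po $raw` in the `print object (po)` row is not a register (the `reg` row uses `$rax`, which is presumably what was meant), and the table now mixes x86_64 names (`$rax`, `$rip`) with arm64 ones (`$x0` in `memory read $x0+0xf2a`) without saying which architecture each example is for; a one-line note that selector and argument registers differ between the two would stop readers applying `$rip` examples on Apple Silicon. Finally, the context hint right after the table says `objc_sendMsg`, while the hunk at `@ -88` correctly calls it `objc_msgSend`; fix the name.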
@ -346,7 +353,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
|
|||
|
||||
### Internal Handlers
|
||||
|
||||
[**Checkout this section**](./#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
|
||||
[**Checkout this section**](../#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
|
||||
|
||||
### Enumerating Network Processes
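Review bot: `./#file-extensions-apps` to `../#file-extensions-apps` is the correct fix for the move, since the `file-extensions-apps` anchor lives in the parent README and the page now sits one directory deeper. Grammar in the same line: `Checkout this section` should be "Check out this section" and `responsible of handling` should be "responsible for handling".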
@ -0,0 +1,35 @@
|
|||
# ARM64 Basic Assembly
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
* **`sub sp, sp, #0x40`**: This instruction subtracts the hexadecimal value 0x40 (64 in decimal) from the stack pointer (`sp`). This effectively **reserves 64 bytes of space on the stack for local variables and saved registers**.
|
||||
* **`stp x29, x30, [sp, #0x30]`**: The `stp` (store pair of registers) instruction **stores the values of the x29 and x30 registers into the memory locations pointed to by `sp` plus an offset of 0x30 (48 in decimal)**. In the context of this function prologue, **x29 is the frame pointer** and **x30 is the link register** (return address).
|
||||
* **`add x29, sp, #0x30`**: This instruction **adds** the hexadecimal value **0x30** (48 in decimal) to the **stack pointer** and **stores** the result in the **x29 register**. In other words, it **sets the frame pointer (`x29`)** to point to the part of the stack where the function's frame begins.
|
||||
* **`adrp x0, 0`**: The `adrp` (address of page) instruction computes the address of the 4KB page that contains the address given as the second operand, and stores that page address into the specified register (here, `x0`). In this case, the address is 0, so it's loading the address of the page containing the address 0 into `x0`. This is often used in conjunction with a following `add` or `ldr` instruction to form a complete address, but without that instruction, it's unclear exactly what is being referenced.
|
||||
* **`bl 0x100003ec8`**: The `bl` (branch with link) instruction jumps to the subroutine located at the memory address `0x100003ec8`. In this case, the comment suggests that it's a "stub" for `printf`, a common function for formatted output in C. The "link" part of this instruction means that the return address (the next instruction after this `bl` instruction) is stored in the link register (`x30`), so the program knows where to return after the `printf` function completes.
|
||||
* **`add x0, x0, #0xf2a`**: This instruction adds the hexadecimal value `0xf2a` to the value currently stored in `x0`, and stores the result back in `x0`. The comment suggests that the resulting address points to the string "/tmp/hello-c.txt", probably located in the program's memory space. The `adrp` and `add` instructions together form an address pointing to this string.
|
||||
|
||||
\
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
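Review bot: the new page explains six instructions but never shows the disassembly listing they come from, so the references to `the comment suggests that it's a "stub" for printf` and `the comment suggests that the resulting address points to the string "/tmp/hello-c.txt"` point at comments the reader cannot see; paste the annotated listing in a code block above the bullets. The bullets are also out of execution order: `add x0, x0, #0xf2a` has to run before `bl 0x100003ec8` (it completes the `printf` argument in `x0`), so move the `add` bullet above the `bl` bullet and consider merging it with the `adrp` bullet, since the `adrp` bullet currently says it is "unclear exactly what is being referenced" and the very next bullets resolve it. On that point, `adrp x0, 0` is PC-relative: the immediate is a page offset from the page containing the instruction, so it yields the current 4 KiB page (`0x100003000` here, given that `bl 0x100003ec8` sits in that page), not "the page containing the address 0"; the following `add` then produces `0x100003f2a`. Minor: the stray `\` line before the closing `<details>` block is a GitBook hard-break artifact and should go, and the page has no intro sentence before the bullet list.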