
Comments (7)

stek29 commented on August 17, 2024

@NewDwarf You need the platform-application entitlement.

$ cat ent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
</dict>
</plist>

$ jtool --sign --inplace --ent ent.plist hello

from async_wake-fun.

ninjaprawn commented on August 17, 2024

Hm ok. I didn't expect inject_amfid to be in a zombie state. I guess opening a separate thread with dlopen still has the constructor running; might look into it, or just turn it into some useful daemon.

inject_amfid is a simple process that takes in the pid of amfid. It then retrieves the task port of it. Then it uses some of Ian Beer's code from triple_fetch to call a function remotely in a process. We can do this since pretty much all functions are loaded in from the dyld_shared_cache, which has a shared address space (for efficiency reasons). We call dlopen in amfid with our own dylib (amfid_payload.dylib). This dylib pretty much just replaces the function pointer to MISValidateSignatureAndCopyInfo with our own. Note that whenever a binary references a function statically, its reference is put into a section within the Mach-O, which is what we override.

The reason I can replace the pointer to the real function with my function, and it still works, is because we dlopen'd our dylib in the amfid space but didn't dlclose it. This means that everything is still "loaded" into amfid's address space, so we can still call it. (However, this does mean there is a random handle still in there, but it doesn't really matter.)

from async_wake-fun.

NewDwarf commented on August 17, 2024

Nice idea. Thanks for the explanation. Do you have plans to put http://newosxbook.com/files/binpack64.tar in your app? The content of this archive is already signed with SHA-256 and suitable for use on iOS 11.

from async_wake-fun.

NewDwarf commented on August 17, 2024

It looks like your injector for amfid doesn't work. I created the test app and ran it.
The test app doesn't run until the hash is inserted into the trusted kernel cache.

from async_wake-fun.

stek29 commented on August 17, 2024

@NewDwarf Why doesn't it work? Make sure your app is arm64 (not FAT), SHA-256 signed, and either has the platform-application entitlement or is launched by launchd.

from async_wake-fun.
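The three conditions in the comment above (thin arm64, SHA-256 CodeDirectory, platform-application entitlement) can all be read straight out of the binary's bytes, so they can be checked offline before blaming the amfid hook. The following is an added example written for this page; it is not code from async_wake-fun, jtool, or any of the commenters. It parses the 64-bit Mach-O header, walks the load commands to LC_CODE_SIGNATURE, decodes the embedded SuperBlob to reach the CodeDirectory hash type and the entitlements plist, and builds constructed minimal Mach-O samples (header, one load command, signature blob, no code pages) to run against. The function names inspect() and build_sample() and the sample identifier "hello" are assumptions of this example.

```python
"""Pre-flight checks for a binary expected to pass a patched amfid:
thin arm64 Mach-O, SHA-256 CodeDirectory, platform-application entitlement.
Added example; not code from async_wake-fun."""
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGICS = {0xCAFEBABE, 0xBEBAFECA, 0xCAFEBABF, 0xBEBAFECB}   # fat/fat64, either byte order
CPU_TYPE_ARM64 = 0x0100000C        # CPU_TYPE_ARM | CPU_ARCH_ABI64; otool -h prints 16777228
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_ENTITLEMENTS = 0xFADE7171
CSSLOT_CODEDIRECTORY, CSSLOT_ENTITLEMENTS = 0, 5
HASH_TYPES = {1: "SHA-1", 2: "SHA-256", 3: "SHA-256 (truncated)", 4: "SHA-384"}


def inspect(data: bytes) -> dict:
    """Return cputype, identifier, hash type, entitlement state and a list of problems."""
    info = {"problems": []}
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in FAT_MAGICS:
        info["problems"].append("FAT binary: ship a thin arm64 slice instead")
        return info
    if magic != MH_MAGIC_64:
        info["problems"].append("not a 64-bit Mach-O")
        return info
    _, cputype, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    info["cputype"] = cputype
    if cputype != CPU_TYPE_ARM64:
        info["problems"].append("cputype is not arm64")
    # Load commands start right after the 32-byte mach_header_64.
    off, sig = 32, None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            sig = data[dataoff:dataoff + datasize]
        off += cmdsize
    if sig is None:
        info["problems"].append("no LC_CODE_SIGNATURE: binary is unsigned")
        return info
    # The SuperBlob and every sub-blob inside it are big-endian.
    smagic, _, count = struct.unpack_from(">III", sig, 0)
    if smagic != CSMAGIC_EMBEDDED_SIGNATURE:
        info["problems"].append("code signature does not start with a SuperBlob")
        return info
    slots = dict(struct.iter_unpack(">II", sig[12:12 + 8 * count]))   # slot type -> offset
    cd = slots.get(CSSLOT_CODEDIRECTORY)
    if cd is None:
        info["problems"].append("no CodeDirectory blob")
        return info
    # CodeDirectory: magic, length, version, flags, hashOffset, identOffset,
    # nSpecialSlots, nCodeSlots, codeLimit, hashSize, hashType
    fields = struct.unpack_from(">IIIIIIIIIBB", sig, cd)
    ident_off, hash_type = fields[5], fields[10]
    ident_start = cd + ident_off
    info["identifier"] = sig[ident_start:sig.index(b"\0", ident_start)].decode()
    info["hash_type"] = HASH_TYPES.get(hash_type, f"unknown ({hash_type})")
    if hash_type != 2:
        info["problems"].append(f"CodeDirectory hashes are {info['hash_type']}, not SHA-256")
    info["platform_application"] = False
    ent = slots.get(CSSLOT_ENTITLEMENTS)
    if ent is not None:
        emagic, elen = struct.unpack_from(">II", sig, ent)
        if emagic == CSMAGIC_ENTITLEMENTS:
            ents = plistlib.loads(sig[ent + 8:ent + elen])   # body is an XML plist
            info["platform_application"] = bool(ents.get("platform-application"))
    if not info["platform_application"]:
        info["problems"].append("no platform-application entitlement (needed unless launched by launchd)")
    return info


def _blob(magic: int, body: bytes) -> bytes:
    return struct.pack(">II", magic, 8 + len(body)) + body


def build_sample(cputype=CPU_TYPE_ARM64, hash_type=2, entitlements=None) -> bytes:
    """Constructed minimal Mach-O: header + LC_CODE_SIGNATURE + SuperBlob, no code pages.
    Enough for inspect(); it is not a loadable executable."""
    hash_size = 20 if hash_type == 1 else 32
    # CodeDirectory version 0x20001: 44-byte fixed header, identifier placed at offset 44.
    cd = struct.pack(">IIIIIIIBBBBI", 0x20001, 0, 0, 44, 0, 0, 0, hash_size, hash_type, 0, 12, 0) + b"hello\0"
    blobs = [(CSSLOT_CODEDIRECTORY, _blob(CSMAGIC_CODEDIRECTORY, cd))]
    if entitlements is not None:
        blobs.append((CSSLOT_ENTITLEMENTS, _blob(CSMAGIC_ENTITLEMENTS, plistlib.dumps(entitlements))))
    index, payload = b"", b""
    base = 12 + 8 * len(blobs)
    for slot, blob in blobs:
        index += struct.pack(">II", slot, base + len(payload))
        payload += blob
    sig = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, base + len(payload), len(blobs)) + index + payload
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + 16, len(sig))   # dataoff: right after the command
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0x00200085, 0)
    return header + lc + sig


if __name__ == "__main__":
    for label, sample in [
        ("SHA-256 signed, entitled arm64", build_sample(entitlements={"platform-application": True})),
        ("SHA-1 signed, no entitlement", build_sample(hash_type=1)),
        ("fat header", bytes.fromhex("cafebabe") + bytes(28)),
    ]:
        print(label, "->", inspect(sample))
```

For a real file, pass open("hello", "rb").read() to inspect(). The entitlement finding is advisory rather than fatal because, as the comment above says, a binary started by launchd does not need it; the FAT and hash-type findings match the two other conditions listed there.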

NewDwarf commented on August 17, 2024

Here is the sample code:
$ cat hello.m
#import <Foundation/Foundation.h>

int main (int argc, const char * argv[])
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    NSLog (@"Hello, World!");
    [pool drain];
    return 0;
}

Yes, it is a thin arm64 app, pseudo-signed (SHA-256) by jtool.

$ otool -h hello
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedfacf 16777228 0 0x00 2 20 1880 0x00200085

$ jtool --sig hello
Blob at offset: 49648 (624 bytes) is an embedded signature
Code Directory (574 bytes)
Version: 20001
Flags: none
CodeLimit: 0xc1f0
Identifier: hello (0x58)
CDHash: 92bf521f43a475303d9d3e3cd65d1bf5fe84ed140b1b457cfa338fa8a8f5c59f (computed)
# of Hashes: 13 code + 2 special
Hashes @158 size: 32 Type: SHA-256
Empty requirement set (12 bytes)

When I run 'hello' from the main app or from the shell console, 'hello' is killed by the kernel, as amfid (patched by amfid_payload.dylib) returns 'Bad Signature' (I guess).
If I insert the hash into the kernel's trust cache, 'hello' works fine.

This is the reason why I said that amfid hooking doesn't work.

What was your solution? How did you verify that pseudo-signed third-party code runs fine?

from async_wake-fun.

NewDwarf commented on August 17, 2024

@stek29 Thank you!

from async_wake-fun.
