This repo contains a jumble of experiments and notes exploring paths to function interposition and code injection.
Target version: macOS 10.15
macOS is the main focus of this work, as it seems to apply the most complex and convoluted layers out of all of the major desktop platforms at the moment.
- App Sandbox (guide)
  - Blocks access to files and system resources when the `com.apple.security.app-sandbox` entitlement is set
  - Can be relaxed through further entitlements (e.g. `com.apple.security.files.user-selected.read-write`, `com.apple.security.network.client`)
  - Apps get a special app container directory (`~/Library/Containers/<bundle id>`) to work with that only they can access
- Sandboxing via profiles (sometimes called "Seatbelt") such as those in `/System/Library/Sandbox/Profiles/*`
  - While this is marked as deprecated (`sandbox-exec(1)`, `sandbox_init(3)`), it's far more powerful than the newer App Sandbox, and remains heavily used by macOS system components, browsers, etc.
  - The newer App Sandbox makes use of this older system internally by applying the profile `/System/Library/Sandbox/Profiles/application.sb` during app startup
- Hardened Runtime
  - Blocks code injection (`DYLD_INSERT_LIBRARIES`, dylibs not signed by Apple or the same Team ID), memory access and debugger access when the signing option `-o runtime` is set (`codesign -o runtime ...`)
  - Can be relaxed through further entitlements (e.g. `com.apple.security.cs.disable-library-validation`, `com.apple.security.cs.allow-dyld-environment-variables`, `com.apple.security.get-task-allow`)
- Notarization
  - Developers send apps to Apple's notarization service, which returns a ticket (which can be stapled to the app with `stapler`) if they pass various undocumented checks
  - macOS 10.14.5 and later require notarization for kernel extensions and for apps signed with a newly issued Developer ID; macOS 10.15 extends this to all newly signed software
  - Requirements include:
    - Code signature
    - Hardened Runtime enabled
    - Secure timestamp in signature
    - `com.apple.security.get-task-allow` entitlement must not be present (but perhaps permissible when hosting plugins and disabling library validation as well)
    - Link against macOS 10.9 or later SDK
    - Must have properly-formatted XML ASCII entitlements
- System Integrity Protection
  - Blocks access to various system files via:
    - Paths listed in `/System/Library/Sandbox/rootless.conf`
    - Files marked with the `com.apple.rootless` xattr
  - Blocks access to Mach tasks for protected apps and those without the `get-task-allow` entitlement (all apps, or just hardened runtime?)
    - `SecTaskAccess` plist key on requester also plays some role
  - Blocks unsigned kernel extensions from loading
  - Can be disabled via `csrutil` in Recovery OS (current state: `csrutil status`)
- `task_for_pid` access enforcement
  - Some parts checked by kernel, others passed off to the `taskgated` daemon
  - Flags examined by these checks may include:
    - SIP protection status of target
    - `get-task-allow` entitlement on target
    - `SecTaskAccess` plist key on requester
    - `debugger` entitlement on requester
- Custom kernel extension
- Parent process spawning app via various methods
  - `NSTask`
  - XPC services
  - `spawn`
  - `launchApplication` (`NSWorkspace`)
- Stub process that absorbs code from disk and morphs into different app
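Most of the layers above (Hardened Runtime, the notarization requirements, the target-side `task_for_pid` flags) can be read straight off a binary's signing metadata, so a first step against any target is to triage it from `codesign -dvvv` and `codesign -d --entitlements :-` output. The script below is an added example, not part of these notes or of any Apple tool. It assumes the CodeDirectory flag bits from `cs_blobs.h` (`restrict`, `library-validation`, `runtime`), encodes the decision rules listed in the sections above, and runs on two constructed samples (a shipping hardened build and an Xcode debug build) rather than on captured output; on a real machine you would feed it the two `codesign` outputs for the target.

```python
import plistlib
import re

# CodeDirectory flag bits from <Kernel/kern/cs_blobs.h>; codesign prints the names in parentheses.
CS_RESTRICT = 0x800             # "restrict": dyld ignores DYLD_* environment variables
CS_LIBRARY_VALIDATION = 0x2000  # "library-validation": only Apple- or same-Team-ID-signed libraries load
CS_RUNTIME = 0x10000            # "runtime": Hardened Runtime (codesign -o runtime)

# Constructed sample of `codesign -dvvv Example.app` for a shipping, hardened build (not real output).
RELEASE_INFO = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 1, 2019 at 10:00:00 AM
"""
# Constructed sample of `codesign -d --entitlements :- Example.app` for the same build.
RELEASE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>
"""
# Constructed sample of an Xcode debug build: ad-hoc signed, no hardened runtime, get-task-allow set.
DEBUG_INFO = """\
Executable=/Users/dev/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20400 size=800 flags=0x2(adhoc) hashes=20+5 location=embedded
Signature=adhoc
"""
DEBUG_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>
"""


def parse_codesign_info(text):
    """Extract CodeDirectory flags and timestamp presence from `codesign -dvvv` output."""
    m = re.search(r"^CodeDirectory\b.*\bflags=(0x[0-9a-fA-F]+)", text, re.M)
    flags = int(m.group(1), 16) if m else 0
    return {
        "flags": flags,
        "hardened_runtime": bool(flags & CS_RUNTIME),
        "restrict": bool(flags & CS_RESTRICT),
        # Hardened Runtime implies library validation even when that bit is not set explicitly.
        "library_validation": bool(flags & (CS_LIBRARY_VALIDATION | CS_RUNTIME)),
        "secure_timestamp": re.search(r"^Timestamp=", text, re.M) is not None,
    }


def parse_entitlements(xml_bytes):
    """Parse the plist printed by `codesign -d --entitlements :-` (empty output means no entitlements)."""
    return plistlib.loads(xml_bytes) if xml_bytes.strip() else {}


def triage(info, ents):
    """Decide which injection paths from the notes remain open against this target."""
    allow_env = ents.get("com.apple.security.cs.allow-dyld-environment-variables", False)
    no_libval = ents.get("com.apple.security.cs.disable-library-validation", False)
    if info["restrict"] or (info["hardened_runtime"] and not allow_env):
        dyld = "blocked"                 # dyld drops DYLD_INSERT_LIBRARIES before the binary runs
    elif info["library_validation"] and not no_libval:
        dyld = "same-team-signed-only"   # injected dylib must carry the target's Team ID (or Apple's)
    else:
        dyld = "open"
    return {
        "dyld_insert_libraries": dyld,
        # Without get-task-allow on the target, task_for_pid falls back to the requester-side
        # checks (root, the debugger entitlement, SecTaskAccess) done by the kernel and taskgated.
        "target_has_get_task_allow": bool(ents.get("com.apple.security.get-task-allow", False)),
        "app_sandbox": bool(ents.get("com.apple.security.app-sandbox", False)),
    }


def notarization_blockers(info, ents):
    """Return the notarization requirements from the notes that this build fails."""
    blockers = []
    if not info["hardened_runtime"]:
        blockers.append("Hardened Runtime not enabled")
    if not info["secure_timestamp"]:
        blockers.append("no secure timestamp in signature")
    if ents.get("com.apple.security.get-task-allow", False):
        blockers.append("com.apple.security.get-task-allow entitlement present")
    return blockers


if __name__ == "__main__":
    for name, text, xml in (("release", RELEASE_INFO, RELEASE_ENTITLEMENTS),
                            ("debug", DEBUG_INFO, DEBUG_ENTITLEMENTS)):
        info, ents = parse_codesign_info(text), parse_entitlements(xml)
        print(name, triage(info, ents), notarization_blockers(info, ents))
```

On the release sample the hardened runtime alone closes `DYLD_INSERT_LIBRARIES` even though library validation is disabled, because the environment variable is discarded before validation ever runs; the debug sample is wide open and also fails three of the notarization requirements listed above, which is exactly why a notarized app cannot ship with `get-task-allow`.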