jmpews

static instrument + runtime kernel hook

I did similar work , share some tricks. 1. append a new segment (used as static memory allocator). 2.hook 1st inst of every block, and store all rewritten insts in the static memory allocator from step 1. 3.hack `thread_kcov_data` to achieve compatibility with kcov.

@CodeColorist 👍

Our very first blog post: “iOS 17, new version, new acronyms” #iOS17 #DFF #sptm #txm df-f.com/blog/ios17

@Lakr233 找个班上8️⃣

@khronokernel packed with kexts

A few weeks ago, we also had the KDK for 13.3 Beta 2 drop a few days *before* 13.3 Beta 2 itself. Additionally the first 2 KDKs of 13.3 were almost double the size, without any actual reason. Thankfully that issue seems to be mostly resolved with Beta 3

Whoever manages KDKs at Apple, hope you’re doing alright. Today’s KDK is labeled as the usual DMG but is actually PKG @-@ Simple rename works for anyone having issues

`bootstrap.tar` is copy from fugu15, and make some fixup, like dropbear logging issue, etc.

"you shall not pass" * 2

something changed: 1. is_table with SMR_POINTER wrap(16.2+ maybe) 2. new trust cache format (16.0+) 3. der format ent (serialize and deserialize with `der_encode_plist` and `der_decode_plist` from Security framework(15.0+) 4. proc to task

@merryhime_ trick with q0? (in some cases

@rh0main @fridadotre 4. xnuspy

@rh0main @fridadotre other tricks to trace syscall: 1. trace with dobby instrument(single instruction)(usersapce level)(github.com/jmpews/Dobby/b… maybe compile failed) 2. trace with kperf support(ktrace + ktrace_event_t parser)(kernel level) 3. dtrace on silicon(manual spawn app)(kernel level)

I'm happy to publish the second part of the series about iOS (de)Obfuscation and RASP protections. romainthomas.fr/post/22-09-ios… In particular, it introduces a new technique to "hook" syscalls on AArch64 based on 'gum_memory_patch_code' from @fridadotre

That's pretty straightforward

Based on the rate of research, you could say fuzzing is kind of a big deal. So many papers are being published it’s hard to track it all, let alone read it all. These repos are doing a good job indexing the papers: github.com/0xricksanchez/… github.com/wcventure/Fuzz…

I went back and merged Voyager-1 and Voyager-2 all into a single project. Now there are only 3 solutions, 2 of which are payloads. I can start working on more examples now that the code is not a mess...

Now you can hook kernel functions with custom code and sniff all mach messages passed in the system. github.com/alephsecurity/…

[BLOG] "Fuzzing binaries with LLVM's libFuzzer and rev.ng" by @antoniofrighez rev.ng/blog/fuzzing/p… #firstblood #revng #decompiler

Here are the slides from my BlackHat talk "iOS Kernel PAC, One Year Later", in which I consider how kernel PAC CFI has changed since its introduction in iOS 12 and examine 5 ways to bypass it in iOS 13: bazad.github.io/presentations/…

PoC gdb debugging of Win10 secure kernel, on top of QEMU-KVM github.com/commial/experi… Tiny examples includes debugging LsaIso, logging Skpg* function calls or logging secure services calls

Can't wait to present the progress we've made since #BHEU at @offensive_con! tfp0, full disk mounts with our own block device driver, most of the iOS services running, ssh and a textual framebuffer. #offensivecon