
Snake & Apple: Antivirus

@Karmaz95 Karmaz95 released this 28 Jun 11:06
· 54 commits to main since this release

MAJOR

  • Repaired a bug in checkDyldInsertLibraries that was missing the case for 0x10000 + insecure entitlements

  • I repaired all the bugs I missed after the latest updates to the lief library.

  • All tests were successful, so it should work for the latest lief version.

  • Added testDyldSLC and printtestDyldSLC to support the --test_dyld_SLC option, which tests for code injection using DYLD_SHARED_CACHE_DIR.

  • New Snake VII. Antivirus class with a bunch of new functionalities.

  • Added AMFI_test.sh script.

MINOR

  • Patched a TypeError caused by changes in the lief library:
    if arm64_bin == None:
       ^^^^^^^^^^^^^^^^^
TypeError: __eq__(): incompatible function arguments. The following argument types are supported:
    1. __eq__(self, arg: lief._lief.Object, /) -> bool

Invoked with types: lief._lief.MachO.Binary, NoneType

Now == cannot be used for this comparison; the check is written as arm64_bin is None instead.

  • Patched the getEndianess function because of changes in the lief library.
  File "/Users/karmaz/.local/bin/CrimsonUroboros", line 261, in getEndianess
    magic = self.binary.header.magic.name
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'lief._lief.MachO.MACHO_TYPES' object has no attribute 'name'

Now we must use the __name__ property.

  • __name__ patch in getDylibID
  File "/Users/karmaz/.local/bin/CrimsonUroboros", line 1365, in getDylibID
    if cmd.command.name == 'ID_DYLIB':
       ^^^^^^^^^^^^^^^^
AttributeError: 'lief._lief.MachO.LOAD_COMMAND_TYPES' object has no attribute 'name'
  • __name__ patch in getDylibLoadCommands
  File "/Users/karmaz/.local/bin/CrimsonUroboros", line 1176, in getDylibLoadCommands
    cmd_name = cmd.command.name
               ^^^^^^^^^^^^^^^^
AttributeError: 'lief._lief.MachO.LOAD_COMMAND_TYPES' object has no attribute 'name'
  • __name__ patch in getUnresolvedRunPathLoadCommandsPaths
  File "/Users/karmaz/.local/bin/CrimsonUroboros", line 1188, in getUnresolvedRunPathLoadCommandsPaths
    return [cmd.path for cmd in self.load_commands if cmd.command.name == 'RPATH']
                                                      ^^^^^^^^^^^^^^^^
AttributeError: 'lief._lief.MachO.LOAD_COMMAND_TYPES' object has no attribute 'name'
  • ... and other places where __name__ should be used instead of .name as from lief version 14.0
  • Minor bug patch in getSections, where a byte string was returned instead of a decoded UTF-8 string.
  • Added information about success in dumpPrelink_info and dumpPrelink_text
  • Patched getSectionRange bug with if section_name == section.fullname - lack of .decode() after changes in lief.
    def getSectionRange(self, segment_name, section_name):
        '''
            Return section start and end file offset. 
            If there is no such section return False, False.
        '''
        for section in self.binary.sections:
            if segment_name == section.segment_name:
                # fullname is returned as bytes by the current lief, so decode before comparing
                if section_name == section.fullname.decode():
                    # start/end offsets derived from the docstring (completion of the quoted fragment)
                    return section.offset, section.offset + section.size
        return False, False
  • Modified some tests.

  • Added some RE to Dyld according to DYLD VII.

  • Fixed the name in the arg parser for amfi_group.

  • Added X. NU directory for storing materials related to macOS kernel.

  • Added some presentations and decompiled code to the mac directory of Antivirus
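The MINOR items above document three separate breaks caused by the lief upgrade: `arm64_bin == None` raising TypeError, enum values losing `.name` in favour of `__name__`, and `section.fullname` coming back as bytes. The following is an added example (not CrimsonUroboros code) of small version-tolerant helpers that absorb all three so a Mach-O triage script keeps working across lief releases. It uses constructed stand-in objects instead of real lief types so it runs without lief installed; the helper names, the stand-in classes and the sample load commands are assumptions made for this example.

```python
"""Version-tolerant accessors for lief objects (added example, not CrimsonUroboros code).

Three breaks from the release notes:
  1. `binary == None` raises TypeError on newer lief (its __eq__ rejects NoneType),
  2. enum values such as `cmd.command` lost `.name`; `__name__` is used instead,
  3. `section.fullname` may be bytes in one lief version and str in another.
"""
from typing import Any


def is_absent(obj: Any) -> bool:
    """Identity check that never invokes a foreign __eq__ (fix for `arm64_bin == None`)."""
    return obj is None


def enum_name(value: Any) -> str:
    """Return the symbolic name of an enum-like value across lief versions.

    Older lief exposed `.name`; newer lief (per the notes) exposes `__name__`.
    Falls back to str() so an unexpected type never raises AttributeError.
    """
    for attr in ("__name__", "name"):
        name = getattr(value, attr, None)
        if isinstance(name, str):
            return name
    return str(value)


def as_text(value: Any, encoding: str = "utf-8") -> str:
    """Decode bytes to str and pass str through (fix for `section.fullname`)."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).decode(encoding, errors="replace")
    return str(value)


def rpath_commands(load_commands) -> list:
    """Collect RPATH paths from an iterable of load-command-like objects."""
    return [as_text(cmd.path) for cmd in load_commands
            if enum_name(cmd.command) == "RPATH"]


# --- constructed stand-ins (assumption: they mimic the two lief enum styles) ---
class OldEnum:               # pre-change style: value.name
    def __init__(self, name):
        self.name = name


class NewEnum:               # current style per the notes: value.__name__
    def __init__(self, name):
        self.__name__ = name


class StrictEq:              # mimics an __eq__ that rejects NoneType, like the TypeError above
    def __eq__(self, other):
        if not isinstance(other, StrictEq):
            raise TypeError("__eq__(): incompatible function arguments")
        return True


class Cmd:                   # minimal load-command stand-in with .command and .path
    def __init__(self, command, path):
        self.command, self.path = command, path


# Constructed sample: two RPATH entries in different enum styles, one non-RPATH command.
SAMPLE_CMDS = [
    Cmd(OldEnum("RPATH"), b"@executable_path/../Frameworks"),
    Cmd(NewEnum("RPATH"), "/usr/lib/swift"),
    Cmd(NewEnum("ID_DYLIB"), "/usr/lib/libexample.dylib"),
]

if __name__ == "__main__":
    print(enum_name(OldEnum("LOAD_DYLIB")), enum_name(NewEnum("LOAD_DYLIB")))
    print(is_absent(StrictEq()), is_absent(None))      # == None would raise here; `is` does not
    print(rpath_commands(SAMPLE_CMDS))
```

The `is` check avoids the strict `__eq__` entirely, `enum_name` tries `__name__` first so the newer attribute wins when both exist, and `as_text` makes the section-name comparison independent of whether lief hands back bytes or str.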