gdbinit/hydra gdbinit/hydra

  • Stars
    star
    104
  • Rank 330,604 (Top 7 %)
  • Language
    C
  • Created over 11 years ago
  • Updated about 11 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
gdbinit/hydra
github

gdbinit

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A kernel extension and userland daemon to patch applications 
                                                                       
 ____   ____  _____      _____      _____        _____          ____   
|    | |    ||\    \    /    /| ___|\    \   ___|\    \    ____|\   \  
|    | |    || \    \  /    / ||    |\    \ |    |\    \  /    /\    \ 
|    |_|    ||  \____\/    /  /|    | |    ||    | |    ||    |  |    |
|    .-.    | \ |    /    /  / |    | |    ||    |/____/ |    |__|    |
|    | |    |  \|___/    /  /  |    | |    ||    |\    \ |    .--.    |
|    | |    |      /    /  /   |    | |    ||    | |    ||    |  |    |
|____| |____|     /____/  /    |____|/____/||____| |____||____|  |____|
|    | |    |    |`    | /     |    /    | ||    | |    ||    |  |    |
|____| |____|    |_____|/      |____|____|/ |____| |____||____|  |____|
  \(     )/         )/           \(    )/     \(     )/    \(      )/  
   '     '          '             '    '       '     '      '      '   
Hydra

Copyright (c) fG!, 2012,2013 - [email protected] - http://reverse.put.as
All rights reserved.

Welcome,

Hydra is sample code of a kernel extension that will intercept process creation, suspend, and 
communicate it to a userland daemon that will be in charge of patching the application.

Its goal is to demonstrate a process hijacking technique from the kernel and also how to use
kernel control API. Technically all the patching could be done from the kernel extension.

It can be used to crack codesign applications without touching the disk image or resigning
the code. This is due to the fact that patching is done after code signature is verified.
The only exception is if there are any code checksum features, either using internal functions
or the ones from Apple code signing (not even sure if there's an API available for this).

The kernel extension should be feature complete but the userland daemon implements a very
basic example of adding a target and patching it. To be complete it needs an interface to
add targets at request, save a configuration file with targets and patching information.

The userland daemon requires task_for_pid() privileges. You will need to run it as root
or sign it to run with debugging privileges (as gdb does). Follow this lldb document
https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt to sign it.

The only supported target for now is Mountain Lion. It's rather easy to support all OS X
versions. In fact if the target is Lion and/or Mountain Lion, there's no need to read
the kernel image from disk to solve symbols. They are available in memory! This applies
if you want to make it work with Snow Leopard and below. Anyway, this code is also an 
example about how to read/write files from a kernel extension.

As usual, this is only sample code. Any usage you make out of it is your own responsibility.

Have fun,
fG!

More Repositories

1

MachOView

MachOView fork
C
2,495
star
2

Gdbinit

Gdbinit for OS X, iOS and others - x86, x86_64 and ARM
1,596
star
3

lldbinit

A gdbinit clone for LLDB
Python
325
star
4

firmware_vault

A repo for all Apple EFI firmware files
255
star
5

readmem

A small OS X/iOS userland util to dump processes memory
C
218
star
6

onyx-the-black-cat

Kernel extension to disable anti-debug tricks and other useful XNU "features"
C
209
star
7

rootfool

A small tool to dynamically disable and enable SIP in El Capitan
C
163
star
8

EFISwissKnife

An IDA plugin to improve (U)EFI reversing
C++
142
star
9

HexRaysDeob

Hex-Rays OLLVM Deobfuscator and MicroCode Explorer
C++
118
star
10

otool-ng

Some improvements to Apple's otool.
C
100
star
11

gopher

A OS X crypto ransomware PoC
C
90
star
12

mach_race

Exploit code for CVE-2016-1757
C
81
star
13

efi_dxe_emulator

EFI DXE Emulator and Interactive Debugger
C
79
star
14

pydbg64

PyDBG64 - OS X PyDbg with 64 bits support
C
68
star
15

osx_boubou

A PoC Mach-O infector via library injection
C
64
star
16

mpress_dumper

MPRESS dumper for OS X
Assembly
64
star
17

gimmedebugah

A small utility to inject a Info.plist into binaries.
C
57
star
18

gdb-ng

Apple's gdb fork with some fixes and enhancements
C
54
star
19

ExtractMachO

IDA plugin to extract Mach-O binaries located in the disassembly or data
C
54
star
20

Gatekeerper

A kernel extension to mitigate Gatekeeper bypasses
C
48
star
21

kextstat_aslr

Implementation of kexstat via /dev/kmem with kernel ASLR support
C
38
star
22

can_I_suid

A TrustedBSD module to control execution of binaries with suid bit set
C
37
star
23

crackme_nr1

fG!'s crackme #1 source code
C
36
star
24

bruteforcesysent

Small util to discover OS X sysent via bruteforce
C
33
star
25

tcplognke

Apple's tcplognke code sample
C
29
star
26

TELoader

A TE executable format loader for IDA
C
28
star
27

unicorn_string_deobfuscator

A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscation
C
27
star
28

mario

The kernel component of rootpipe fix for Mavericks
C
27
star
29

adium-ng-preview

Repo to dump some preview info and builds for adium-ng
27
star
30

MicrocodeExplorer

Hex-Rays MicrocodeExplorer
C++
26
star
31

readkmem

small utility to dump kernel memory
C
25
star
32

rex_versus_the_romans

Anti Hacking Team TrustedBSD module
C
25
star
33

readphysmem

A small utility to read and write to Macs physical memory using default AppleHWAccess.kext.
Objective-C
25
star
34

llvmpatches

Misc llvm patches
CMake
22
star
35

hello_santa_bye_santa

Bypass Google's Santa
C
21
star
36

fixobjc

IDA IDC script to improve Objective-C disassembly output
21
star
37

checkidt

Small util to dump the IDT table of a running OS X system with kmem enabled
C
20
star
38

armorysandbox

A USB armory based USB sandbox
Makefile
20
star
39

MachOPlugin

IDA plugin to Display Mach-O headers
C
19
star
40

icetheguardianv2

A TrustedBSD module PoC to monitor writes to Daemons and Agents folders
C
19
star
41

diagnostic_service

OS X rootkit loader version #1
C++
18
star
42

kgmacros

Fixed kgmacros to work with VMware kernel gdb stub
17
star
43

ExtractMacho2

IDA plugin to extract Mach-O binaries located in the disassembly or data
C++
17
star
44

syscall-benchmark

macOS syscall performance benchmark
Assembly
16
star
45

av-monster

PoC kext to disable OS X anti-virus software
C
15
star
46

luigi

The userland component of rootpipe fix for Mavericks
Objective-C
14
star
47

carbon_copy_cloner_keychaingen

A keygen for Carbon Copy Cloner private keychain
Objective-C
14
star
48

Crisis-Analysis-Tools

Scripts and other material related to OS.X/Crisis malware analysis
C
13
star
49

diagnostic_service2

OS X rootkit loader version #2
C++
12
star
50

calcspace

Small util to calculate available free space in mach-o binaries for code injection
C
12
star
51

idc-scripts

Random collection of IDA's IDC scripts
11
star
52

Disable-m3u

iTunes plugin to disable creation of m3u playlists
C
11
star
53

rexthewonderdog

A lazy PoC for implementing backdoors in OS X TrustedBSD Mac framework.
C
10
star
54

fuckyouilfak

A IDA Pro 9.0 Beta 2 macOS x86 Fix Loader
C
10
star
55

delambert

GreenLambert macOS IDA plugin to deobfuscate strings
C++
10
star
56

GiveMeHex

A quick IDA hack to get addresses with 0x prefix
C++
9
star
57

twitterwipe

A Go utillty to delete your Twitter history
Go
9
star
58

how_crap_is_ida

An IDA plugin to compare IDA detected functions output versus LC_FUNCTION_STARTS information
C++
9
star
59

evilquest_stats

Small utility to hash EvilQuest code and cstrings sections
Go
7
star
60

keygen_CrackMe_nr1_qwertyoruiop

Keygen for qwertyoruiop's CrackMe nr1
C
7
star
61

spiflash

Very fast reader for SPI flashes for Teensy 2.x.
C
7
star
62

bpf_dbg_output

Small tool to convert bpf binary bytecode to bpf_dbg format
C
7
star
63

evilquest_deobfuscator

EvilQuest/ThiefQuest malware strings decrypter/deobfuscator
Go
6
star
64

icetheguardian

A PoC to protect critical OS X files using TrustedBSD Mac framework.
C
5
star
65

SMBIOSKeygen

macserial and GenSMBIOS merged and ported to Go
Go
4
star
66

yage

An age fork with internal Yubikeys support
Go
2
star
67

snake_queue_parser

A decryptor for Snake/Turla configuration files
Objective-C
2
star
68

Mach-O-Lib

Library to access and manipulate Mach-O headers
1
star
69

macserial

macserial Go module
1
star