-
Stars104
-
Rank 320,189 (Top 7 %)
-
LanguageC
-
Created about 11 years ago
-
Updated over 10 years ago
Reviews
There are no reviews yet. Be the first to send feedback to the community and the maintainers!
Repository Details
A kernel extension and userland daemon to patch applications
____ ____ _____ _____ _____ _____ ____ | | | ||\ \ / /| ___|\ \ ___|\ \ ____|\ \ | | | || \ \ / / || |\ \ | |\ \ / /\ \ | |_| || \____\/ / /| | | || | | || | | | | .-. | \ | / / / | | | || |/____/ | |__| | | | | | \|___/ / / | | | || |\ \ | .--. | | | | | / / / | | | || | | || | | | |____| |____| /____/ / |____|/____/||____| |____||____| |____| | | | | |` | / | / | || | | || | | | |____| |____| |_____|/ |____|____|/ |____| |____||____| |____| \( )/ )/ \( )/ \( )/ \( )/ ' ' ' ' ' ' ' ' ' Hydra Copyright (c) fG!, 2012,2013 - [email protected] - http://reverse.put.as All rights reserved. Welcome, Hydra is sample code of a kernel extension that will intercept process creation, suspend, and communicate it to a userland daemon that will be in charge of patching the application. Its goal is to demonstrate a process hijacking technique from the kernel and also how to use kernel control API. Technically all the patching could be done from the kernel extension. It can be used to crack codesign applications without touching the disk image or resigning the code. This is due to the fact that patching is done after code signature is verified. The only exception is if there are any code checksum features, either using internal functions or the ones from Apple code signing (not even sure if there's an API available for this). The kernel extension should be feature complete but the userland daemon implements a very basic example of adding a target and patching it. To be complete it needs an interface to add targets at request, save a configuration file with targets and patching information. The userland daemon requires task_for_pid() privileges. You will need to run it as root or sign it to run with debugging privileges (as gdb does). Follow this lldb document https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt to sign it. The only supported target for now is Mountain Lion. It's rather easy to support all OS X versions. In fact if the target is Lion and/or Mountain Lion, there's no need to read the kernel image from disk to solve symbols. They are available in memory! This applies if you want to make it work with Snow Leopard and below. Anyway, this code is also an example about how to read/write files from a kernel extension. As usual, this is only sample code. Any usage you make out of it is your own responsibility. Have fun, fG!
More Repositories
1
MachOView
MachOView forkC
2,495
2
Gdbinit
Gdbinit for OS X, iOS and others - x86, x86_64 and ARM
1,596
3
lldbinit
A gdbinit clone for LLDBPython
325
4
firmware_vault
A repo for all Apple EFI firmware files
255
5
readmem
A small OS X/iOS userland util to dump processes memoryC
218
6
onyx-the-black-cat
Kernel extension to disable anti-debug tricks and other useful XNU "features"C
209
7
rootfool
A small tool to dynamically disable and enable SIP in El CapitanC
163
8
EFISwissKnife
An IDA plugin to improve (U)EFI reversingC++
142
9
HexRaysDeob
Hex-Rays OLLVM Deobfuscator and MicroCode ExplorerC++
118
10
otool-ng
Some improvements to Apple's otool.C
100
11
gopher
A OS X crypto ransomware PoCC
90
12
mach_race
Exploit code for CVE-2016-1757C
81
13
efi_dxe_emulator
EFI DXE Emulator and Interactive DebuggerC
79
14
pydbg64
PyDBG64 - OS X PyDbg with 64 bits supportC
68
15
osx_boubou
A PoC Mach-O infector via library injectionC
64
16
mpress_dumper
MPRESS dumper for OS XAssembly
64
17
gimmedebugah
A small utility to inject a Info.plist into binaries.C
57
18
gdb-ng
Apple's gdb fork with some fixes and enhancementsC
54
19
ExtractMachO
IDA plugin to extract Mach-O binaries located in the disassembly or dataC
54
20
Gatekeerper
A kernel extension to mitigate Gatekeeper bypassesC
48
21
kextstat_aslr
Implementation of kexstat via /dev/kmem with kernel ASLR supportC
38
22
can_I_suid
A TrustedBSD module to control execution of binaries with suid bit setC
37
23
crackme_nr1
fG!'s crackme #1 source codeC
36
24
bruteforcesysent
Small util to discover OS X sysent via bruteforceC
33
25
tcplognke
Apple's tcplognke code sampleC
29
26
TELoader
A TE executable format loader for IDAC
28
27
unicorn_string_deobfuscator
A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscationC
27
28
mario
The kernel component of rootpipe fix for MavericksC
27
29
adium-ng-preview
Repo to dump some preview info and builds for adium-ng
27
30
MicrocodeExplorer
Hex-Rays MicrocodeExplorerC++
26
31
readkmem
small utility to dump kernel memoryC
25
32
rex_versus_the_romans
Anti Hacking Team TrustedBSD moduleC
25
33
readphysmem
A small utility to read and write to Macs physical memory using default AppleHWAccess.kext.Objective-C
25
34
llvmpatches
Misc llvm patches
CMake
22
35
hello_santa_bye_santa
Bypass Google's SantaC
21
36
fixobjc
IDA IDC script to improve Objective-C disassembly output
21
37
checkidt
Small util to dump the IDT table of a running OS X system with kmem enabledC
20
38
armorysandbox
A USB armory based USB sandbox
Makefile
20
39
MachOPlugin
IDA plugin to Display Mach-O headersC
19
40
icetheguardianv2
A TrustedBSD module PoC to monitor writes to Daemons and Agents foldersC
19
41
diagnostic_service
OS X rootkit loader version #1C++
18
42
kgmacros
Fixed kgmacros to work with VMware kernel gdb stub
17
43
ExtractMacho2
IDA plugin to extract Mach-O binaries located in the disassembly or dataC++
17
44
syscall-benchmark
macOS syscall performance benchmarkAssembly
16
45
av-monster
PoC kext to disable OS X anti-virus softwareC
15
46
luigi
The userland component of rootpipe fix for MavericksObjective-C
14
47
carbon_copy_cloner_keychaingen
A keygen for Carbon Copy Cloner private keychainObjective-C
14
48
Crisis-Analysis-Tools
Scripts and other material related to OS.X/Crisis malware analysisC
13
49
diagnostic_service2
OS X rootkit loader version #2C++
12
50
calcspace
Small util to calculate available free space in mach-o binaries for code injectionC
12
51
idc-scripts
Random collection of IDA's IDC scripts
11
52
Disable-m3u
iTunes plugin to disable creation of m3u playlistsC
11
53
rexthewonderdog
A lazy PoC for implementing backdoors in OS X TrustedBSD Mac framework.C
10
54
delambert
GreenLambert macOS IDA plugin to deobfuscate stringsC++
10
55
GiveMeHex
A quick IDA hack to get addresses with 0x prefixC++
9
56
twitterwipe
A Go utillty to delete your Twitter historyGo
9
57
how_crap_is_ida
An IDA plugin to compare IDA detected functions output versus LC_FUNCTION_STARTS informationC++
9
58
spiflash
Very fast reader for SPI flashes for Teensy 2.x.C
7
59
keygen_CrackMe_nr1_qwertyoruiop
Keygen for qwertyoruiop's CrackMe nr1C
7
60
evilquest_stats
Small utility to hash EvilQuest code and cstrings sectionsGo
7
61
bpf_dbg_output
Small tool to convert bpf binary bytecode to bpf_dbg formatC
7
62
evilquest_deobfuscator
EvilQuest/ThiefQuest malware strings decrypter/deobfuscatorGo
6
63
icetheguardian
A PoC to protect critical OS X files using TrustedBSD Mac framework.C
5
64
SMBIOSKeygen
macserial and GenSMBIOS merged and ported to GoGo
4
65
yage
An age fork with internal Yubikeys supportGo
2
66
snake_queue_parser
A decryptor for Snake/Turla configuration filesObjective-C
2
67
Mach-O-Lib
Library to access and manipulate Mach-O headers
1
68
macserial
macserial Go module
1