diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
index 75ef4f68797..3a60d6840b9 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
@@ -1,8 +1,8 @@
# macOS Kernel & System Extensions
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -58,87 +58,12 @@ The I/O Kit is an open-source, object-oriented **device-driver framework** in th
[macos-ipc-inter-process-communication](../macos-proces-abuse/macos-ipc-inter-process-communication/)
{% endcontent-ref %}
-### Kernelcache
-
-The **kernelcache** is a **pre-compiled and pre-linked version of the XNU kernel**, along with essential device **drivers** and **kernel extensions**. It's stored in a **compressed** format and gets decompressed into memory during the boot-up process. The kernelcache facilitates a **faster boot time** by having a ready-to-run version of the kernel and crucial drivers available, reducing the time and resources that would otherwise be spent on dynamically loading and linking these components at boot time.
-
-In iOS it's located in **`/System/Library/Caches/com.apple.kernelcaches/kernelcache`** in macOS you can find it with **`find / -name kernelcache 2>/dev/null`** or **`mdfind kernelcache | grep kernelcache`**
-
-It's possible to run **`kextstat`** to check the loaded kernel extensions.
-
-#### IMG4
-
-The IMG4 file format is a container format used by Apple in its iOS and macOS devices for securely **storing and verifying firmware** components (like **kernelcache**). The IMG4 format includes a header and several tags which encapsulate different pieces of data including the actual payload (like a kernel or bootloader), a signature, and a set of manifest properties. The format supports cryptographic verification, allowing the device to confirm the authenticity and integrity of the firmware component before executing it.
-
-It's usually composed of the following components:
-
-* **Payload (IM4P)**:
- * Often compressed (LZFSE4, LZSS, …)
- * Optionally encrypted
-* **Manifest (IM4M)**:
- * Contains Signature
- * Additional Key/Value dictionary
-* **Restore Info (IM4R)**:
- * Also known as APNonce
- * Prevents replaying of some updates
- * OPTIONAL: Usually this isn't found
-
-Decompress the Kernelcache:
-
-```bash
-# pyimg4 (https://github.com/m1stadev/PyIMG4)
-pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
-
-# img4tool (https://github.com/tihmstar/img4tool
-img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
-```
-
-#### Kernelcache Symbols
-
-Sometime Apple releases **kernelcache** with **symbols**. You can download some firmwares with symbols by following links on [https://theapplewiki.com](https://theapplewiki.com/).
-
-### IPSW
-
-These are Apple **firmwares** you can download from [**https://ipsw.me/**](https://ipsw.me/). Among other files it will contains the **kernelcache**.\
-To **extract** the files you can just **unzip** it.
-
-After extracting the firmware you will get a file like: **`kernelcache.release.iphone14`**. It's in **IMG4** format, you can extract the interesting info with:
-
-* [**pyimg4**](https://github.com/m1stadev/PyIMG4)
-
-{% code overflow="wrap" %}
-```bash
-pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
-```
-{% endcode %}
-
-* [**img4tool**](https://github.com/tihmstar/img4tool)
-
-```bash
-img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
-```
-
-You can check the extracted kernelcache for symbols with: **`nm -a kernelcache.release.iphone14.e | wc -l`**
-
-With this we can now **extract all the extensions** or the **one you are insterested in:**
-
-```bash
-# List all extensions
-kextex -l kernelcache.release.iphone14.e
-## Extract com.apple.security.sandbox
-kextex -e com.apple.security.sandbox kernelcache.release.iphone14.e
-
-# Extract all
-kextex_all kernelcache.release.iphone14.e
-
-# Check the extension for symbols
-nm -a binaries/com.apple.security.sandbox | wc -l
-```
-
## macOS Kernel Extensions
macOS is **super restrictive to load Kernel Extensions** (.kext) because of the high privileges that code will run with. Actually, by default is virtually impossible (unless a bypass is found).
+In the following page you can also see how to recover the `.kext` that macOS loads inside its **kernelcache**:
+
{% content-ref url="macos-kernel-extensions.md" %}
[macos-kernel-extensions.md](macos-kernel-extensions.md)
{% endcontent-ref %}
@@ -157,8 +82,8 @@ Instead of using Kernel Extensions macOS created the System Extensions, which of
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
index 9225e451d60..1eff52bd2b0 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -1,8 +1,8 @@
# macOS Kernel Extensions
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -47,14 +47,123 @@ In Catalina it was like this: It is interesting to note that the **verification*
If **`kextd`** is not available, **`kextutil`** can perform the same checks.
+### Enumeration (loaded kexts)
+
+```bash
+# Get loaded kernel extensions
+kextstat
+
+# Get dependencies of the kext number 22
+kextstat | grep " 22 " | cut -c2-5,50- | cut -d '(' -f1
+```
+
+## Kernelcache
+
+{% hint style="danger" %}
+Even though the kernel extensions are expected to be in `/System/Library/Extensions/`, if you go to this folder you **won't find any binary**. This is because of the **kernelcache** and in order to reverse one `.kext` you need to find a way to obtain it.
+{% endhint %}
+
+The **kernelcache** is a **pre-compiled and pre-linked version of the XNU kernel**, along with essential device **drivers** and **kernel extensions**. It's stored in a **compressed** format and gets decompressed into memory during the boot-up process. The kernelcache facilitates a **faster boot time** by having a ready-to-run version of the kernel and crucial drivers available, reducing the time and resources that would otherwise be spent on dynamically loading and linking these components at boot time.
+
+### Local Kerlnelcache
+
+In iOS it's located in **`/System/Library/Caches/com.apple.kernelcaches/kernelcache`** in macOS you can find it with: **`find / -name "kernelcache" 2>/dev/null`** \
+In my case in macOS I found it in:
+
+* `/System/Volumes/Preboot/1BAEB4B5-180B-4C46-BD53-51152B7D92DA/boot/DAD35E7BC0CDA79634C20BD1BD80678DFB510B2AAD3D25C1228BB34BCD0A711529D3D571C93E29E1D0C1264750FA043F/System/Library/Caches/com.apple.kernelcaches/kernelcache`
+
+#### IMG4
+
+The IMG4 file format is a container format used by Apple in its iOS and macOS devices for securely **storing and verifying firmware** components (like **kernelcache**). The IMG4 format includes a header and several tags which encapsulate different pieces of data including the actual payload (like a kernel or bootloader), a signature, and a set of manifest properties. The format supports cryptographic verification, allowing the device to confirm the authenticity and integrity of the firmware component before executing it.
+
+It's usually composed of the following components:
+
+* **Payload (IM4P)**:
+ * Often compressed (LZFSE4, LZSS, …)
+ * Optionally encrypted
+* **Manifest (IM4M)**:
+ * Contains Signature
+ * Additional Key/Value dictionary
+* **Restore Info (IM4R)**:
+ * Also known as APNonce
+ * Prevents replaying of some updates
+ * OPTIONAL: Usually this isn't found
+
+Decompress the Kernelcache:
+
+```bash
+# img4tool (https://github.com/tihmstar/img4tool
+img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
+
+# pyimg4 (https://github.com/m1stadev/PyIMG4)
+pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
+```
+
+### Download
+
+* [**KernelDebugKit Github**](https://github.com/dortania/KdkSupportPkg/releases)
+
+In [https://github.com/dortania/KdkSupportPkg/releases](https://github.com/dortania/KdkSupportPkg/releases) it's possible to find all the kernel debug kits. You can download it, mount it, open it with [Suspicious Package](https://www.mothersruin.com/software/SuspiciousPackage/get.html) tool, access the **`.kext`** folder and **extract it**.
+
+Check it for symbols with:
+
+```bash
+nm -a ~/Downloads/Sandbox.kext/Contents/MacOS/Sandbox | wc -l
+```
+
+* [**theapplewiki.com**](https://theapplewiki.com/wiki/Firmware/Mac/14.x)**,** [**ipsw.me**](https://ipsw.me/)**,** [**theiphonewiki.com**](https://www.theiphonewiki.com/)
+
+Sometime Apple releases **kernelcache** with **symbols**. You can download some firmwares with symbols by following links on those pages. The firmwares will contain the **kernelcache** among other files.
+
+To **extract** the files start by changing the extension from `.ipsw` to `.zip` and **unzip** it.
+
+After extracting the firmware you will get a file like: **`kernelcache.release.iphone14`**. It's in **IMG4** format, you can extract the interesting info with:
+
+[**pyimg4**](https://github.com/m1stadev/PyIMG4)**:**
+
+{% code overflow="wrap" %}
+```bash
+pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
+```
+{% endcode %}
+
+[**img4tool**](https://github.com/tihmstar/img4tool)**:**
+
+```bash
+img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
+```
+
+### Inspecting kernelcache
+
+Check if the kernelcache has symbols with
+
+```bash
+nm -a kernelcache.release.iphone14.e | wc -l
+```
+
+With this we can now **extract all the extensions** or the **one you are interested in:**
+
+```bash
+# List all extensions
+kextex -l kernelcache.release.iphone14.e
+## Extract com.apple.security.sandbox
+kextex -e com.apple.security.sandbox kernelcache.release.iphone14.e
+
+# Extract all
+kextex_all kernelcache.release.iphone14.e
+
+# Check the extension for symbols
+nm -a binaries/com.apple.security.sandbox | wc -l
+```
+
## Referencias
* [https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/](https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/)
* [https://www.youtube.com/watch?v=hGKOskSiaQo](https://www.youtube.com/watch?v=hGKOskSiaQo)
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
index 2dce5bf9ed0..5675918b4e6 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
@@ -1,8 +1,8 @@
# Introduction to ARM64v8
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -352,6 +352,8 @@ dyldex -e libsystem_kernel.dylib /System/Library/Caches/com.apple.dyld/dyld_shar
```
{% endcode %}
+Note that **Ida** and **Ghidra** can also decompile **specific dylibs** from the cache just by passing the cache.
+
{% hint style="success" %}
Sometimes it's easier to check the **decompiled** code from **`libsystem_kernel.dylib`** **than** checking the **source code** because the code of several syscalls (BSD and Mach) are generated via scripts (check comments in the source code) while in the dylib you can find what is being called.
{% endhint %}
@@ -808,8 +810,8 @@ call_execve:
```
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
index a4a6096929f..ec5fbeb3c91 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
@@ -1,8 +1,8 @@
# macOS Security Protections
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -27,6 +27,10 @@ More information in:
## Processes Limitants
+### MACF
+
+
+
### SIP - System Integrity Protection
{% content-ref url="macos-sip.md" %}
@@ -152,9 +156,10 @@ References and **more information about BTM**:
* [https://youtu.be/9hjUmT031tc?t=26481](https://youtu.be/9hjUmT031tc?t=26481)
* [https://www.patreon.com/posts/new-developer-77420730?l=fr](https://www.patreon.com/posts/new-developer-77420730?l=fr)
* [https://support.apple.com/en-gb/guide/deployment/depdca572563/web](https://support.apple.com/en-gb/guide/deployment/depdca572563/web)
+
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -166,4 +171,3 @@ Learn & practice GCP Hacking:
{% endhint %}
-
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
index ff26bb43677..c6e890974eb 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
@@ -401,7 +401,7 @@ Note that in iOS the kernel extension contains **hardcoded all the profiles** in
**`Sandbox.kext`** uses more than a hundred of hooks via MACF. Most of the hooks will just check some trivial cases that allows to perform the action if it not, they will call **`cred_sb_evalutate`** with the **credentials** from MACF and a number corresponding to the **operation** to perform and a **buffer** for the output.
-A good example of that is the function **`_mpo_file_check_mmap`** which hooked **`mmap`** and which will start checking if the new memory is going to be writable (and if not allow the execution), then it'll check if its used for the dyld shared cache and if so allow the execution, and finally it'll call **`cred_sb_evalutate`** to perform further allowance checks.
+A good example of that is the function **`_mpo_file_check_mmap`** which hooked **`mmap`** and which will start checking if the new memory is going to be writable (and if not allow the execution), then it'll check if its used for the dyld shared cache and if so allow the execution, and finally it'll call **`sb_evaluate_internal`** (or one of its wrappers) to perform further allowance checks.
Moreover, out of the hundred(s) hooks Sandbox uses, there are 3 in particular that are very interesting:
@@ -409,7 +409,7 @@ Moreover, out of the hundred(s) hooks Sandbox uses, there are 3 in particular th
* `mpo_vnode_check_exec`: Called when a process loads the associated binary, then a profile check is perfomed and also a check forbidding SUID/SGID executions.
* `mpo_cred_label_update_execve`: This is called when the label is assigned. This is the longest one as it's called when the binary is fully loaded but it hasn't been executed yet. It'll perform actions such as creating the sandbox object, attach sandbox struct to the kauth credentials, remove access to mach ports...
-Note that **`cred_sb_evalutate`** is a wrapper over **`sb_evaluate`** and this function gets the credentials passed and then performs the evaluation using the **`eval`** function which usually evaluates the **platform profile** which is by default applied to all processes and then the **specific process profile**. Note that the platform profile is one of the main components of **SIP** in macOS.
+Note that **`_cred_sb_evalutate`** is a wrapper over **`sb_evaluate_internal`** and this function gets the credentials passed and then performs the evaluation using the **`eval`** function which usually evaluates the **platform profile** which is by default applied to all processes and then the **specific process profile**. Note that the platform profile is one of the main components of **SIP** in macOS.
## Sandboxd