  1. //
  2. // pspaw_payload.m
  3. // pspaw_payload
  4. //
  5. // Created by Tanay Findley on 5/14/19.
  6. // Copyright © 2019 Slice Team. All rights reserved.
  7. //
  8.  
  9. #include <stdio.h>
  10. #include <spawn.h>
  11. #include <unistd.h>
  12. #include <stdbool.h>
  13. #include "substitute.h"
  14. #include <dlfcn.h>
  15. #include <dispatch/dispatch.h>
  16. #include <mach/mach.h>
  17. #include <sys/param.h>
  18. #include <mach-o/dyld.h>
  19. #include "callJBD.h"
  20. #include "libproc.h"
  21. #include "codesign.h"
  22. #include <mach-o/dyld_images.h>
  23. #include <sys/errno.h>
  24.  
/* Declared but never used in this listing: nothing is ever dispatched onto it. */
dispatch_queue_t queue;


/* Function-pointer type matching posix_spawn()/posix_spawnp(); used to keep the
 * original implementation that substitute hands back when the hook is installed. */
typedef int (*pspawn_t)(pid_t *pid,
                        const char *path,
                        const posix_spawn_file_actions_t *file_actions,
                        posix_spawnattr_t *attrp,
                        const char *argv[],
                        const char *envp[]);


/* old_pspawn is written by substitute_hook_functions() in hookMe (hook[3].old_ptr)
 * and called from fake_posix_spawn. old_pspawnp is never assigned or called here. */
pspawn_t old_pspawn, old_pspawnp;

/* Log sink for logToFile(); opened lazily on first use and never closed. */
FILE *file2LogTo;
  39.  
/* Not referenced anywhere in this listing. */
#define MAX_INJECT 1
/* Append one line to /var/log/pspawn.log, opening the file on first use.
 * While file2LogTo is still NULL the message is also written to stderr; if the
 * fopen() fails the message is dropped (break) and the open is retried on the
 * next call. `##args` is the GNU extension that tolerates an empty variadic
 * list, so this is not portable to strict C11 preprocessors. */
#define logToFile(fmt, args...)\
do {\
if (file2LogTo == NULL) {\
fprintf(stderr, fmt "\n", ##args); \
file2LogTo = fopen("/var/log/pspawn.log", "a"); \
if (file2LogTo == NULL) break; \
} \
fprintf(file2LogTo, fmt "\n", ##args); \
fflush(file2LogTo); \
} while(0)
  51.  
  52.  
  53.  
  54. //HEADERS
/* Hand-written prototypes for private Darwin interfaces that the public SDK
 * headers do not declare: sandbox_check() and the csops()/csops_audittoken()
 * code-signing status calls used below (hookMe, fake_csops*). The weak import
 * of SANDBOX_CHECK_NO_REPORT lets the image load even where that symbol is
 * absent; its use in hookMe does not check for that case. */
enum sandbox_filter_type {
    SANDBOX_FILTER_NONE,
    SANDBOX_FILTER_PATH,
    SANDBOX_FILTER_GLOBAL_NAME,
    SANDBOX_FILTER_LOCAL_NAME,
    SANDBOX_FILTER_APPLEEVENT_DESTINATION,
    SANDBOX_FILTER_RIGHT_NAME,
};
extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT __attribute__((weak_import));
int sandbox_check(pid_t pid, const char *operation, enum sandbox_filter_type type, ...);
int csops(pid_t pid, unsigned int ops, void* useraddr, size_t usersize);
int csops_audittoken(pid_t pid, unsigned int ops, void* useraddr, size_t usersize, audit_token_t* token);
  67.  
  68.  
  69.  
  70.  
  71.  
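/*
 * Process names that must NOT receive the payload. Matching in is_blacklisted()
 * is by substring, so an entry such as "logd" also covers any executable whose
 * name merely contains it ("syslogd", for example). The trailing NULL ends the
 * table. Neither the table nor is_blacklisted() is referenced elsewhere in this
 * listing; presumably the (stubbed) posix_spawn path is meant to consult it.
 */
const char* xpcproxy_blacklist[] = {
    "lskdmsed", // Netflix!
    "trustd", // Crash!
    "seputil", // Crash!
    "TVRemoteConnectionService", // Crash!
    "debugserver", // Xcode debugging
    "com.apple.diagnosticd", // syslog
    "MTLCompilerService", // ?_?
    "OTAPKIAssetTool", // h_h
    "cfprefsd", // o_o
    "jailbreakd", // don't inject into jbd since we'd have to call to it
    "jelbrekd", // don't inject into jbd since we'd have to call to it
    "notifyd", // owo
    "logd", // keep it
    "diagnosticd", // idk
    "securityd",
    NULL
};

/**
 * Return true when `proc` contains any entry of xpcproxy_blacklist as a
 * substring, false otherwise.
 *
 * A NULL `proc` now yields false instead of being handed to strstr(), which
 * would be undefined behavior. The empty string matches nothing.
 */
bool is_blacklisted(const char *proc) {
    if (proc == NULL) {
        return false;
    }
    for (const char **entry = xpcproxy_blacklist; *entry != NULL; entry++) {
        if (strstr(proc, *entry) != NULL) {
            return true;
        }
    }
    return false;
}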
  104.  
/* Strings intended for the dyld-insertion step of the posix_spawn hook.
 * None of these five macros is referenced anywhere else in this listing, since
 * fake_posix_spawn_common is a stub. */
#define DYLD_INSERT "DYLD_INSERT_LIBRARIES="
#define PSPAWN_HOOK_DYLIB "/usr/lib/pspawn_payload.dylib"
#define TWEAKLOADER_DYLIB "/usr/lib/TweakInject.dylib" //fml rn
#define AMFID_PAYLOAD_DYLIB "/usr/lib/amfid_payload.dylib" //fml rn
#define DISABLE_LOADER_FILE "/var/tmp/.pspawn_disable"
  110.  
  111.  
  112.  
//0 = launchd
//1 = xpc
//2 = other
/*
 * Shared body for the posix_spawn hook (fake_posix_spawn forwards here with
 * old_pspawn as `old`).
 *
 * NOTE(review): this is a stub. It returns 0 — success — without ever calling
 * `old`, so the original posix_spawn is not invoked, nothing is spawned and
 * *pid is never written; every parameter is unused. The three comments above
 * describe a launchd/xpc/other classification that no code here computes.
 */
int fake_posix_spawn_common(pid_t *pid, const char *path, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, const char *argv[], const char *envp[], pspawn_t old)
{

    return 0;
}
  121.  
/* Replacement installed over posix_spawn() (hookMe, hook[3]). Forwards every
 * argument to the shared hook body and hands it the saved original so that
 * the body can (in principle) complete the real spawn. */
int fake_posix_spawn(pid_t *pid,
                     const char *file,
                     const posix_spawn_file_actions_t *file_actions,
                     posix_spawnattr_t *attrp,
                     const char *argv[],
                     const char *envp[]) {
    pspawn_t original = old_pspawn;
    return fake_posix_spawn_common(pid, file, file_actions, attrp, argv, envp, original);
}
  130.  
  131.  
  132. //CSOPS
/* Original csops(), stored by substitute when hookMe installs the hook. */
int (*old_csops)(pid_t pid, unsigned int ops, unsigned int *useraddr, size_t usersize);
/* Replacement for csops(). The original is always called and its return
 * value passed through; only for CS_OPS_STATUS with a non-NULL buffer is the
 * status word the caller receives rewritten: bit 0x10000000 is cleared and
 * bit 0 (CS_VALID) is forced on. A caller inspecting the status therefore
 * sees a "valid" process regardless of what the kernel actually reported. */
int fake_csops(pid_t pid, unsigned int ops, unsigned int *useraddr, size_t usersize) {
    const int rc = old_csops(pid, ops, useraddr, usersize);
    const bool patch_status = (ops == CS_OPS_STATUS) && (useraddr != NULL);
    if (patch_status) {
        unsigned int status = *useraddr;
        status &= 0xefffffffu;
        status |= 1u;
        *useraddr = status;
    }
    return rc;
}
  145.  
/* Original csops_audittoken(), stored by substitute when hookMe installs the hook. */
int (*old_csops_audittoken)(pid_t pid, unsigned int ops, unsigned int* useraddr, size_t usersize, audit_token_t* token);
/* Replacement for csops_audittoken(); same rewrite as fake_csops: for
 * CS_OPS_STATUS with a non-NULL buffer, clear bit 0x10000000 and set bit 0
 * (CS_VALID) in the status returned to the caller. The original's return
 * value is passed through untouched. */
int fake_csops_audittoken(pid_t pid, unsigned int ops, unsigned int* useraddr, size_t usersize, audit_token_t* token) {
    int rc = old_csops_audittoken(pid, ops, useraddr, usersize, token);
    if (ops != CS_OPS_STATUS || useraddr == NULL) {
        return rc;
    }
    *useraddr = (*useraddr & 0xefffffff) | 1;
    return rc;
}
  158.  
  159. //FCNTL
/* Original of dyld's private _fcntl, stored by substitute when hookMe installs the hook. */
int (*old_fcntl)(int fd, int b);
/* Replacement for dyld's private _fcntl. Note the two-argument shape: fcntl's
 * optional third argument is neither received nor forwarded. Two commands are
 * answered without reaching the original — F_ADDFILESIGS_RETURN as failure
 * (-1) and F_CHECK_LV as success (0); everything else goes to old_fcntl. */
int fake_fcntl(int fd, int b) {
    switch (b) {
    case F_ADDFILESIGS_RETURN:
        return -1;
    case F_CHECK_LV:
        return 0;
    default:
        return old_fcntl(fd, b);
    }
}
  166.  
/* Original of libSystem's public fcntl, stored by substitute when hookMe installs the hook. */
int (*old_fcntl2)(int fd, int b);
/* Replacement for the public fcntl (installed only on the dyld3 path in
 * hookMe). Only F_CHECK_LV is intercepted: errno is reset and 0 (success) is
 * returned. Every other command is passed to old_fcntl2, again without any
 * third argument. */
int fake_fcntl2(int fd, int b) {
    if (b != F_CHECK_LV) {
        return old_fcntl2(fd, b);
    }
    errno = 0;
    return 0;
}
  175.  
  176. //EXECVE
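/* Original execve(), stored by substitute when hookMe installs the hook; it is
 * captured but never called from here. */
int (*old_execve)(const char *__file, char *const *__argv, char *const *__envp);
/*
 * Replacement for execve(): performs the exec through posix_spawn() with
 * POSIX_SPAWN_SETEXEC, so the exec goes through the (hooked) posix_spawn path.
 *
 * On success the calling image is replaced and this function never returns.
 * On failure it returns -1 with errno set to the error code, like execve(2).
 *
 * Changes from the original: posix_spawnattr_init() failure is reported
 * instead of ignored; posix_spawnattr_setflags() failure no longer falls
 * through to a posix_spawn() without SETEXEC (which would have started a
 * child and returned -1 to a caller that expected an exec); and the
 * attribute object is destroyed on the failure path instead of leaking.
 * Parameter names keep the original's leading double underscores for
 * interface compatibility, although such identifiers are reserved in C.
 */
int fake_execve(const char *__file, char *const *__argv, char *const *__envp) {
    posix_spawnattr_t attr;
    int ret = posix_spawnattr_init(&attr);
    if (ret != 0) {
        errno = ret;
        return -1;
    }
    ret = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETEXEC);
    if (ret == 0) {
        /* With POSIX_SPAWN_SETEXEC a successful call replaces this process
         * and does not return; reaching the next line means it failed. */
        ret = posix_spawn(NULL, __file, NULL, &attr, __argv, __envp);
    }
    posix_spawnattr_destroy(&attr);
    if (ret != 0) {
        errno = ret;
    }
    return -1;
}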
  189.  
  190. //SIG CHECK
/* dyld3 closure Image::path() accessor, resolved in hookMe from libdyld; it is
 * assigned without a NULL check there and called unconditionally below. */
const char *(*ImagePath)(void);
/* Original dyld3 Image::hasCodeSignature, stored by substitute when hookMe installs the hook. */
uint64_t (*old_hasCodeSignature)(uint64_t a, uint64_t b, uint64_t c);
/* Replacement for dyld3 closure::Image::hasCodeSignature(). The real check
 * runs only for four named libraries and for any path under /System; every
 * other image gets 0 back (presumably "no code signature", going by the
 * method name). ImagePath()'s result is passed straight to strcmp/strncmp,
 * so a NULL path would be undefined behavior — nothing here guards it. */
uint64_t fake_hasCodeSignature(uint64_t a, uint64_t b, uint64_t c) {
    static const char *const exact_paths[] = {
        "/usr/lib/libobjc-trampolines.dylib",
        "/usr/lib/libpmsample.dylib",
        "/usr/lib/libstdc++.6.0.9.dylib",
        "/usr/lib/libSystem.B_asan.dylib",
    };
    const char *path = ImagePath();
    bool keep_original = strncmp(path, "/System", 7) == 0;
    for (size_t i = 0; !keep_original && i < sizeof exact_paths / sizeof exact_paths[0]; i++) {
        keep_original = strcmp(path, exact_paths[i]) == 0;
    }
    if (!keep_original) {
        return 0;
    }
    return old_hasCodeSignature(a, b, c);
}
  200.  
/* Original dyld3 Image::hasCdHash, stored by substitute when hookMe installs the hook. */
uint64_t (*old_hasCdHash)(uint64_t a, uint64_t b);
/* Replacement for dyld3 closure::Image::hasCdHash(). Same allow-list as
 * fake_hasCodeSignature: the original runs for the four named libraries and
 * anything under /System, all other images get 0. Relies on ImagePath()
 * returning a non-NULL string. */
uint64_t fake_hasCdHash(uint64_t a, uint64_t b) {
    const char *path = ImagePath();
    const bool trusted =
        strncmp(path, "/System", 7) == 0 ||
        strcmp(path, "/usr/lib/libobjc-trampolines.dylib") == 0 ||
        strcmp(path, "/usr/lib/libpmsample.dylib") == 0 ||
        strcmp(path, "/usr/lib/libstdc++.6.0.9.dylib") == 0 ||
        strcmp(path, "/usr/lib/libSystem.B_asan.dylib") == 0;
    return trusted ? old_hasCdHash(a, b) : 0;
}
  209.  
  210. //HOOK
  211.  
  212.  
  213.  
  214.  
/*
 * Installs the in-process hooks. Called once from the constructor below.
 *
 * Sequence (all hooking goes through libsubstitute, loaded with dlopen):
 *   1. Find dyld's load address via task_info(TASK_DYLD_INFO) and resolve
 *      dyld's private "_fcntl" into sym_addr.
 *   2. Choose a hook set from sandbox_check("process-fork") and the errno
 *      value current at that point:
 *        - check non-zero and errno == EPERM : fcntl only
 *        - check non-zero, other errno        : csops, csops_audittoken, fcntl
 *        - check zero                         : those three plus posix_spawn,
 *                                               execve, and vfork (replaced
 *                                               outright by fork, no original
 *                                               kept)
 *   3. If libdyld resolves _gUseDyld3, additionally hook the public fcntl and
 *      dyld3's Image::hasCodeSignature / Image::hasCdHash, and capture
 *      Image::path for the replacements to call.
 *
 * Review notes, each grounded in the lines below:
 *   - task_info(): return value unchecked; `cnt` is a size_t but is written
 *     through a mach_msg_type_number_t* (object and pointee sizes differ).
 *   - csops(1, CS_OPS_STATUS, &flags, 0): neither the result nor `flags` is
 *     used afterwards.
 *   - `int error = errno` is read well after the calls that may have set it,
 *     so the EPERM branch depends on whichever call failed last.
 *   - `struct substitute_function_hook hook[0]` declares a zero-length array
 *     and hook[0] is then written: an out-of-bounds store.
 *   - A NULL result from dlsym("substitute_find_private_syms") is logged but
 *     execution continues and the NULL pointer is called on the dyld3 path.
 *   - sym_addrs[] is never initialized and the lookup's return value is
 *     ignored; ImagePath is assigned from sym_addrs[3] without a NULL check.
 *   - `handle` is never dlclose()d; that is required, since the hooks must
 *     outlive this function.
 */
void hookMe(void)
{

    task_dyld_info_data_t output;
    size_t cnt = 5;   /* NOTE(review): should be a mach_msg_type_number_t (TASK_DYLD_INFO_COUNT) */

    task_info(mach_task_self(), TASK_DYLD_INFO, (void *)&output, (mach_msg_type_number_t *)&cnt);
    struct dyld_all_image_infos *all_image_info = (struct dyld_all_image_infos *)output.all_image_info_addr;
    const struct mach_header *dyld_load_addr = all_image_info->dyldImageLoadAddress;

    /* Hand-built image descriptor pointing at dyld itself, so the symbol
     * lookup below searches dyld's private symbols (field meanings assumed
     * from substitute.h — confirm). */
    struct substitute_image image;
    image.slide = -1;
    image.dlhandle = 0;
    image.image_header = dyld_load_addr;

    /* This call uses the substitute_find_private_syms declared in substitute.h;
     * the local of the same name further down shadows it. sym_addr stays NULL
     * if the lookup fails, and nothing checks for that. */
    const char *symbol = "_fcntl";
    void *sym_addr = NULL;
    substitute_find_private_syms(&image, &symbol, &sym_addr, 1);

    uint32_t flags;
    csops(1, CS_OPS_STATUS, &flags, 0);   /* result and flags unused */



//SUBSTITUTE DYLIB
    void *handle = dlopen("/usr/lib/libsubstitute.dylib", RTLD_NOW);
    if (!handle) {
        logToFile("[PSPAWN_ERROR] %s", dlerror());
        return;
    }
    int (*substitute_hook_functions)(const struct substitute_function_hook *hooks, size_t nhooks, struct substitute_function_hook_record **recordp, int options) = dlsym(handle, "substitute_hook_functions");
    if (!substitute_hook_functions) {
        logToFile("[PSPAWN_ERROR] %s", dlerror());
        return;
    }

    /* Shadows the header declaration used above. Unlike the two failures
     * before it, a NULL here only logs and does not return. */
    int (*substitute_find_private_syms)(struct substitute_image *handle, const char **__restrict names, void **__restrict syms, size_t nsyms) = dlsym(handle, "substitute_find_private_syms");
    if (!substitute_find_private_syms) {
        logToFile("[PSPAWN_ERROR] %s", dlerror());
    }


//HookMe

    /* errno snapshot taken here reflects whatever the calls above left behind. */
    int error = errno;
    if (sandbox_check(getpid(), "process-fork", SANDBOX_CHECK_NO_REPORT)) {
        if (error == EPERM) {
            struct substitute_function_hook hook[0];   /* NOTE(review): zero-length; hook[0] below is out of bounds */

            hook[0].function = &sym_addr;
            hook[0].replacement = fake_fcntl;
            hook[0].old_ptr = &old_fcntl;
            hook[0].options = 0;

            substitute_hook_functions(hook, 1, NULL, SUBSTITUTE_NO_THREAD_SAFETY);
        }
        else {
            struct substitute_function_hook hook[3];

            hook[0].function = &csops;
            hook[0].replacement = fake_csops;
            hook[0].old_ptr = &old_csops;
            hook[0].options = 0;

            hook[1].function = &csops_audittoken;
            hook[1].replacement = fake_csops_audittoken;
            hook[1].old_ptr = &old_csops_audittoken;
            hook[1].options = 0;

            hook[2].function = &sym_addr;
            hook[2].replacement = fake_fcntl;
            hook[2].old_ptr = &old_fcntl;
            hook[2].options = 0;

            substitute_hook_functions(hook, 3, NULL, SUBSTITUTE_NO_THREAD_SAFETY);
        }
    }
    else {
        struct substitute_function_hook hook[6];

        hook[0].function = &csops;
        hook[0].replacement = fake_csops;
        hook[0].old_ptr = &old_csops;
        hook[0].options = 0;

        hook[1].function = &csops_audittoken;
        hook[1].replacement = fake_csops_audittoken;
        hook[1].old_ptr = &old_csops_audittoken;
        hook[1].options = 0;

        hook[2].function = &sym_addr;
        hook[2].replacement = fake_fcntl;
        hook[2].old_ptr = &old_fcntl;
        hook[2].options = 0;

        hook[3].function = &posix_spawn;
        hook[3].replacement = fake_posix_spawn;
        hook[3].old_ptr = &old_pspawn;
        hook[3].options = 0;

        hook[4].function = &execve;
        hook[4].replacement = fake_execve;
        hook[4].old_ptr = &old_execve;
        hook[4].options = 0;

        /* vfork is not trampolined: it is replaced by fork outright and no
         * original is kept (old_ptr NULL). */
        hook[5].function = &vfork;
        hook[5].replacement = &fork;
        hook[5].old_ptr = NULL;
        hook[5].options = 0;

        substitute_hook_functions(hook, 6, NULL, SUBSTITUTE_NO_THREAD_SAFETY);
    }

    struct substitute_image *dyld = substitute_open_image("/usr/lib/system/libdyld.dylib");
    if (dyld) {
        /* Order matters: [0] gates the block, [1] and [2] become hook targets,
         * [3] becomes ImagePath. The array is not initialized and the lookup's
         * return value is not checked. */
        const char *syms[] = { "_gUseDyld3", "__ZNK5dyld37closure5Image16hasCodeSignatureERjS2_", "__ZNK5dyld37closure5Image9hasCdHashEPh", "__ZNK5dyld37closure5Image4pathEv" };
        void *sym_addrs[4];
        substitute_find_private_syms(dyld, syms, sym_addrs, 4);

        if (sym_addrs[0]) {
            ImagePath = sym_addrs[3];   /* no NULL check; fake_hasCodeSignature/fake_hasCdHash call it unconditionally */

            struct substitute_function_hook hook[3];

            hook[0].function = &fcntl;
            hook[0].replacement = fake_fcntl2;
            hook[0].old_ptr = &old_fcntl2;
            hook[0].options = 0;

            hook[1].function = sym_addrs[1];
            hook[1].replacement = fake_hasCodeSignature;
            hook[1].old_ptr = &old_hasCodeSignature;
            hook[1].options = 0;

            hook[2].function = sym_addrs[2];
            hook[2].replacement = fake_hasCdHash;
            hook[2].old_ptr = &old_hasCdHash;
            hook[2].options = 0;

            substitute_hook_functions(hook, 3, NULL, SUBSTITUTE_NO_THREAD_SAFETY);
        }
    }

}
  359.  
  360.  
/* Image constructor: runs as soon as this dylib is loaded into a process.
 * Writes a marker line through logToFile() (to /var/log/pspawn.log, and to
 * stderr while that file is not yet open) and then installs the hooks. */
static void ctor(void) __attribute__((constructor));

static void ctor(void)
{
    logToFile("[PSPAWN] Init!");
    hookMe();
}