Use AMFI to check AMFI dynamic cache and clean up kern_funcs

Makefile

@@ -6,6 +6,7 @@ TOOL_NAME = inject
 inject_CODESIGN_FLAGS = -Hsha256 -Hsha1 -Sentitlements.xml
 inject_FRAMEWORKS = IOKit Security
 inject_CFLAGS = -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=missing-braces -Iinclude
+inject_LIBRARIES = mis
 inject_FILES = inject.m patchfinder64.c kern_funcs.c
 
 include $(THEOS_MAKE_PATH)/tool.mk

control

@@ -1,6 +1,6 @@
 Package: science.xnu.injector
 Name: Injector
-Version: 0.1
+Version: 0.2
 Architecture: iphoneos-arm
 Description: Inject files to kernel trust cache
 Maintainer: Sam Bingner <[email protected]>

inject.m

@@ -16,6 +16,14 @@
 OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes, SecStaticCodeRef _Nullable *staticCode);
 OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags, CFDictionaryRef _Nullable *information);
 CFStringRef (*_SecCopyErrorMessageString)(OSStatus status, void * __nullable reserved) = NULL;
+extern int MISValidateSignatureAndCopyInfo(NSString *file, NSDictionary *options, NSDictionary **info);
+
+extern NSString *MISCopyErrorStringForErrorCode(int err);
+extern NSString *kMISValidationOptionRespectUppTrustAndAuthorization;
+extern NSString *kMISValidationOptionValidateSignatureOnly;
+extern NSString *kMISValidationOptionUniversalFileOffset;
+extern NSString *kMISValidationOptionAllowAdHocSigning;
+extern NSString *kMISValidationOptionOnlineAuthorization;
 
 mach_port_t tfp0 = MACH_PORT_NULL;
 
@@ -38,9 +46,6 @@
  uint16_t start;
 } __attribute__((packed));
 
-struct hash_entry_t amfiIndex[0x100];
-char *amfiData = NULL;
-
 typedef uint8_t hash_t[TRUST_CDHASH_LEN];
 
 mach_port_t try_restore_port() {
@@ -57,62 +62,21 @@ mach_port_t try_restore_port() {
  return MACH_PORT_NULL;
 }
 
-void free_amfitab() {
- if (amfiData != NULL) {
- free(amfiData);
- amfiData = NULL;
- }
-}
-
-bool init_amfitab(uint64_t amfitab) {
- if (amfitab == 0)
- return false;
-
- int rv = kread(amfitab, &amfiIndex, sizeof(amfiIndex));
- size_t len = 0;
-
- for(int i=0; i<0x100; i++) {
- len += amfiIndex[i].num * 19;
- }
- free_amfitab();
- amfiData = malloc(len);
- rv = kread(amfitab + sizeof(amfiIndex), amfiData, len);
- return true;
-}
-
-bool check_amfi(uint64_t amfitab, NSData *hashData) {
- const char *hash = [hashData bytes];
- unsigned char idx = hash[0];
- hash++;
- if (amfiData == NULL && !init_amfitab(amfitab)) {
- return false;
- }
- if (amfiIndex[idx].num == 0 || amfiIndex[idx].start == 0) {
- fprintf(stderr, "Nothing found to check in amficache (wrong?)\n");
- return false;
- }
-
- char *amfiNext = amfiData + (amfiIndex[idx].start + amfiIndex[idx].num) * 19;
- for (char *amfi = amfiData + amfiIndex[idx].start * 19; amfi < amfiNext; amfi += 19) {
- if (memcmp(hash, amfi, 19) == 0) {
- return true;
- }
- }
-
- return false;
+bool check_amfi(NSString *path) {
+ return MISValidateSignatureAndCopyInfo(path, @{kMISValidationOptionAllowAdHocSigning: @YES, kMISValidationOptionRespectUppTrustAndAuthorization: @YES}, NULL) == 0;
 }
 
-NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes, uint64_t amfitab) {
+NSArray *filteredHashes(uint64_t trust_chain, NSDictionary *hashes) {
  NSArray *result;
  @autoreleasepool {
  NSMutableDictionary *filtered = [hashes mutableCopy];
  for (NSData *cdhash in [filtered allKeys]) {
- if (check_amfi(amfitab, cdhash)) {
- printf("%s: already in amfi trustcache, not reinjecting\n", [filtered[cdhash] UTF8String]);
+ if (check_amfi(filtered[cdhash])) {
+ printf("%s: already in static trustcache, not reinjecting\n", [filtered[cdhash] UTF8String]);
  [filtered removeObjectForKey:cdhash];
  }
  }
- free_amfitab();
+
  struct trust_mem search;
  search.next = trust_chain;
  while (search.next != 0) {
@@ -143,7 +107,7 @@ bool check_amfi(uint64_t amfitab, NSData *hashData) {
  return [result autorelease];
 }
 
-int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amficache) {
+int injectTrustCache(int argc, char* argv[], uint64_t trust_chain) {
  @autoreleasepool {
  struct trust_mem mem;
  uint64_t kernel_trust = 0;
@@ -205,7 +169,7 @@ int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amfi
  }
 
 
- NSArray *filtered = filteredHashes(mem.next, hashes, amficache);
+ NSArray *filtered = filteredHashes(mem.next, hashes);
  int hashesToInject = [filtered count];
  printf("%d new hashes to inject\n", hashesToInject);
  if (hashesToInject < 1) {
@@ -251,11 +215,9 @@ int main(int argc, char* argv[]) {
  uint64_t kernel_base = get_kernel_base(tfp0);
  init_kernel(kernel_base, NULL);
  uint64_t trust_chain = find_trustcache();
- uint64_t amficache = find_amficache();
  term_kernel();
- bzero(amfiIndex, sizeof(amfiIndex));
  printf("Injecting to trust cache...\n");
- int ninjected = injectTrustCache(argc, argv, trust_chain, amficache);
+ int ninjected = injectTrustCache(argc, argv, trust_chain);
  printf("Successfully injected [%d/%d] to trust cache.\n", ninjected, argc - 1);
  return argc - ninjected - 1;
 }

kern_funcs.c

@@ -21,75 +21,30 @@
 #include "CSCommon.h"
 
 extern mach_port_t tfp0;
+size_t kread(uint64_t where, void *p, size_t size);
+size_t kwrite(uint64_t where, const void *p, size_t size);
 
 void wk32(uint64_t kaddr, uint32_t val) {
- if (tfp0 == MACH_PORT_NULL) {
- printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
- sleep(3);
- return;
- }
-
- kern_return_t err;
- err = mach_vm_write(tfp0,
- (mach_vm_address_t)kaddr,
- (vm_offset_t)&val,
- (mach_msg_type_number_t)sizeof(uint32_t));
-
- if (err != KERN_SUCCESS) {
- printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
- return;
- }
+ kwrite(kaddr, &val, sizeof(uint32_t));
 }
 
 void wk64(uint64_t kaddr, uint64_t val) {
- uint32_t lower = (uint32_t)(val & 0xffffffff);
- uint32_t higher = (uint32_t)(val >> 32);
- wk32(kaddr, lower);
- wk32(kaddr+4, higher);
+ kwrite(kaddr, &val, sizeof(uint64_t));
 }
 
 uint32_t rk32(uint64_t kaddr) {
- kern_return_t err;
  uint32_t val = 0;
- mach_vm_size_t outsize = 0;
- err = mach_vm_read_overwrite(tfp0,
- (mach_vm_address_t)kaddr,
- (mach_vm_size_t)sizeof(uint32_t),
- (mach_vm_address_t)&val,
- &outsize);
- if (err != KERN_SUCCESS){
- printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
- sleep(3);
- return 0;
- }
-
- if (outsize != sizeof(uint32_t)){
- printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
- sleep(3);
+
+ if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
  return 0;
  }
  return val;
 }
 
 uint64_t rk64(uint64_t kaddr) {
- kern_return_t err;
  uint64_t val = 0;
- mach_vm_size_t outsize = 0;
- err = mach_vm_read_overwrite(tfp0,
- (mach_vm_address_t)kaddr,
- (mach_vm_size_t)sizeof(uint64_t),
- (mach_vm_address_t)&val,
- &outsize);
-
- if (err != KERN_SUCCESS){
- printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0);
- sleep(3);
- return 0;
- }
 
- if (outsize != sizeof(uint64_t)){
- printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint64_t), outsize);
- sleep(3);
+ if (kread(kaddr, &val, sizeof(val)) != sizeof(val)) {
  return 0;
  }
  return val;
@@ -163,8 +118,7 @@ vm_address_t get_kernel_base(mach_port_t tfp0)
  }
 }
 
-size_t
-kread(uint64_t where, void *p, size_t size)
+size_t kread(uint64_t where, void *p, size_t size)
 {
  int rv;
  size_t offset = 0;
@@ -183,11 +137,17 @@ kread(uint64_t where, void *p, size_t size)
  return offset;
 }
 
-size_t
-kwrite(uint64_t where, const void *p, size_t size)
+size_t kwrite(uint64_t where, const void *p, size_t size)
 {
  int rv;
  size_t offset = 0;
+
+ if (tfp0 == MACH_PORT_NULL) {
+ printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
+ sleep(3);
+ return offset;
+ }
+
  while (offset < size) {
  size_t chunk = 2048;
  if (chunk > size - offset) {