ninjaprawn / async_wake-fun

async_wake with a bit of fun! - async_awake by Ian Beer (https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3)

New inject_trusts #13

Closed hieplpvip closed 6 years ago

hieplpvip commented 6 years ago

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* find_trustcache, kread64, kwrite, kwrite64, kalloc, get_code_directory and
   get_sha256 are declared elsewhere in the project (kernel r/w and code-signing helpers). */

void inject_trusts(int pathc, char *paths[]) {
    uint64_t tc = find_trustcache();

    struct trust_chain {
        uint64_t next;
        unsigned char uuid[16];
        unsigned int count;
    } __attribute__((packed));

    /* One entry for all pathc hashes, linked in front of the current head. */
    struct trust_chain fake_chain;
    fake_chain.next = kread64(tc);
    *(uint64_t *)&fake_chain.uuid[0] = 0xabadbabeabadbabe;
    *(uint64_t *)&fake_chain.uuid[8] = 0xabadbabeabadbabe;
    fake_chain.count = pathc;

    /* Each entry hash is the 20-byte prefix of the SHA-256 of the code directory. */
    uint8_t *allhash = malloc(20 * pathc);
    for (int i = 0; i != pathc; ++i) {
        printf("[+] calculating hash '%s'\n", paths[i]);
        uint8_t *hash = get_sha256(get_code_directory(paths[i]));
        memmove(allhash + 20 * i, hash, 20);
        free(hash);
    }

    /* Round the kernel allocation up to a 64 KiB boundary. */
    size_t length = (sizeof(fake_chain) + pathc * 20 + 0xFFFF) & ~0xFFFF;
    uint64_t kernel_trust = kalloc(length);

    kwrite(kernel_trust, &fake_chain, sizeof(fake_chain));
    kwrite(kernel_trust + sizeof(fake_chain), allhash, pathc * 20);
    kwrite64(tc, kernel_trust);
    free(allhash);
    printf("[+] injected trust cache\n");
}
```

stek29 commented 6 years ago

Does that code actually work lol?

ninjaprawn commented 6 years ago

First thing - I'm really confused whose PR this is - stek, if you want to submit a PR, please create a separate PR (it says it's by hieplpvip, but everything else is related to your stuff)

Second thing - I don't intend to have a method to "dynamically" add hashes to the trust chain. Main reasons being that a) your current method, stek, is IMO a little bit bad since it's creating a new entry every time, whereas it would be better to have one entry for multiple hashes and b) it's better if we use the trust chain to run binaries to patch amfid, so that we don't have to rely on injecting the trust cache every time
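
Added illustration of the "one entry for multiple hashes" shape discussed above; it is not code from this PR or from async_wake-fun. It packs the same packed header layout as the snippet in the first comment, chains entries through `next` as plain host pointers so the walk can be exercised in user space (no kernel memory involved), and checks membership. `build_trust_entry`, `trust_chain_contains` and `self_check` are names chosen here, and the 0x11/0x22/0x33/0x44 digests and the 0xab uuid filler are constructed sample values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define CDHASH_LEN 20

/* Same packed header the snippet above writes, followed by `count` cdhashes. */
struct trust_chain_hdr {
    uint64_t next;
    unsigned char uuid[16];
    unsigned int count;
} __attribute__((packed));

/* Pack one entry carrying all `count` hashes; `next` is the entry it should
   point at (the old head). Returns a malloc'd buffer of 28 + 20*count bytes. */
uint8_t *build_trust_entry(uint64_t next, const uint8_t *hashes, unsigned int count) {
    struct trust_chain_hdr hdr = { .next = next, .count = count };
    memset(hdr.uuid, 0xab, sizeof hdr.uuid); /* constructed filler, like 0xabadbabe above */
    uint8_t *buf = malloc(sizeof hdr + (size_t)count * CDHASH_LEN);
    if (!buf) return NULL;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, hashes, (size_t)count * CDHASH_LEN);
    return buf;
}

/* Walk the chain from `head`, treating `next` as a host pointer so the same
   layout can be exercised in user space. Returns 1 if any entry lists `cdhash`. */
int trust_chain_contains(uint64_t head, const uint8_t *cdhash) {
    while (head) {
        const uint8_t *entry = (const uint8_t *)(uintptr_t)head;
        struct trust_chain_hdr hdr;
        memcpy(&hdr, entry, sizeof hdr);
        const uint8_t *h = entry + sizeof hdr;
        for (unsigned int i = 0; i < hdr.count; i++, h += CDHASH_LEN)
            if (memcmp(h, cdhash, CDHASH_LEN) == 0) return 1;
        head = hdr.next;
    }
    return 0;
}

/* Constructed check: new head carries hashes 0x11.. and 0x22.. in ONE entry, linked in
   front of an old entry holding 0x33..; bit i of the result is set when hash i is found. */
int self_check(void) {
    uint8_t hs[4 * CDHASH_LEN];
    for (int i = 0; i < 4; i++) memset(hs + i * CDHASH_LEN, 0x11 * (i + 1), CDHASH_LEN);
    uint8_t *old = build_trust_entry(0, hs + 2 * CDHASH_LEN, 1);
    uint8_t *front = build_trust_entry((uint64_t)(uintptr_t)old, hs, 2);
    int r = 0;
    for (int i = 0; i < 4; i++)
        r |= trust_chain_contains((uint64_t)(uintptr_t)front, hs + i * CDHASH_LEN) << i;
    free(front); free(old);
    return r; /* 7: the three listed hashes are found, the fourth (0x44..) is not */
}
```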

stek29 commented 6 years ago

It's not by me, it's by @hieplpvip

Speaking of my current method -- I was trying to make it add structs with dynamic size or even create a struct and add hashes to it later, but failed and resorted to just adding them one by one for now, see here

And yes, it'd be better to patch amfid, I agree. But for now adding stuff manually will do.

stek29 commented 6 years ago

If I was going to make a PR I'd at least clean it up, rebase it and make a separate branch :)

hieplpvip commented 6 years ago

Sorry about it @stek29, it does work :)

stek29 commented 6 years ago

@hieplpvip sorry, I hadn't noticed you'd posted entirely different code in a comment :}