simplify SIP patch

Signed-off-by: SergeySlice <sergey.slice@gmail.com>
SergeySlice 2020-05-03 07:10:02 +03:00
parent 06f1f9301a
commit d7d3c960a9
3 changed files with 49 additions and 21 deletions


@ -178,7 +178,7 @@ UINTN SearchAndCount(const UINT8 *Source, UINT64 SourceSize, const UINT8 *Search
BOOLEAN CompareMemMask(const UINT8 *Source, const UINT8 *Search, UINTN SearchSize, const UINT8 *Mask, UINTN MaskSize); BOOLEAN CompareMemMask(const UINT8 *Source, const UINT8 *Search, UINTN SearchSize, const UINT8 *Mask, UINTN MaskSize);
VOID CopyMemMask(UINT8 *Dest, const UINT8 *Replace, const UINT8 *Mask, UINTN SearchSize); VOID CopyMemMask(UINT8 *Dest, const UINT8 *Replace, const UINT8 *Mask, UINTN SearchSize);
UINTN FindMemMask(const UINT8 *Source, UINTN SourceSize, const UINT8 *Search, UINTN SearchSize, const UINT8 *MaskSearch, UINTN MaskSize); UINTN FindMemMask(const UINT8 *Source, UINTN SourceSize, const UINT8 *Search, UINTN SearchSize, const UINT8 *MaskSearch, UINTN MaskSize);
UINTN FindRelative32(const UINT8 *Source, UINTN Start, UINTN SourceSize, UINTN taskLocation);
// //
// Searches Source for Search pattern of size SearchSize // Searches Source for Search pattern of size SearchSize
// and replaces it with Replace up to MaxReplaces times. // and replaces it with Replace up to MaxReplaces times.
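Review bot: The new `FindRelative32` declaration is the only prototype in this group with no comment describing its contract, and callers of the header only see this line, so the return convention should be stated here. Per the definition added in the same commit it scans `Source[Start, Start + SourceSize)` for a rel32 displacement whose target equals `taskLocation` and returns the offset just past that displacement, or 0 when nothing matches. Proposed comment above the declaration: `// Returns the offset just past a rel32 displacement in Source[Start..Start+SourceSize) that resolves to taskLocation, or 0 if none is found.`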


@ -1074,14 +1074,15 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
} }
} }
#else #else
bool otherSys = false; // bool otherSys = false;
procLocation = searchProc(Kernel, "IOTaskHasEntitlement", &procLen); // UINTN procLocation = searchProc(Kernel, "IOTaskHasEntitlement", &procLen);
//Catalina //Catalina
const UINT8 find2[] = {0x45, 0x31, 0xF6, 0x48, 0x85, 0xC0 }; // const UINT8 find2[] = {0x45, 0x31, 0xF6, 0x48, 0x85, 0xC0 };
const UINT8 mask2[] = {0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF }; // const UINT8 mask2[] = {0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF };
//older systems //older systems
const UINT8 find3[] = {0x48, 0x85, 00, 0x74, 00, 0x48, 00, 00, 0x48 }; const UINT8 find3[] = {0x48, 0x85, 00, 0x74, 00, 0x48, 00, 00, 0x48 };
const UINT8 mask3[] = {0xFF, 0xFF, 00, 0xFF, 00, 0xFF, 00, 00, 0xFF }; const UINT8 mask3[] = {0xFF, 0xFF, 00, 0xFF, 00, 0xFF, 00, 00, 0xFF };
/*
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x30, find2, sizeof(find2), mask2, sizeof(mask2)); patchLocation2 = FindMemMask(&Kernel[procLocation], 0x30, find2, sizeof(find2), mask2, sizeof(mask2));
if (patchLocation2 == KERNEL_MAX_SIZE) { if (patchLocation2 == KERNEL_MAX_SIZE) {
//other systems //other systems
@ -1091,7 +1092,7 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
if (patchLocation2 != KERNEL_MAX_SIZE) { if (patchLocation2 != KERNEL_MAX_SIZE) {
patchLocation2 += procLocation; patchLocation2 += procLocation;
} }
*/
/* /*
procLocation = searchProc(Kernel, "loadExecutable", &procLen); procLocation = searchProc(Kernel, "loadExecutable", &procLen);
@ -1132,6 +1133,7 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
*/ */
#endif #endif
// Stall(9000000); // Stall(9000000);
/*
if (!patchLocation2 || patchLocation2 == KERNEL_MAX_SIZE) { if (!patchLocation2 || patchLocation2 == KERNEL_MAX_SIZE) {
DBG_RT("==> can't find SIP (10.11 - recent macOS), kernel patch aborted.\n"); DBG_RT("==> can't find SIP (10.11 - recent macOS), kernel patch aborted.\n");
for (UINTN j=procLocation; j<procLocation+0x20; ++j) { for (UINTN j=procLocation; j<procLocation+0x20; ++j) {
@ -1164,24 +1166,34 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
DBG_RT("\n"); DBG_RT("\n");
Stall(10000000); Stall(10000000);
} }
*/
//But older systems like Capitan has no call to IOTaskHasEntitlement //ffffff80009a2267 488D35970D2400 lea rsi, qword [ds:0xffffff8000be3005] ; "com.apple.private.security.kext-management"
// having same codes in loadExecutable. //ffffff80009a226e E89D780D00 call _IOTaskHasEntitlement
//check them //ffffff80009a2273 85C0 test eax, eax =>change to eb06 -> jmp .+6
if (otherSys) { //ffffff80009a2275 0F843C010000 je 0xffffff80009a23b7
procLocation = searchProc(Kernel, "loadExecutable", &procLen); //ffffff80009a227b
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x200, find3, sizeof(find3), mask3, sizeof(mask3)); UINTN taskLocation = searchProc(Kernel, "IOTaskHasEntitlement", &procLen);
if (patchLocation2 != KERNEL_MAX_SIZE) { procLocation = searchProc(Kernel, "loadExecutable", &procLen);
patchLocation2 += procLocation; patchLocation2 = FindMemMask(&Kernel[procLocation], 0x500, find3, sizeof(find3), mask3, sizeof(mask3));
Kernel[patchLocation2 + 3] = 0xEB; if (patchLocation2 != KERNEL_MAX_SIZE) {
if (Kernel[patchLocation2 + 4] == 0x6C) { DBG_RT("=> patch SIP applied\n");
Kernel[patchLocation2 + 4] = 0x15; patchLocation2 += procLocation;
} else { Kernel[patchLocation2 + 3] = 0xEB;
Kernel[patchLocation2 + 4] = 0x12; if (Kernel[patchLocation2 + 4] == 0x6C) {
} Kernel[patchLocation2 + 4] = 0x15;
} else {
Kernel[patchLocation2 + 4] = 0x12;
}
} else {
patchLocation2 = FindRelative32(Kernel, procLocation, 0x500, taskLocation);
if (patchLocation2 != 0) {
DBG_RT("=> patch2 SIP applied\n");
Kernel[patchLocation2] = 0xEB;
Kernel[patchLocation2 + 1] = 0x06;
} }
} }
Stall(10000000);
/* /*
//Capitan: 48 85 db 74 70 48 8b 03 48 //Capitan: 48 85 db 74 70 48 8b 03 48
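Review bot: The no-match path is now silent: after the new fallback `patchLocation2 = FindRelative32(Kernel, procLocation, 0x500, taskLocation);`, a result of 0 falls through without any log, because the earlier `can't find SIP` DBG_RT block was commented out in this same hunk. Neither `taskLocation` nor `procLocation` is checked before use either; if `searchProc` has a failure sentinel (not visible here), both lookups should be tested before the 0x500 window is scanned, otherwise the mask search and the two-byte write operate on whatever offset came back. The `Stall(10000000);` after the block runs on every boot regardless of outcome, which looks like a debugging leftover; if it exists to make the DBG_RT output readable it belongs in the failure branch only. Proposed inner else: `} else { DBG_RT("==> can't find SIP (10.11 - recent macOS), kernel patch aborted.\n"); Stall(10000000); }` with the unconditional Stall removed. KernelBooterExtensionsPatch continues outside the hunk.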


@ -115,6 +115,22 @@ VOID CopyMemMask(UINT8 *Dest, const UINT8 *Replace, const UINT8 *Mask, UINTN Sea
} }
} }
// search a pattern like
// call task or jmp address
//return the address next to the command
// 0 if not found
UINTN FindRelative32(const UINT8 *Source, UINTN Start, UINTN SourceSize, UINTN taskLocation)
{
UINTN Offset;
for (UINTN i = Start; i < Start + SourceSize - 4; ++i) {
Offset = Source[i] + (Source[i+1]<<8) + (Source[i+2]<<16) + (Source[i+3]<<24); //should not use *(UINT32*) because of alignment
if (taskLocation == i + Offset + 4) {
return (i+4);
}
}
return 0;
}
UINTN FindMemMask(const UINT8 *Source, UINTN SourceSize, const UINT8 *Search, UINTN SearchSize, const UINT8 *MaskSearch, UINTN MaskSize) UINTN FindMemMask(const UINT8 *Source, UINTN SourceSize, const UINT8 *Search, UINTN SearchSize, const UINT8 *MaskSearch, UINTN MaskSize)
{ {
if (!Source || !Search || !SearchSize) { if (!Source || !Search || !SearchSize) {