
Snake&Apple VIII — App Sandbox

Karmaz95 released this 19 Sep 15:02

MAJOR

  • Added SnakeVIII class.
  • Added spbl_compilator_wrapper.c for compiling Sandbox Profile files .sb.
  • Added make_plist.py for converting XML back to PLIST.
  • Added sandbox_inspector for various tasks related to App Sandbox (it is standalone, but I also implemented all of its functionality in the latest SnakeVIII).
  • Added sandbox_validator for checking whether a given operation is allowed for the sandboxed process.
  • Added sandbox_detector for checking whether the process is sandboxed.
  • Some modifications & additions to the current code (see below).

SnakeI

  • Added --dump_binary for extracting binary from Fat archives.
  • Modified --dump_section to write the raw section bytes to stdout (no more b'\x01...... Python repr output), so the result can be piped straight into another tool.
  • Modified getStringSection so it now returns strings in the order they appear in the binary (not in random order as previously).
    # Excerpt from the SnakeI class; the module imports lief (the LIEF Mach-O parser) at top level.
    def getStringSection(self):
        '''Return strings from the __cstring (string table), in file order.'''
        extracted_strings = []
        for section in self.binary.sections:
            if section.type == lief.MachO.SECTION_TYPES.CSTRING_LITERALS:
                # section.content is a memoryview over the raw section bytes
                strings_bytes = section.content.tobytes()
                strings = strings_bytes.decode('utf-8', errors='ignore')
                # NUL-separated; a list keeps the original order (a set would not).
                # Note: consecutive or trailing NULs produce empty strings.
                extracted_strings.extend(strings.split('\x00'))
        return extracted_strings
  • Bug fix in MachOFileFinder.py: it did not print the file type correctly after a lief update. The print now reads:
print(f"{binary.header.file_type.__name__}:{file_path}")
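The --dump_binary option above extracts one architecture slice from a Fat (universal) archive. The following is an added, stand-alone illustration of that operation and is not code from the Snake&Apple project: it parses the big-endian fat_header/fat_arch layout (both the 0xCAFEBABE and 0xCAFEBABF variants), refuses slices that point outside the container so a crafted header cannot trigger an out-of-bounds read, and builds a constructed two-slice archive as sample input. CPU type constants are the standard Mach-O values; build_fat, SAMPLE_FAT and the fake slice payloads are constructed for this example.

```python
import struct

FAT_MAGIC = 0xCAFEBABE     # fat_header + fat_arch entries (32-bit offset/size)
FAT_MAGIC_64 = 0xCAFEBABF  # fat_header + fat_arch_64 entries (64-bit offset/size)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C

def parse_fat(data):
    """Return (cputype, cpusubtype, offset, size) per slice; all fields are big-endian."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("not a Fat archive")
    fmt = ">iiIII" if magic == FAT_MAGIC else ">iiQQII"
    header_len = 8 + nfat * struct.calcsize(fmt)
    slices = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size = struct.unpack_from(fmt, data, 8 + i * struct.calcsize(fmt))[:4]
        # Reject slices overlapping the header or running past EOF: a crafted header
        # must not make the caller read outside the container.
        if offset < header_len or offset + size > len(data):
            raise ValueError(f"slice {i} at 0x{offset:x} (+{size} bytes) lies outside the file")
        slices.append((cputype, cpusubtype, offset, size))
    return slices

def dump_binary(data, cputype):
    """Extract the thin Mach-O image for one CPU type (what --dump_binary does)."""
    for ct, _, offset, size in parse_fat(data):
        if ct == cputype:
            return data[offset:offset + size]
    raise KeyError(f"no slice for cputype 0x{cputype:08x}")

def is_well_formed(data):
    # struct.error covers a header cut off before the last fat_arch entry.
    try:
        parse_fat(data)
        return True
    except (ValueError, struct.error):
        return False

def build_fat(slices):
    """Constructed test input: pack (cputype, cpusubtype, payload) into a FAT_MAGIC archive.
    lipo pads slices to 2**align; the parser uses only offset/size, so no padding here."""
    header_len = 8 + 20 * len(slices)
    entries, body = b"", b""
    for cputype, cpusubtype, payload in slices:
        entries += struct.pack(">iiIII", cputype, cpusubtype, header_len + len(body), len(payload), 14)
        body += payload
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body

# Constructed sample: two fake slices standing in for real thin Mach-O images.
SAMPLE_FAT = build_fat([(CPU_TYPE_X86_64, 3, b"\xcf\xfa\xed\xfe" + b"x86_64-slice"),
                        (CPU_TYPE_ARM64, 0, b"\xcf\xfa\xed\xfe" + b"arm64-slice")])
```

When triaging a universal binary, run the inspection on every slice returned by parse_fat rather than only the host architecture, since each slice is an independent Mach-O image.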

SnakeAppExtension

  • Added --bundle_id flag for printing the CFBundleIdentifier value from the Info.plist file if it exists.

MINOR

  • Added decompiled code of Sandbox components.
  • Added sandbox_operations_extractor.py, a simple script for extracting Sandbox Operations from Sandbox.kext.
  • Added sonoma_sandbox_operations.txt, a list of all Sandbox Operations extracted from Sandbox.kext on Sonoma using sandbox_operations_extractor.py.
  • Added SBPL Compilator article link.
  • Added Sandbox Detector article link.
  • Added Sandbox Validator article link.
  • Added Unexpected but expected behavior article link.
  • Updated README.md.
  • Patched one of the helper testing functions because it could not handle some bytes while decoding. Now it looks like this:
import subprocess

def run_and_get_stdout(command):
    # Merge stderr into stdout inside the shell so both streams are captured together
    command_with_stdout = f"{command} 2>&1"
    # Run the command and capture the output as bytes
    result = subprocess.run(command_with_stdout, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

    # Decode as UTF-8, replacing invalid byte sequences instead of raising UnicodeDecodeError
    return result.stdout.decode('utf-8', errors='replace').strip()