Used for discussing the various tools in the book as well as encouraging members to share tools


Postby b3ntx » Fri Nov 18, 2016 6:09 pm

Hey J,

Checking out your sandbox code/presentations and had some issues using sandbox_inspect_pid(). That method always returns 1 whenever I use it via sbtool.

Code:
    sandbox_inspect_pid failed (RC: 1)

I've tried on ElCap 10.11.6 (SIP disabled) and Sierra 10.12 (SIP disabled) with same results. Tried with 'sudo' and 'sudo bash; sbtool <pid> inspect'

Any idea what's going on? Did I miss something in your presentation?
Posts: 13
Joined: Wed Dec 16, 2015 1:26 pm

Re: sbtool

Postby morpheus » Sat Nov 19, 2016 1:08 am

Minor but important issue you've overlooked - sbtool inspect only works if the kext cooperates - and it does only if the kernel is deemed to be debuggable (which, in *OS, is via PE_i_can_haz_debugger). The rest of the sbtool functions do work either way, as they use sandbox_check.
Site Admin
Posts: 738
Joined: Thu Apr 11, 2013 6:24 pm

Re: sbtool

Postby 0xdead10cc » Thu Mar 15, 2018 11:18 am

Note that at least on 10.12, the kext now requires an Apple internal build.

Because I already had a working Kernel build environment, it was easiest to patch the csr_check function in bsd/kern/kern_csr.c to return 0 when called with CSR_ALLOW_APPLE_INTERNAL. Setting a boot arg should also work, but I did not investigate this further.

After this patch, the inspect functionality should work on 10.12 (and possibly also 10.13).
Posts: 5
Joined: Fri Jan 05, 2018 12:00 am
