dongAxis/CSOps (forked from axelexic/CSOps)

Utility to manipulate code-signed applications in Mac OS X. Demonstrates the use of the csops system call.
CSOps - A program that invokes the csops system call on Mac OS X

The csops system call is an Apple private system call used by many system daemons (mainly /usr/libexec/taskgated) to verify code signatures. The 'codesign' command line utility creates a hash of the executable -- one hash per memory page -- and stores these hashes in a code directory. 'codesign' then computes the hash of the code directory and signs that hash. While signing code, one can specify whether the signature should be embedded inside the executable itself, kept in a separate external file, or stored in a separate database (/var/db/DetachedSignature, which is an sqlite3 database with two tables -- code and global).

When the execv/__mac_execve system call runs, it checks whether the executable is code signed. If it is not, the kernel uses the TASK_ACCESS_PORT (mach port 14) to communicate with 'taskgated' in userspace and ask whether the process has a detached signature. 'taskgated' consults the executable as well as the DetachedSignature database to verify whether the code was signed. (Note that this whole process results in multiple context switches and is highly inefficient. If you want to avoid this inefficiency, you are well advised to sign your code.)

While signing code, one can also specify what action the kernel should take if the signature is invalid. For invalid code, the options are to mark it as 'kill' (which will send a SIGKILL to the process) or to mark it as 'hard', which doesn't seem to be doing anything. These flags are checked at the time the kernel executes the execve (__mac_execve) system call.

At runtime, one can use the csops system call to query the signing status of an already running process, mark it as invalid, and kill it. This utility is a command line tool for doing these things. Note that giving a PID value of 0 (zero) invokes these operations on the CSOps utility itself. To manipulate the state of any other process, you must have root privileges.

Usage: ./CSOps [options] PID
Options are:
	-status                  : Return the status of the given PID.
	-mark_invalid            : Mark a given PID as having invalid Code Signature.
	-kill_if_invalid         : Kill the given PID if it has invalid code signature.
	-mark_hard               : Doesn't do anything meaningful right now... :-)
	-executable_path_for_pid : Return the executable path name for PID. Used by taskgated.
	-code_directory_hash     : Return the Hash of the code directory.
	-entitlement             : Return the entitlements blob embedded in executable.
	-macho_offset            : Return file offset of active mach-o section.
	-restrict                : Mark the process as sandboxed. Only valid for child processes.
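The -status query above, as an added example (not code from the CSOps repository): a small C program that calls csops with CS_OPS_STATUS for a PID (0 for itself) and decodes the returned flag word. The CS_* constants and the csops prototype are copied from XNU's sys/codesign.h because the call has no public header, and the query only does real work when built on macOS.

```c
/* Added example, not CSOps repo code: query a process's code-signing status via
 * csops(CS_OPS_STATUS) and decode it. Constants mirror XNU's sys/codesign.h. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define CS_OPS_STATUS 0      /* op: return the status word for pid */
#define CS_VALID      0x0001 /* signature currently valid */
#define CS_ADHOC      0x0002 /* ad-hoc signed (no certificate chain) */
#define CS_HARD       0x0100 /* signed with the 'hard' option */
#define CS_KILL       0x0200 /* signed with the 'kill' option: SIGKILL when invalid */
#define CS_RESTRICT   0x0800 /* marked restricted (see -restrict above) */
extern int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize); /* private */
/* Fill *flags_out for pid (0 = this process). Returns 0, or -1 with errno set
 * (EPERM without root for other pids; ENOSYS when not built on macOS). */
int cs_query_status(pid_t pid, uint32_t *flags_out) {
#ifdef __APPLE__
    return csops(pid, CS_OPS_STATUS, flags_out, sizeof *flags_out);
#else
    (void)pid; (void)flags_out; errno = ENOSYS; return -1;
#endif
}
/* Render a status word as e.g. "VALID,HARD,KILL" ("" if no known bit is set).
 * Returns the number of characters written, or -1 if buf is too small. */
int cs_describe_flags(uint32_t flags, char *buf, size_t buflen) {
    static const struct { uint32_t bit; const char *name; } tab[] = {
        { CS_VALID, "VALID" }, { CS_ADHOC, "ADHOC" }, { CS_HARD, "HARD" },
        { CS_KILL, "KILL" }, { CS_RESTRICT, "RESTRICT" },
    };
    if (buflen == 0) return -1;
    size_t used = 0; buf[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!(flags & tab[i].bit)) continue;
        int n = snprintf(buf + used, buflen - used, "%s%s", used ? "," : "", tab[i].name);
        if (n < 0 || (size_t)n >= buflen - used) return -1; /* would truncate */
        used += (size_t)n;
    }
    return (int)used;
}
int main(int argc, char **argv) {
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : 0; /* 0 = query ourselves, as CSOps does */
    uint32_t flags = 0; char desc[64];
    if (cs_query_status(pid, &flags) != 0) { perror("csops(CS_OPS_STATUS)"); return 1; }
    cs_describe_flags(flags, desc, sizeof desc);
    printf("pid %d: status 0x%08x (%s)\n", (int)pid, flags, desc);
    return 0;
}
```

Build on macOS with cc and run it with a PID (root for PIDs other than your own); a result lacking VALID, or lacking KILL on a binary you signed with the kill option, is the condition the -status option is meant to surface.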
