Skip to content
/ CSOps Public
forked from axelexic/CSOps

Utility to manipulate codesigned application in Mac OS X. Demonstrate the use of csops system call.

0 stars 15 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

its-a-feature/CSOps

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
CSOps.xcodeproj
CSOps.xcodeproj
 
 
CSOps
CSOps
 
 
README
README
 
 

Repository files navigation

# CSOps - A program that invokes the csops system call on MAC OS X

## Modified
This version of CSOps was modified from the original version forked from axelexic to fix a few breaking changes and to remove some functionality that I didn't need.

## Description
csops system call, is an Apple Private system call that is used by many system deamons (mainly /usr/libexec/taskgated) to verify code signature. The 'codesign' command line utility, creates a hash of executable -- one hash per memory page -- and stores them in a code directory. 'codesign' then computes the hash of the code directory and signs this hash. While signing code, one can specify if the signature should be embedded inside the executable itself, or if it should be kept in a seperate external file or in a seperate database (/var/db/DetachedSignature, which is  sqlite3 database with two tables-- code and global). When execv/__mac_execve system call runs, it checks to see if the executable is code signed. If it is not, then it uses the TASK_ACCESS_PORT (mach port 14) in the kernel, to communicate with 'taskgated' in userspace to see if the process has a detached signature. 'taskgated', consults the executable as well as the DetachedSignature database to verify if the code was signed. (Note that this whole process results in multiple context switches, and is highly inefficient. If you want to avoid this inefficiency, you are well advised to sign your code.)

While signing code, one can specify what action the kernel should take if the signature is invalid. For invalid code, the options are to mark as 'kill' (which will send a SIGKILL to the process) or mark it as 'hard', which doesn't seem to be doing anything. These flags are checked at the time kernel executes execve (__mac_execve) system call. 

At runtime, one can use the csops system call to query and mark an already running code as invalid and kill it. This utility is a command line tool to do these things. Note that giving a PID value of 0 (zero), results in invoking these operations on the CSOps utility itself. To manipulate the state of any other process, you must have root privileges.

Usage: ./CSOps PID

About

Utility to manipulate codesigned application in Mac OS X. Demonstrate the use of csops system call.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Objective-C 57.3%
  • C 42.7%