insecurely (by PID) get audit_token of arbitrary process
// code based on Scott Knight's blog post: https://knight.sc/reverse%20engineering/2019/04/15/detecting-task-modifications.html
// WARNING: this approach is insecure. PIDs are recycled, so a token looked up by PID can belong to a different process than the one intended; do not rely on an audit_token retrieved from a PID for any security decision!!!
#import <Foundation/Foundation.h>
#include <errno.h>
#include <libproc.h>
#include <limits.h>
#include <mach/mach.h>
#include <stdio.h>
#include <stdlib.h>
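// Looks up the audit token of the process identified by `pid` through its
// Mach task-name port (task_name_for_pid + task_info(TASK_AUDIT_TOKEN)).
//
// Insecure by construction: PIDs are recycled, so between the caller choosing
// `pid` and this lookup the number can name a different process. The returned
// token must not drive a security decision; use a token that arrives together
// with the message or event being authorised when the transport provides one.
//
// @param pid Process ID to look up. The caller must be permitted to obtain the
//            target's task-name port, otherwise task_name_for_pid fails.
// @return The target's audit token, or an all-zero token on any failure
//         (task_name_for_pid or task_info error). Callers must treat an
//         all-zero token as "unknown", never as a real identity. Failures are
//         reported with NSLog only.
audit_token_t auditTokenForPid(pid_t pid) {
    audit_token_t token;
    memset(&token, 0, sizeof(token));  // all-zero doubles as the failure sentinel

    task_name_t task = MACH_PORT_NULL;
    kern_return_t kr = task_name_for_pid(mach_task_self(), pid, &task);
    if (kr != KERN_SUCCESS) {
        NSLog(@"[!] Error getting task_name_for_pid: %s", mach_error_string(kr));
        return token;
    }

    mach_msg_type_number_t size = TASK_AUDIT_TOKEN_COUNT;
    kr = task_info(task, TASK_AUDIT_TOKEN, (task_info_t)&token, &size);
    if (kr != KERN_SUCCESS) {
        NSLog(@"[!] Error getting info from task: %s", mach_error_string(kr));
        // Re-zero in case task_info wrote into the buffer before failing, so
        // the caller still sees the sentinel.
        memset(&token, 0, sizeof(token));
    }

    // Release the port name on every path after it was acquired; the original
    // returned early on a task_info failure and leaked it.
    kern_return_t deallocKr = mach_port_deallocate(mach_task_self(), task);
    if (deallocKr != KERN_SUCCESS) {
        NSLog(@"[!] Error deallocating task: %s", mach_error_string(deallocKr));
    }
    return token;
}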
// Renders an audit token as eight dash-separated decimal fields, in the order
// the token stores them: auid, uid, gid, ruid, rgid, pid, asid, idversion.
//
// Each field is formatted with "%d" exactly as the original did, so a value
// with its top bit set prints as a negative number; this is kept for output
// compatibility.
//
// @param token The audit token to describe (an all-zero token prints as
//              "0-0-0-0-0-0-0-0", which auditTokenForPid uses for failure).
// @return A newly formatted string, e.g. "<auid>-<uid>-<gid>-<ruid>-<rgid>-<pid>-<asid>-<idversion>".
NSString* describeAuditToken(audit_token_t token) {
    const size_t fieldCount = sizeof(token.val) / sizeof(token.val[0]);
    NSMutableArray<NSString *> *fields = [NSMutableArray arrayWithCapacity:fieldCount];
    for (size_t i = 0; i < fieldCount; i++) {
        [fields addObject:[NSString stringWithFormat:@"%d", token.val[i]]];
    }
    return [NSString stringWithFormat:@"%@-%@-%@-%@-%@-%@-%@-%@",
            fields[0], fields[1], fields[2], fields[3],
            fields[4], fields[5], fields[6], fields[7]];
}
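// Demo entry point: prints the audit token of one process in the
// "auid-uid-gid-ruid-rgid-pid-asid-idversion" form produced by describeAuditToken.
//
// Usage: <program> [pid]
// Without an argument the target is pid 1, as in the original; with one, the
// argument must be a base-10 PID in [0, INT_MAX] with no trailing characters.
//
// @return 0 on completion (lookup failures are only logged and still print an
//         all-zero token), 1 on a malformed PID argument.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        pid_t pid = 1;  // original default target
        if (argc > 1) {
            // Strict parse: reject partial numbers, sign-flipped or out-of-range values.
            char *end = NULL;
            errno = 0;
            long parsed = strtol(argv[1], &end, 10);
            if (errno != 0 || end == argv[1] || *end != '\0' || parsed < 0 || parsed > INT_MAX) {
                fprintf(stderr, "usage: %s [pid]\n", argv[0]);
                return 1;
            }
            pid = (pid_t)parsed;
        }
        audit_token_t token = auditTokenForPid(pid);
        NSLog(@"got: %@", describeAuditToken(token));
    }
    return 0;
}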