This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def __lldb_init_module(debugger, internal_dict): | |
| debugger.HandleCommand('command script add -f bundlore_python_dump.custom_breakpoints bundlore_python_dump') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def custom_breakpoints(debugger, command, result, internal_dict): | |
| target = debugger.GetSelectedTarget() | |
| breakpoint = target.BreakpointCreateByName("write", "libsystem_kernel.dylib") | |
| breakpoint.SetScriptCallbackFunction('bundlore_python_dump.write_callback') | |
| breakpoint = target.BreakpointCreateByName("waitpid") | |
| breakpoint.SetScriptCallbackFunction('bundlore_python_dump.waitpid_callback') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def waitpid_callback(frame, bp_loc, dict): | |
| print ("waitpid() detected!") | |
| print ("bundlore_python_dump has finished, dumped python code is here: /tmp/dumped.py") | |
| frame.thread.process.Stop() | |
| frame.thread.process.Kill() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def write_callback(frame, bp_loc, dict): | |
| print ("write() detected!") | |
| print ("dumping python code from $rsi register") | |
| memory_address = 0 | |
| registerSet = frame.GetRegisters() # Returns an SBValueList. | |
| for regs in registerSet: | |
| if 'general purpose registers' in regs.name.lower(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WRITE(2) BSD System Calls Manual WRITE(2) | |
| NAME | |
| pwrite, write, writev -- write output | |
| LIBRARY | |
| Standard C Library (libc, -lc) | |
| SYNOPSIS | |
| #include <unistd.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # by [email protected] | |
| # LLDB custom command to dump OSX/Bundlore Loader python payload | |
| # tested on $lldb --version | |
| # lldb-1100.0.30.6 | |
| # Apple Swift version 5.1.2 (swiftlang-1100.0.278 clang-1100.0.33.9) | |
| # (lldb) script | |
| # Python Interactive Interpreter. To exit, type 'quit()', 'exit()' or Ctrl-D. | |
| # >>> import sys | |
| # >>> print(sys.version) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def __lldb_init_module(debugger, internal_dict): | |
| debugger.HandleCommand('command script add -f follow_fork_child.custom_breakpoints follow-fork-child') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # global variables | |
| # this variable stores original bytes of the child process before the patch | |
| backup_bytes = 0 | |
| # this is the "child entry-point" | |
| patch_address = 0x10000ac87 | |
| def custom_breakpoints(debugger, command, result, internal_dict): | |
| target = debugger.GetSelectedTarget() | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def fork_callback(frame, bp_loc, dict): | |
| global backup_bytes | |
| global patch_address | |
| print ("fork() detected!") | |
| error = lldb.SBError() | |
| backup_bytes = frame.thread.process.ReadUnsignedFromMemory(patch_address, 2, error) | |
| # backup_bytes = 0x7d8b |
OlderNewer