v1.1

theevilbit · May 16, 2021 · 1115746 · 1115746
1 parent 91940d9
commit 1115746
Show file tree

Hide file tree

Showing 30 changed files with 1,436 additions and 314 deletions.
diff --git a/Common/Constants.h b/Common/Constants.h
@@ -23,16 +23,24 @@
 
 //preferences strings
 
-#define PREF_ELECTRON @"prefElectron"
-#define PREF_ENVVARS @"prefEnvVars"
-#define PREF_TFP @"prefTFP"
-#define PREF_DYLIB @"prefDylib"
-#define PREF_SKIPAPPLE @"skipApple"
-#define PREF_ISBLOCKING @"isBlocking"
-#define PREF_ISLEARNING @"isLearning"
-#define PREF_ISRUNNING @"isRunning"
+#define PREF_ELECTRON @"pref_electron_debug"
+#define PREF_ENVVARS @"pref_env_vars"
+#define PREF_TFP @"pref_taskforpid"
+#define PREF_DYLIB @"pref_dylib"
+#define PREF_SKIPAPPLE @"skip_apple"
+#define PREF_ISBLOCKING @"is_blocking"
+#define PREF_ISLEARNING @"is_learning"
+#define PREF_ISRUNNING @"is_running"
+#define PREF_SELFPROTECTION @"pref_selfprotection"
+#define PREF_FILELINK_SYMBOLIC @"pref_filelink_symbolic"
+#define PREF_FILELINK_HARD @"pref_filelink_hard"
+
+//define attack types
+#define ATTACK_INJECTION @0
+#define ATTACK_FILELINKS @1
 
 //notification strings
+#define NOTIFICATION_ATTACK_TYPE @"attack_type"
 #define NOTIFICATION_TYPE @"type"
 #define NOTIFICATION_ID @"id"
 #define NOTIFICATION_VICTIM_PATH @"victim_path"
@@ -41,6 +49,15 @@
 #define NOTIFICATION_ENV @"env"
 #define NOTIFICATION_ARGUMENTS @"arguments"
 
+//notification strings for symlink/hardlink detection
+#define NOTIFICATION_LINK_TYPE @"type"
+#define NOTIFICATION_LINK_PROCESS_PATH @"process_path"
+#define NOTIFICATION_LINK_SOURCE_PATH @"source_path"
+#define NOTIFICATION_LINK_DESTINATION_PATH @"destination_path"
+#define NOTIFICATION_LINK_FILE_UID @"file_uid"
+#define NOTIFICATION_LINK_PROCESS_UID @"process_uid"
+
+
 #define CS_VALID 0x00000001
 #define CS_RUNTIME 0x00010000
 #define CS_REQUIRE_LV               0x00002000

diff --git a/Extension/Preferences.m b/Extension/Preferences.m
@@ -61,11 +61,25 @@ -(BOOL)initPrefFile {
             goto bail;
         }
     }
+
+    BOOL reset_successful = [self reset];
+
+    return reset_successful;
+    bail:
+        return NO;
+}
+
+-(BOOL)reset {
     self.preferences = [NSMutableDictionary new];
+    self.preferences[@"version"] = @2;
     self.preferences[PREF_ELECTRON] = @YES;
     self.preferences[PREF_ENVVARS] = @YES;
     self.preferences[PREF_TFP] = @YES;
     self.preferences[PREF_DYLIB] = @YES;
+    self.preferences[PREF_FILELINK_HARD] = @YES;
+    self.preferences[PREF_FILELINK_SYMBOLIC] = @YES;
+    self.preferences[PREF_SELFPROTECTION] = @NO;
+
     self.preferences[PREF_SKIPAPPLE] = @YES;
     self.preferences[PREF_ISBLOCKING] = @NO;
     self.preferences[PREF_ISLEARNING] = @NO;
@@ -74,12 +88,9 @@ -(BOOL)initPrefFile {
     BOOL saved = [self save];
     if(saved == NO) {
         os_log_error(log_handle, "Preferences: Error saving preferences");
-        goto bail;
     }
 
-    return YES;
-    bail:
-        return NO;
+    return saved;
 }
 
 //load prefs from disk
@@ -88,6 +99,9 @@ -(BOOL)load
     //flag
     BOOL loaded = NO;
 
+    //version
+    NSNumber* pref_version = nil;
+
     //load
     self.preferences = [NSMutableDictionary dictionaryWithContentsOfFile:[DIR_PATH_ES stringByAppendingPathComponent:PREFS_FILE]];
     if(nil == self.preferences)
@@ -96,6 +110,16 @@ -(BOOL)load
         goto bail;
     }
 
+    //reset preferences if older version is found
+    //1.0.1 didn't support versioning, so only checking if the key exists
+    pref_version = self.preferences[@"version"];
+    if (pref_version == nil) {
+        BOOL reset_successful = [self reset];
+        if(reset_successful == NO) {
+            goto bail;
+        }
+    }
+
     //dbg msg
     os_log_debug(log_handle, "loaded preferences: %@", self.preferences);
 

diff --git a/Extension/ShieldMonitor.h b/Extension/ShieldMonitor.h
@@ -6,21 +6,26 @@
 //  Copyright © 2020. csaba.fitzl. All rights reserved.
 //
 
+@import Foundation;
+
+#include <stdlib.h>
+#include <limits.h> /* PATH_MAX */
+
 #import "../Common/logging.h"
-#import "ProcessMonitor.h"
+#import "Monitor.h"
 #import "Preferences.h"
 #import "AllowList.h"
 #import "XPCAppClient.h"
 #import "XPCExtension.h"
-@import Foundation;
 #import "Constants.h"
 #import "utilities.h"
 
 @interface ShieldMonitor: NSObject
 
 @property BOOL isRunning;
-@property NSArray* monitoredEnvVars;
-@property ProcessMonitor* procMon;
+@property NSArray* monitored_env_vars;
+@property NSArray* monitored_electron_debug_strings;
+@property Monitor* procMon;
 @property XPCAppClient* xpc_client;
 
 - (BOOL) monitor;