
A simple utility for bypassing amfid signature verification

Project description

amfidont

Description

A macOS utility that attaches to amfid with LLDB and bypasses app signature validation for explicitly allowed binaries. Allowed targets are matched by executable path prefix and/or cdhash.

Requirements

  • A SIP configuration that allows debugging system processes, by either:
    • disabling SIP entirely, or
    • disabling only the debugging restriction (csrutil enable --without debug)

Installation

xcrun python3 -m pip install -U amfidont

Usage

Usage: amfidont [OPTIONS] COMMAND [ARGS]...

A simple utility for bypassing amfid signature verification

Options:
  --path, -p TEXT      path of executable to allow (can be specified multiple times, merged with ~/.amfidont/paths)
  --cdhash, -c TEXT    cdhash of executable to allow (can be specified multiple times, merged with ~/.amfidont/cdhashes)
  --verbose, -v        enable verbose output
  --allow-all          allow all validations to pass
  --install-completion Install completion for the current shell.
  --show-completion    Show completion for the current shell, to copy it or customize the installation.
  --help               Show this message and exit.

Commands:
  daemon        Start amfidont in daemon mode.
  add-path      Add an allowed path prefix to persistent configuration.
  remove-path   Remove an allowed path prefix from persistent configuration.
  add-cdhash    Add an allowed cdhash to persistent configuration.
  remove-cdhash Remove an allowed cdhash from persistent configuration.

Example

  1. Add a persistent allowed path:

    sudo amfidont add-path /Users/user/dev/myapp/build/Release/MyApp.app/
    
  2. Start bypass mode (foreground):

    sudo amfidont --verbose
    
  3. (Optional) Start as daemon instead:

    sudo amfidont daemon --verbose
    
  4. Stop foreground mode with Ctrl-C (this detaches amfidont and leaves amfid running).

Implementation details

  • amfidont attaches to /usr/libexec/amfid using LLDB.
  • It sets a breakpoint on:
-[AMFIPathValidator_macos validateWithError:]
  • On each breakpoint hit, it inspects validator fields:
    • code path (codePath)
    • cdhash (cdhashAsData)
    • validation state (isValid)
  • If the validator reports the binary as invalid but its path or cdhash matches a configured allow-rule, the return register is patched to a success value and execution continues; binaries that match no rule are left to fail validation as usual.
  • Persistent configuration is stored in:
    • ~/.amfidont/paths
    • ~/.amfidont/cdhashes
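The allow-rule matching described above, reimplemented stand-alone as an added example (this is not amfidont's own code): it merges command-line entries with the persistent files, compares cdhashes as lowercase hex, and flags path prefixes that exempt more than a single bundle. Assumptions: the config files hold one entry per line with '#' comments, and the cdhash read from cdhashAsData is passed in as raw bytes.

```python
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class AllowRules:
    paths: set = field(default_factory=set)      # executable path prefixes
    cdhashes: set = field(default_factory=set)   # lowercase hex cdhashes
    allow_all: bool = False                      # mirrors --allow-all


def normalize_cdhash(value) -> str:
    """cdhashAsData arrives from the validator as raw bytes; CLI and config entries are hex."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).hex()
    return value.strip().lower().replace(":", "")


def _read_entries(path: Path):
    # Assumed config format: one entry per line, blank lines and '#' comments ignored.
    if not path.is_file():
        return []
    lines = (ln.strip() for ln in path.read_text().splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def load_rules(cli_paths=(), cli_cdhashes=(), allow_all=False, config_dir=None) -> AllowRules:
    """Merge command-line entries with the persistent ~/.amfidont/{paths,cdhashes} files."""
    cfg = Path(config_dir) if config_dir else Path.home() / ".amfidont"
    rules = AllowRules(allow_all=allow_all)
    rules.paths.update(_read_entries(cfg / "paths"))
    rules.paths.update(p.strip() for p in cli_paths)
    rules.cdhashes.update(normalize_cdhash(c) for c in _read_entries(cfg / "cdhashes"))
    rules.cdhashes.update(normalize_cdhash(c) for c in cli_cdhashes)
    return rules


def is_allowed(rules: AllowRules, code_path: str, cdhash) -> bool:
    """Should an isValid == False result be overridden for this binary?"""
    if rules.allow_all:
        return True
    # Plain string-prefix match, as the README describes. A rule without a
    # trailing '/' also matches sibling paths that share the same stem.
    if any(code_path.startswith(prefix) for prefix in rules.paths):
        return True
    return normalize_cdhash(cdhash) in rules.cdhashes


def overly_broad(rules: AllowRules):
    """Flag path prefixes that would exempt far more than one app bundle from validation."""
    return sorted(p for p in rules.paths
                  if not p.endswith("/") or len(Path(p).parts) <= 3)
```

Running overly_broad() over the merged rules before attaching is a cheap audit: a prefix such as /Users/user exempts every binary under the home directory, not just the app being developed.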

Download files


Source Distribution

amfidont-0.0.1.tar.gz (52.1 kB, Source)

Built Distribution

amfidont-0.0.1-py3-none-any.whl (39.0 kB, Python 3)

File details

Details for the file amfidont-0.0.1.tar.gz.

File metadata

  • Download URL: amfidont-0.0.1.tar.gz
  • Upload date:
  • Size: 52.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for amfidont-0.0.1.tar.gz
Algorithm    Hash digest
SHA256       6a3e742f79155ac094cf13ece426f5f9f21bb4844066052276a4a73ac52e616f
MD5          d3c4c62429c7c92093cd8c3332c82c72
BLAKE2b-256  1845f8eb853c44af03c3236a0807ab642197c2cc58130a33e088a6583afadb3b


Provenance

The following attestation bundles were made for amfidont-0.0.1.tar.gz:

Publisher: python-publish.yml on zqxwce/amfidont

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file amfidont-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: amfidont-0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 39.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for amfidont-0.0.1-py3-none-any.whl
Algorithm    Hash digest
SHA256       b2377d98568d46529e35b596a45130e6ecd3b07f0732b0d870a46b3ebcaf82c2
MD5          5fdf74890aa0f094a13647906f2d153f
BLAKE2b-256  b0187c5b95f306e92498591a464c118514cf137bd32abcc63d2505939a0a627a


Provenance

The following attestation bundles were made for amfidont-0.0.1-py3-none-any.whl:

Publisher: python-publish.yml on zqxwce/amfidont

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
