A simple utility for bypassing amfid signature verification

Project description

amfidont

Description

A macOS utility that attaches to amfid with LLDB and bypasses app signature validation for explicitly allowed binaries. Allowed targets are matched by executable path prefix and/or cdhash.

Requirements

  • A SIP configuration that allows debugging system processes, by either:
    • fully disabling SIP, or
    • disabling only the debugging restrictions (csrutil enable --without debug)

Installation

xcrun python3 -m pip install -U amfidont

Usage

Usage: amfidont [OPTIONS] COMMAND [ARGS]...

A simple utility for bypassing amfid signature verification

Options:
  --path, -p TEXT      path of executable to allow (can be specified multiple times, merged with ~/.amfidont/paths)
  --cdhash, -c TEXT    cdhash of executable to allow (can be specified multiple times, merged with ~/.amfidont/cdhashes)
  --verbose, -v        enable verbose output
  --allow-all          allow all validations to pass
  --install-completion Install completion for the current shell.
  --show-completion    Show completion for the current shell, to copy it or customize the installation.
  --help               Show this message and exit.

Commands:
  daemon        Start amfidont in daemon mode.
  add-path      Add an allowed path prefix to persistent configuration.
  remove-path   Remove an allowed path prefix from persistent configuration.
  add-cdhash    Add an allowed cdhash to persistent configuration.
  remove-cdhash Remove an allowed cdhash from persistent configuration.

Example

  1. Add a persistent allowed path:

    sudo amfidont add-path /Users/user/dev/myapp/build/Release/MyApp.app/

  2. Start bypass mode (foreground):

    sudo amfidont --verbose

  3. (Optional) Start as a daemon instead:

    sudo amfidont daemon --verbose

  4. Stop foreground mode with Ctrl-C (this detaches amfidont and leaves amfid running).

Inner implementation details

  • amfidont attaches to /usr/libexec/amfid using LLDB.
  • It sets a breakpoint on -[AMFIPathValidator_macos validateWithError:].
  • On each breakpoint hit, it inspects validator fields:
    • code path (codePath)
    • cdhash (cdhashAsData)
    • validation state (isValid)
  • If the validator reports the binary as invalid but its path or cdhash matches a configured allow-rule, the return register is patched to a success value and execution continues.
  • Persistent configuration is stored in:
    • ~/.amfidont/paths
    • ~/.amfidont/cdhashes
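
As an added example that is not part of amfidont, the following audit script checks for the two conditions this tool depends on from the defender's side: SIP debugging restrictions being disabled, and a debugger attached to amfid (the P_TRACED process flag). It assumes the `csrutil status` wording shown and that `ps -o flags` prints the process flag word in hex; the sample outputs are constructed.

```python
"""Defender-side audit for amfidont-style tampering (added example, not amfidont's own code).
Checks whether `csrutil status` reports SIP off or debugging restrictions disabled (the
state amfidont needs) and whether /usr/libexec/amfid has a debugger attached (P_TRACED).
"""
import re
import subprocess

P_TRACED = 0x00000800  # XNU bsd/sys/proc.h: set while a debugger is attached
AMFID = "/usr/libexec/amfid"

# Constructed sample outputs (not captured from a real machine) so this runs offline.
SAMPLE_CSR = ("System Integrity Protection status: enabled (Custom Configuration).\n\n"
              "Configuration:\n\tDebugging Restrictions: disabled\n")
SAMPLE_PS = ("  PID       F COMM\n"
             "    1    4004 /sbin/launchd\n"
             "  512    4804 /usr/libexec/amfid\n")  # 0x4804 has the 0x800 bit set

def debug_restrictions_disabled(csrutil_status: str) -> bool:
    """True if SIP is off entirely or only its debugging restrictions are disabled."""
    text = csrutil_status.lower()
    if re.search(r"system integrity protection status:\s*disabled", text):
        return True
    return re.search(r"debugging restrictions:\s*disabled", text) is not None

def traced_amfid_pids(ps_output: str) -> list:
    """Parse `ps -axo pid,flags,comm` output (assumed: flags printed as hex) and
    return PIDs of amfid processes whose P_TRACED bit is set."""
    pids = []
    for line in ps_output.splitlines()[1:]:  # first line is the column header
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, flags, comm = parts
        if comm.strip() == AMFID and int(flags, 16) & P_TRACED:
            pids.append(int(pid))
    return pids

def audit(live: bool = True) -> dict:
    """Run both checks; live=True shells out to the real macOS tools."""
    if live:
        csr = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
        ps = subprocess.run(["ps", "-axo", "pid,flags,comm"], capture_output=True, text=True).stdout
    else:
        csr, ps = SAMPLE_CSR, SAMPLE_PS
    return {"debug_restrictions_disabled": debug_restrictions_disabled(csr),
            "traced_amfid_pids": traced_amfid_pids(ps)}

if __name__ == "__main__":
    print(audit())
```

A non-empty `traced_amfid_pids` result on a machine where nobody is intentionally debugging amfid is worth an alert, since amfid normally runs untraced.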

Download files

Source Distribution

amfidont-0.0.2.tar.gz (52.1 kB view details)

Built Distribution

amfidont-0.0.2-py3-none-any.whl (39.0 kB view details)

File details

Details for the file amfidont-0.0.2.tar.gz.

File metadata

  • Download URL: amfidont-0.0.2.tar.gz
  • Size: 52.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for amfidont-0.0.2.tar.gz
Algorithm Hash digest
SHA256 0a9b6061e81ff03da922047ff6c1b1f39cdf7adf118c65824a8850e8139cc740
MD5 96a5385b51b0166fa5e2c1d2f8d7bb2d
BLAKE2b-256 c2526f34b77e0ddf78fb4bd89420124284a3de0edcc04c026cc4e64e6ad264f5

Provenance

The following attestation bundles were made for amfidont-0.0.2.tar.gz:

Publisher: python-publish.yml on zqxwce/amfidont

File details

Details for the file amfidont-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: amfidont-0.0.2-py3-none-any.whl
  • Size: 39.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for amfidont-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 972cd72b49e612bae5c4097b5215c30978d6caa79426347198850d93de714d12
MD5 5e864335f8105611e64e22e87d31b94f
BLAKE2b-256 4c272eb7a77275461e85d9f7f4b26ea7c66b305104774b31e1871ba50e4ec5ba

Provenance

The following attestation bundles were made for amfidont-0.0.2-py3-none-any.whl:

Publisher: python-publish.yml on zqxwce/amfidont
