Unexpected but expected behavior

AMFI logic inconsistency for restricted binaries on macOS

Karol Mazurek
7 min read · Aug 3, 2024


INTRO

I tested different things while learning how AMFI works, not only in the context of security but also to understand the logic implemented behind it. You can find the article with my notes here:

During this learning process I wrote a small script that uses CrimsonUroboros to check how the flags behave. Its source code is provided at the bottom of the article. Part of the tool's output looks like this:

./hello_2000 # Executable with 0x2000 Code Signature bit set being tested

After finishing, I could upload the results to Excel and check, without looking at the kext code, which flags exclude each other. Such a situation could indicate potential irregularities in the AMFI logic:
