Unexpected but expected behavior
AMFI logic inconsistency for restricted binaries on macOS
INTRO
I tested different things while learning how AMFI works, not only in the context of security but also to understand the logic implemented behind it. You can find the article with my notes here:
I wrote a small script that utilises CrimsonUroboros to check how the flags behave during this learning process. Its source code is provided at the bottom of the article. Part of the tool's output looks like this:
./hello_2000 # Executable with 0x2000 Code Signature bit set being tested
After the run finished, I could load the results into Excel and see, without reading the kext code, which flags exclude each other. Such mutual exclusions could indicate potential irregularities in the AMFI logic:
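The "which flags exclude each other" step can also be done in code instead of Excel. The following is an added example, not the script from the article or CrimsonUroboros itself; the CS_* bit values are from xnu's cs_blobs.h, while the test binaries and the observed cs_flags words are constructed for illustration.

```python
"""Co-occurrence analysis of cs_flags values collected from test binaries.
Added example with constructed data; not the script from the article."""
from itertools import combinations

# Subset of the CS_* bits from xnu's bsd/sys/cs_blobs.h.
CS_FLAGS = {
    "CS_VALID": 0x1, "CS_ADHOC": 0x2, "CS_GET_TASK_ALLOW": 0x4,
    "CS_HARD": 0x100, "CS_KILL": 0x200, "CS_RESTRICT": 0x800,
    "CS_ENFORCEMENT": 0x1000, "CS_REQUIRE_LV": 0x2000, "CS_RUNTIME": 0x10000,
    "CS_PLATFORM_BINARY": 0x4000000, "CS_SIGNED": 0x20000000,
}

# Constructed sample: (test binary, requested bit, cs_flags observed at runtime).
# The observed words are made up for illustration, not real AMFI output.
OBSERVED = [
    ("hello_0002", 0x2, 0x20000003),
    ("hello_0004", 0x4, 0x20000005),
    ("hello_0200", 0x200, 0x20000301),
    ("hello_0800", 0x800, 0x20000801),
    ("hello_2000", 0x2000, 0x20003001),
    ("hello_10000", 0x10000, 0x20010101),
]


def decode(flags):
    """Names of the known CS_* bits set in a cs_flags word."""
    return {name for name, bit in CS_FLAGS.items() if flags & bit}


def exclusive_pairs(observations):
    """Flag pairs that each occur somewhere but never in the same process.
    These are what the spreadsheet check looks for: one bit clearing another."""
    flag_sets = [decode(obs) for _, _, obs in observations]
    seen = set().union(*flag_sets)
    return {frozenset(p) for p in combinations(sorted(seen), 2)
            if not any(set(p) <= fs for fs in flag_sets)}


def implied_flags(observations):
    """For each flag, the other flags present whenever it is present."""
    flag_sets = [decode(obs) for _, _, obs in observations]
    return {flag: set.intersection(*[fs for fs in flag_sets if flag in fs]) - {flag}
            for flag in set().union(*flag_sets)}


if __name__ == "__main__":
    for pair in sorted(map(sorted, exclusive_pairs(OBSERVED))):
        print("never together:", " & ".join(pair))
    for flag, implied in sorted(implied_flags(OBSERVED).items()):
        print(f"{flag} always with {sorted(implied)}")
```

Pairs involving a flag that never appears in any observation (here CS_PLATFORM_BINARY) are left out, since absence alone says nothing about exclusion.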