Aleksei Kulaev flatz

amfid-allow

This script hooks into macOS amfid to grant restricted entitlements to selected executables. Tested on macOS 15.4.

Prerequisites

Only disabling Debugging Restrictions (ALLOW_TASK_FOR_PID) is required and other SIP restrictions can be left enabled:

Getting serial on modern Macs

Modern devices default to serial output over DockChannel by default, which is why macvdmtool serial doesn't work. In order to use legacy UART:

On the target device:

Disable SIP
Disable boot-arg filtering
Set the following boot args:

serial=3 (or serial=7 or whatever)

BIND 9 Cache Poisoning via Unsolicited Answer Records (CVE-2025-40778)

Overview

A vulnerable BIND 9 resolver (version 9.18.39) accepts and caches resource records that were not requested in the original DNS query. An off-path attacker who can race or spoof responses may inject forged address data into the resolver cache. Once poisoned, subsequent clients are redirected to attacker-controlled infrastructure without triggering fresh lookups. The issue is tracked as CVE-2025-40778 and carries a published CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

Affected Software

Product: BIND 9 recursive resolver
Version tested: 9.18.39 (affected)
Known affected ranges:
9.11.0 – 9.16.50

Syscall Provider

Background

SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.

	#!/usr/bin/env bash

	# Bash script to complile LLVM

	# @hoyhoy
	# 11/18/2025

	# Installs to /opt/llvm-${LLVM_VERSION} i.e. /opt/llvm-21.1.6
	# and then symbolically link /opt/llvm-latest to /opt/llvm-21.1.6

	# Note
	# I am using Raspberry pi 4 to send CEC commands
	# /dev/cec1 is pi's second HDMI port
	# '4' is PS5 address that TV assigned, change if you need

	# Turn on PS5 (You need to enable "Power off Link" at PS5 HDMI settings to turn on from rest mode)
	cec-ctl -d /dev/cec1 --to 4 --user-control-pressed ui-cmd=power-on-function

	# Turn on PS5 from rest mode (When you didn't enable "Power off Link" at PS5 HDMI settings)
	cec-ctl -d /dev/cec1 --to 4 --user-control-pressed ui-cmd=power-toggle-function

	#!/usr/bin/env python3
	import sys
	import json
	import requests
	import feedparser
	import re

	BUG_ID = sys.argv[1] if len(sys.argv) > 1 else None
	if not BUG_ID or not BUG_ID.isdigit():
	print("Usage: python3 chrome-bug-commit-tracker.py <bug_id>")


	// color1 and color2 are R4G4B4 12bit RGB color values, alpha is 0-255
	uint16_t blend_12bit( uint16_t color1, uint16_t color2, uint8_t alpha ) {
	uint64_t c1 = (uint64_t) color1;
	uint64_t c2 = (uint64_t) color2;
	uint64_t a = (uint64_t)( alpha >> 4 );
	// bit magic to alpha blend R G B with single mul
	c1 = ( c1 \| ( c1 << 12 ) ) & 0x0f0f0f;
	c2 = ( c2 \| ( c2 << 12 ) ) & 0x0f0f0f;
	uint32_t o = ( ( ( ( c2 - c1 ) * a ) >> 4 ) + c1 ) & 0x0f0f0f;

	//
	// ViewController.m
	// JBDetectTest
	//
	// Created by seo on 3/27/25.
	//

	#import "ViewController.h"
	#import <dlfcn.h>

	S3_3_c4_c5_0 at min EL0: DSPSR
	S3_3_c4_c5_1 at min EL0: DLR
	S3_6_c4_c0_0 at min EL3: SPSR_EL3
	S3_6_c4_c0_1 at min EL3: ELR_EL3
	S3_1_c0_c0_0 at min EL1: CCSIDR_EL1
	S3_6_c1_c0_0 at min EL3: SCTLR_EL3
	S3_6_c1_c0_1 at min EL3: ACTLR_EL3
	S3_6_c1_c1_2 at min EL3: CPTR_EL3
	S3_6_c1_c1_0 at min EL3: SCR_EL3
	S3_6_c1_c3_1 at min EL3: MDCR_EL3