XPoCe - library to intercept and dump XPC messages

Postby morpheus » Thu Feb 02, 2017 8:00 pm

q.v. http://NewOSXBook.com/tools/XPoCe.html

Plenty more to come :-) Be patient.
morpheus
Site Admin
 
Posts: 521
Joined: Thu Apr 11, 2013 6:24 pm

Re: XPoCe - library to intercept and dump XPC messages

Postby backendbilly » Fri Feb 03, 2017 3:28 am

Thank you. Just in time when I need to snoop on securityd :)
backendbilly
Site Admin
 
Posts: 130
Joined: Fri May 29, 2015 5:58 pm

Re: XPoCe - library to intercept and dump XPC messages

Postby backendbilly » Fri Feb 03, 2017 4:23 am

I tried it on securityd by adding the following under /System/Library/LaunchDaemons/com.apple.securityd.plist

<key>EnvironmentVariables</key>
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/usr/lib/XPoCe.dylib</string>
</dict>


I tried on iPhone 7 running iOS 10.1.1 and iPhone 6s running 9.3.3. Couldn't get any output under /tmp. I guess I fit the criteria of force injection.
backendbilly
Site Admin
 
Posts: 130
Joined: Fri May 29, 2015 5:58 pm
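As an added example (not part of the thread or of XPoCe itself), a small Python check that flags launchd job plists carrying dyld injection variables, the same EnvironmentVariables mechanism used above; the embedded sample plist is constructed, and the scan_dir helper and the inclusion of DYLD_LIBRARY_PATH / DYLD_FRAMEWORK_PATH alongside DYLD_INSERT_LIBRARIES are the example's own choices.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Constructed sample: a LaunchDaemon plist with a dylib injected into securityd
# through EnvironmentVariables, shaped like the snippet in the post above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.securityd</string>
    <key>ProgramArguments</key>
    <array><string>/usr/libexec/securityd</string></array>
    <key>EnvironmentVariables</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/usr/lib/XPoCe.dylib</string>
    </dict>
</dict>
</plist>
"""

# dyld variables that alter which code a launchd job loads (assumed list).
DYLD_VARS = ("DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH")


def injected_libraries(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Return {env_var: [paths]} for dyld variables set in a job plist."""
    job = plistlib.loads(plist_bytes)
    env = job.get("EnvironmentVariables") or {}
    found: Dict[str, List[str]] = {}
    for var in DYLD_VARS:
        value = env.get(var)
        if isinstance(value, str) and value:
            # dyld variables hold colon-separated path lists.
            found[var] = [p for p in value.split(":") if p]
    return found


def describe(plist_bytes: bytes) -> str:
    """One-line summary: job label plus any injection variables found."""
    label = plistlib.loads(plist_bytes).get("Label", "<no Label>")
    hits = injected_libraries(plist_bytes)
    if not hits:
        return f"{label}: no dyld injection variables"
    return f"{label}: " + "; ".join(f"{k}={','.join(v)}" for k, v in hits.items())


def scan_dir(directory: str) -> Dict[str, str]:
    """Summarise every *.plist under a LaunchDaemons/LaunchAgents directory."""
    results: Dict[str, str] = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            results[str(path)] = describe(path.read_bytes())
        except Exception as exc:  # unreadable or malformed plist
            results[str(path)] = f"parse error: {exc}"
    return results


if __name__ == "__main__":
    print(describe(SAMPLE_PLIST))
```

Run `scan_dir("/Library/LaunchDaemons")` or `scan_dir("/System/Library/LaunchDaemons")` to review a live host; any hit outside your own test setup warrants a closer look.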

Re: XPoCe - library to intercept and dump XPC messages

Postby backendbilly » Fri Feb 03, 2017 4:46 am

Works fine on macOS using your example.
backendbilly
Site Admin
 
Posts: 130
Joined: Fri May 29, 2015 5:58 pm

Re: XPoCe - library to intercept and dump XPC messages

Postby backendbilly » Sun Feb 05, 2017 7:40 am

Caveat: as of 9.2.x for some value of x launchd refuses this variable. But there's a clever workaround I'm not sure I can share here because AAPL might plug it.


J, I'm quoting from a different post and I'm assuming using DYLD_INSERT_LIBRARIES won't work on daemons because of that. Do you have any information on this so-called force injection and manual interposing?

Billy
backendbilly
Site Admin
 
Posts: 130
Joined: Fri May 29, 2015 5:58 pm

Re: XPoCe - library to intercept and dump XPC messages

Postby morpheus » Tue Feb 07, 2017 10:44 pm

Yes; you'd have to use my injector sample (old, but good) from http://newosxbook.com/src.jl?tree=listi ... e=inject.c in order to inject XPoCe, but then, since you lose the automatic interposing and many symbols are in the cache, you'd need to patch the symbols yourself (much like fishhook does). It takes special care. I'm working on a pro version of XPoCe that does just that (since coreruption does that anyway), but it will likely not be open source (I mean, seriously, it's a lot of work).
morpheus
Site Admin
 
Posts: 521
Joined: Thu Apr 11, 2013 6:24 pm

Re: XPoCe - library to intercept and dump XPC messages

Postby elist » Wed Jun 21, 2017 9:33 am

Trying the same thing on iOS 10.1.1 + yalu102.
When trying to replace '/Developer/Library/LaunchDaemons/com.apple.testmanagerd.plist' I get "Read-only file system".

Is this an issue with how yalu patches things? Can I re-mount or work around it?
elist
 
Posts: 13
Joined: Wed Mar 16, 2016 9:05 am

Re: XPoCe - library to intercept and dump XPC messages

Postby elist » Wed Jun 21, 2017 10:04 am

Ok, just figured it is actually the Developer Disk Image mounted by Xcode...
I will try to edit the DDI, fake sign it and remount via ifuse.
elist
 
Posts: 13
Joined: Wed Mar 16, 2016 9:05 am
