
XPoCe - library to intercept and dump XPC messages

Posted: Thu Feb 02, 2017 8:00 pm
by morpheus
q.v. http://NewOSXBook.com/tools/XPoCe.html

Plenty more to come :-) Be patient.

Re: XPoCe - library to intercept and dump XPC messages

Posted: Fri Feb 03, 2017 3:28 am
by backendbilly
Thank you. Just in time when I need to snoop on securityd :)

Re: XPoCe - library to intercept and dump XPC messages

Posted: Fri Feb 03, 2017 4:23 am
by backendbilly
I tried it on securityd by adding the following under /System/Library/LaunchDaemons/com.apple.securityd.plist

Code:

   <key>EnvironmentVariables</key>
   <dict>
      <key>DYLD_INSERT_LIBRARIES</key>
      <string>/usr/lib/XPoCe.dylib</string>
   </dict>


I tried on iPhone 7 running iOS 10.1.1 and iPhone 6s running 9.3.3. Couldn't get any output under /tmp. I guess I fit the criteria of force injection.
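
An audit check for the launchd setting shown in the post above, added here as an example and not part of the original thread: it parses job definitions and reports every DYLD_* environment variable they set. The label com.example.daemon, the program path and the function names are constructed for illustration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample job definition: the EnvironmentVariables entry is the one
# from the post; the label and program path are hypothetical.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
   <key>Label</key>
   <string>com.example.daemon</string>
   <key>ProgramArguments</key>
   <array><string>/usr/libexec/exampled</string></array>
   <key>EnvironmentVariables</key>
   <dict>
      <key>DYLD_INSERT_LIBRARIES</key>
      <string>/usr/lib/XPoCe.dylib</string>
      <key>LANG</key>
      <string>C</string>
   </dict>
</dict>
</plist>
"""

def dyld_env_findings(plist_bytes):
    """Return (label, variable, value) for each DYLD_* variable a job sets."""
    job = plistlib.loads(plist_bytes)  # handles XML and binary plists
    if not isinstance(job, dict):
        return []
    env = job.get("EnvironmentVariables")
    if not isinstance(env, dict):
        return []
    label = job.get("Label", "<no label>")
    return [(label, k, v) for k, v in sorted(env.items())
            if k.startswith("DYLD_")]

def scan_directory(directory):
    """Scan every *.plist in a directory; unparsable files are reported too."""
    findings, errors = [], []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            findings += [(str(path), *f) for f in dyld_env_findings(path.read_bytes())]
        except (OSError, ValueError, ExpatError) as exc:
            errors.append((str(path), repr(exc)))
    return findings, errors

if __name__ == "__main__":
    for label, var, value in dyld_env_findings(SAMPLE_PLIST):
        print(f"{label}: {var}={value}")
```

Pointing scan_directory at a copy of a LaunchDaemons directory lists each job that sets a DYLD_* variable, along with any file that could not be parsed.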

Re: XPoCe - library to intercept and dump XPC messages

Posted: Fri Feb 03, 2017 4:46 am
by backendbilly
Works fine on macOS using your example.

Re: XPoCe - library to intercept and dump XPC messages

Posted: Sun Feb 05, 2017 7:40 am
by backendbilly
Caveat: as of 9.2.x for some value of x launchd refuses this variable. But there's a clever workaround I'm not sure I can share here because AAPL might plug it.


J, I'm quoting from a different post and I'm assuming using DYLD_INSERT_LIBRARIES won't work on daemons because of that. Do you have any information on this so-called force injection and manual interposing?

Billy

Re: XPoCe - library to intercept and dump XPC messages

Posted: Tue Feb 07, 2017 10:44 pm
by morpheus
Yes; you'd have to use my injector sample (old, but good) from http://newosxbook.com/src.jl?tree=listi ... e=inject.c, in order to inject XPoCe, but then since you lose the automatic interposing and many symbols are in the cache, you'd need to patch the symbols yourself (much like fishhook does). It takes special care. I'm working on a pro version of XPoCe that does just that (since coreruption does that anyway), but it will likely not be open source (I mean, seriously, it's a lot of work).

Re: XPoCe - library to intercept and dump XPC messages

Posted: Wed Jun 21, 2017 9:33 am
by elist
Trying the same thing on iOS 10.1.1 + yalu102.
When trying to replace '/Developer/Library/LaunchDaemons/com.apple.testmanagerd.plist' I get "Read-only file system".

Is this an issue with how yalu patches things? Can I re-mount or work around it?

Re: XPoCe - library to intercept and dump XPC messages

Posted: Wed Jun 21, 2017 10:04 am
by elist
Ok, just figured it is actually the Developer Disk Image mounted by Xcode...
I will try to edit the DDI, fake sign it and remount via ifuse.