These aren't found in the book, but as I continue my exploration of OS X and iOS, I'll add here:
- Guesstalt - A
libMobileGestaltexample for iOS (only), accompanying this article.
- procexp - Process Explorer - for Mac OS X and iOS! This tool attempts to A) replace Apple's terrible top(1) and B) provide as close a level of detail to Mark Russinovich's tool for Windows, though I'm still far off (working on it). This is a text mode, curses driven application (which makes it more useful than Activity Monitor, since it can be run over SSH). It's also runnable as a command line, to pipe for easily grep-able output. Constantly updated for new features I find in OS X 10.11 and iOS9. Includes WiFi signal strength indicator! You can move your iDevice or Mac around and ProcExp automatically shows and updates your connected SSID and RSSI)
Latest feature (10/02/15): Customizable display, Updated network statistics, power management
Process chart is fully navigable (with up-down arrow keys), sortable (with left-right and 'r' keys), configurale (with shift and left-right keys, or '-' to remove column), and hitting <enter> will provide more detail on each process.
- jurpleConsole - a clone of Apple's purple_console tool, used to connect from your Mac to services on the i-Device (jailbroken or not) via lockdownd using the private MobileDevice.framework. The service started on the device is syslog_relay (from /usr/libexec). Source code is here
Book extra content
- Chapter 3: FileMon - a tool presented in Chapter 3, to demonstrate the functionality of the FSEvents formerly documented interface. Apple now wraps this with the FSEventStream abstraction, but if you want the low level C code, you now have the original in here, and a universal binary (with the updated source) in here. As simple as the tool is, it is just as invaluable, since you can peek behind the scenes what iOS Daemons are doing! It will look something like this:
- Chapter 4: JTool (Mach-O Analyzer)
jtool is a drop in replacement for
otool(1), nm(1), strings(1), and
segedit(1). It also has functionality not found in any of these tools, like a quick search for a binary string in file and memory simultaneously. The tool is undergoing constant revisions, and the latest one includes a custom disassembler with limited emulation functionality. Unlike otool and its Apple-supplied ilk, it won't break on "unknown load commands". Now also in a Linux ELF64 version.
For example, consider:
Pretty darn useful, especially now that iOS 6 uses PC-relative addresses and no longer has DCDs (which confuses IDA..). Also resolves symbols, and parses import tables, etc. Effectively replaces and extends Apple's own tools, including nm, dyldinfo, and pagestuff - all in one.
- Chapter 5: Stack Snapshot
System call #365 is an undocumented, but really useful method to dump the stack backtraces of all threads in OS X and iOS, including kernel threads. OS X still contains
/usr/libexec/stackshot, though Apple has removed it from iOS. This tool, which is a beefed up version of listing 5-2 in the book, returns the stackshot functionality to iOS, and along the way demonstrates both how to call syscalls directly (using syscall) as well as some work with sysctl(2). I have provided the source code
- Chapter 6: Imagine iOS images make heavy use of the IMG3 format. This tool can dump the various fields of a decrypted IMG3 file, and in particular can display the device tree files pertaining to various i-Devices. I have provided the source code for this
- Chapter 8: Joker
This tool (which shares some logic with the JTool) is custom designed for OS X and iOS kernels. It offers such features as automatically finding the Mach Trap Table and System Call Table (sysent) in the kernel - invaluable in the case of iOS, wherein these are hidden. You can also get an idea of
sysctl(2)MIBs exported by the kernel. The beta version also allows you to extract kexts from the kernelcache, as well as symbolify (by editing the Mach-O LC_[D]SYMTAB)
Joker now has its own page
- Chapter 12: vmmap(1) for iOS
This is a simple implementation of
vmmap(1)for iOS, based loosely on GDB's
macx_info_regions()function. I wrote this because (a) it's not included in any Cydia package I saw and (b) it's darn useful! Note, this will need the entitlements listed in chapter 3, since it relies on
task_for_pid(). This binary is also available in source form version, and forms the basis for the corerupt tool.
- Chapter 16: HFSleuth Completely revised from the book, now as an interactive tool for OS X, iOS, and even Linux! (yep - on raw devices or DMG files only, though!). This tool enables you to explore the HFS+ B-Trees (attributes and catalog) interactively. Since I'm rewriting this (faced some iOS-related bugs which I have now resolved) I've been forced to square one, and still need to readd the cool functionality - such as fragmentation info, undelete, and low-level file access. So check this space often! Now supports DMG files, as well as pulling files from DMGs. Now comes with its own manual page. HFSleuth will not need root privileges when working on DMGs.
- Chapter 17: lsock
Using the poorly documented
com.apple.network.statistics PF_SYSTEMprovider, you can get real time notifications of socket activity - much like Windows TCPView from SysInternals. This simple tool blocks until socket activity is registered, and displays it in a
Example: Output 17-3 from the book, running lsock on iOS (and catching apsd red-handed):
Since then, I've added a full screen (curses) interface and colors, making the tool a whole lot more useful:
The binary supplied is a universal one (i.e. both Intel and ARM), but you can also get the source and compile it yourself. For full screen support on iOS, you will need to copy /usr/share/terminfo from OS X.
- Chapter 18: JKextStat for iOS
This simple, but efficient
kextstat(8)replacement is the first tool to provide this much needed functionality on iOS. The tool can be used as the normal kextstat on OS X is, but can also output and XML dump, and (beta) a graph based view of all kernel extension dependencies. This binary is also available in source form version.