FortiGuard Labs How-To Guide for Threat Researchers

I have recently been engaged in deep security research on macOS for FortiGuard Labs focused on the discovery and analysis of IPC vulnerabilities. In this blog, I uncover the XPC internal data types to help researchers (myself included) not only quickly analyze the root causes of XPC vulnerabilities, but also assist with deep analysis of exploits targeted at those vulnerabilities.

XPC is the enhanced IPC framework used in macOS/iOS. Since its introduction in version 10.7/5.0, its use has exploded. XPC has a fairly large undocumented portion of its functionality, which includes its implementation (the main project libxpc, for example, is closed source). XPC provides public APIs on two levels: the low level and the Foundation wrappers. In this blog, we only focus on the low-level APIs, which are direct exports of xpc_* functions from libxpc.dylib. The APIs themselves are divided into an object API and a transport API. XPC provides its own data types through libxpc.dylib.

```python
# Hopper Disassembler script (Python 2 syntax, as in the original); run it inside Hopper.
def get_last2instructions_addr(seg, x):
    # Return the two instructions immediately preceding address x.
    last1ins_addr = seg.getInstructionStart(x - 1)
    last2ins_addr = seg.getInstructionStart(last1ins_addr - 1)
    last2ins = seg.getInstructionAtAddress(last2ins_addr)
    last1ins = seg.getInstructionAtAddress(last1ins_addr)
    print hex(last2ins_addr), last2ins.getInstructionString(), last2ins.getRawArgument(0), last2ins.getRawArgument(1)
    print hex(last1ins_addr), last1ins.getInstructionString(), last1ins.getRawArgument(0), last1ins.getRawArgument(1)
    return last2ins, last1ins

print 'Demonstrating XPC object sizes using a Hopper disassembler\'s python script'
# doc, seg and the loop header did not survive on the page; reconstructed here as assumptions.
doc = Document.getCurrentDocument()
seg = doc.getSegmentByName('__TEXT')
_xpc_base_create_addr = doc.getAddressForName('_xpc_base_create')
eachxrefs = seg.getReferencesOfAddress(_xpc_base_create_addr)
xpc_object_sizes_dict = {}
for x in eachxrefs:
    last2ins, last1ins = get_last2instructions_addr(seg, x)
    # Assumption: p_entry_addr is the entry point of the procedure containing the call site.
    p_entry_addr = seg.getProcedureAtAddress(x).getEntryPoint()
    pname = seg.getNameAtAddress(p_entry_addr)
    x_symbol = pname + '+' + hex(x - p_entry_addr)
    ins0 = seg.getInstructionAtAddress(x - 5)
    ins1 = seg.getInstructionAtAddress(x - 12)
    # Match "mov esi, <size>" followed by "lea rdi, <type>" right before the call.
    if last2ins.getInstructionString() == 'mov' and last1ins.getInstructionString() == 'lea':
        if last2ins.getRawArgument(0) == 'esi' and last1ins.getRawArgument(0) == 'rdi':
            # Assumption: the object size is the source operand of the mov into esi.
            xpcObj_len = last2ins.getRawArgument(1)
            indirect_addr = int(last1ins.getRawArgument(1), 16)
            callerinfo = '_xpc_base_create(' + doc.getNameAtAddress(indirect_addr) + ',' + xpcObj_len + ') '
            # Group call sites by the (type, size) pair passed to _xpc_base_create.
            if callerinfo not in xpc_object_sizes_dict.keys():
                xpc_object_sizes_dict[callerinfo] = '#from ' + x_symbol
            else:
                xpc_object_sizes_dict[callerinfo] = xpc_object_sizes_dict[callerinfo] + ',' + x_symbol
```