
FortiGuard Labs How-To Guide for Threat Researchers

I have recently been engaged in deep security research on macOS for FortiGuard Labs focused on the discovery and analysis of IPC vulnerabilities.

XPC is the enhanced IPC framework used in macOS/iOS. Since its introduction in version 10.7/5.0, its use has exploded. XPC has a fairly large undocumented portion of its functionality, which includes its implementation (the main project, libxpc, for example, is closed source). In this blog, I uncover the XPC internal data types to help researchers (myself included) not only quickly analyze the root causes of XPC vulnerabilities, but also to assist with deep analysis of exploits targeting those vulnerabilities.

XPC provides public APIs on two levels: the low level and the Foundation wrappers. In this blog, we only focus on the low level APIs, which are direct exports of xpc_* functions from libxpc.dylib. XPC provides its own data types through libxpc.dylib. The APIs themselves are divided into an object API and a transport API.

Every XPC object is allocated through the internal function _xpc_base_create(type, size), so the size of each object type can be read off its call sites: the two instructions preceding each call load the type descriptor into rdi and the object size into esi. The following Hopper script (Hopper is a binary disassembler, decompiler and debugger for 32-bit and 64-bit executables, scriptable in Python 2) walks every cross-reference to _xpc_base_create in libxpc.dylib and recovers that pair. Lines marked "assumed" were not recoverable from the extracted page and were supplied to make the script run as written.

```python
# Hopper Disassembler Python script: enumerate every call site of _xpc_base_create
# and recover the (type, size) argument pair from the two instructions before the call.

def get_last2instructions_addr(seg, x):
    # Walk back from the call at x to the two preceding instruction boundaries.
    last1ins_addr = seg.getInstructionStart(x - 1)
    last2ins_addr = seg.getInstructionStart(last1ins_addr - 1)
    last1ins = seg.getInstructionAtAddress(last1ins_addr)
    last2ins = seg.getInstructionAtAddress(last2ins_addr)
    print hex(last2ins_addr), last2ins.getInstructionString(), last2ins.getRawArgument(0), last2ins.getRawArgument(1)
    print hex(last1ins_addr), last1ins.getInstructionString(), last1ins.getRawArgument(0), last1ins.getRawArgument(1)
    return last2ins, last1ins

print ' Demonstrating XPC object sizes using a Hopper disassembler\'s python script'
doc = Document.getCurrentDocument()            # assumed: Hopper's current document
seg = doc.getSegmentByName('__TEXT')           # assumed: code segment of libxpc.dylib
_xpc_base_create_addr = doc.getAddressForName('_xpc_base_create')
eachxrefs = seg.getReferencesOfAddress(_xpc_base_create_addr)
xpc_object_sizes_dict = {}                     # assumed: initialised before the loop

for x in eachxrefs:
    last2ins, last1ins = get_last2instructions_addr(seg, x)
    # Fixed-offset variant kept from the original; unused once instruction walking works:
    # ins0 = seg.getInstructionAtAddress(x - 5)
    # ins1 = seg.getInstructionAtAddress(x - 12)
    p_entry_addr = seg.getProcedureAtAddress(x).getEntryPoint()   # assumed: enclosing procedure
    pname = seg.getNameAtAddress(p_entry_addr)
    x_symbol = pname + '+' + hex(x - p_entry_addr)

    xpcObj_len = None
    indirect_addr = None
    # rdi = type descriptor, esi = object size; the compiler may emit the two
    # argument loads in either order, so both orders are matched.
    if last2ins.getInstructionString() == 'mov' and last1ins.getInstructionString() == 'lea':
        if last2ins.getRawArgument(0) == 'esi' and last1ins.getRawArgument(0) == 'rdi':
            xpcObj_len = last2ins.getRawArgument(1)
            indirect_addr = int(last1ins.getRawArgument(1), 16)
    elif last2ins.getInstructionString() == 'lea' and last1ins.getInstructionString() == 'mov':
        if last2ins.getRawArgument(0) == 'rdi' and last1ins.getRawArgument(0) == 'esi':
            xpcObj_len = last1ins.getRawArgument(1)
            indirect_addr = int(last2ins.getRawArgument(1), 16)
    elif last2ins.getInstructionString() == 'lea' and last1ins.getInstructionString() == 'lea':
        # Size computed with lea into rsi; the raw operand text is kept as the size.
        if last2ins.getRawArgument(0) == 'rsi' and last1ins.getRawArgument(0) == 'rdi':
            xpcObj_len = last2ins.getRawArgument(1)
            indirect_addr = int(last1ins.getRawArgument(1), 16)
        elif last2ins.getRawArgument(0) == 'rdi' and last1ins.getRawArgument(0) == 'rsi':   # assumed: second operand order
            xpcObj_len = last1ins.getRawArgument(1)
            indirect_addr = int(last2ins.getRawArgument(1), 16)

    if xpcObj_len is None or indirect_addr is None:
        continue                               # assumed: skip call sites that match no pattern

    callerinfo = '_xpc_base_create(' + doc.getNameAtAddress(indirect_addr) + ',' + xpcObj_len + ') '
    if callerinfo not in xpc_object_sizes_dict.keys():
        xpc_object_sizes_dict[callerinfo] = '#from ' + x_symbol
    else:
        xpc_object_sizes_dict[callerinfo] = xpc_object_sizes_dict[callerinfo] + ',' + x_symbol
    #xpc_object_sizes_list.append(callerinfo)

for callerinfo in sorted(xpc_object_sizes_dict.keys()):   # assumed: emit the collected table
    print callerinfo, xpc_object_sizes_dict[callerinfo]
```
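The pattern matcher at the heart of the Hopper script can be checked without a disassembler. The block below is an added example, not code from the FortiGuard post or from Hopper: it replaces the Hopper Instruction object with a small constructed class exposing the same two methods, and the symbol names, addresses and sizes in the sample call sites are constructed values, not measurements of libxpc. It goes slightly beyond the script by matching on the destination register alone (so either operand order is handled by one rule) and by rejecting instruction pairs that are not argument loads.

```python
"""Offline check of the _xpc_base_create argument-recovery pattern (added example)."""
from collections import OrderedDict


class Instruction:
    """Constructed stand-in for the two Hopper Instruction methods the script uses."""

    def __init__(self, mnemonic, *args):
        self.mnemonic = mnemonic
        self.args = args

    def getInstructionString(self):
        return self.mnemonic

    def getRawArgument(self, i):
        return self.args[i] if i < len(self.args) else ''


# x86-64 SysV calling convention: rdi carries the type descriptor, esi the size.
TYPE_REG = 'rdi'
SIZE_REG = 'esi'


def recover_args(last2, last1):
    """Return (type_addr, size) from the two instructions before a call to
    _xpc_base_create, or None when they do not form the expected pattern.
    Operand order does not matter; unrelated instruction pairs yield None."""
    loads = {}
    for ins in (last2, last1):
        mnem = ins.getInstructionString()
        dst = ins.getRawArgument(0)
        if mnem == 'lea' and dst == TYPE_REG:
            loads['type'] = int(ins.getRawArgument(1), 16)
        elif mnem == 'mov' and dst == SIZE_REG:
            loads['size'] = int(ins.getRawArgument(1), 16)
    if 'type' in loads and 'size' in loads:
        return loads['type'], loads['size']
    return None


def collect_object_sizes(call_sites, names):
    """call_sites: list of (caller_symbol, last2, last1); names: addr -> symbol.
    Groups callers under the recovered (type, size) pair, like xpc_object_sizes_dict."""
    table = OrderedDict()
    for caller, last2, last1 in call_sites:
        found = recover_args(last2, last1)
        if found is None:
            continue  # not an argument-load pair; e.g. a tail of a different call sequence
        type_addr, size = found
        key = '_xpc_base_create(%s, %d)' % (names.get(type_addr, hex(type_addr)), size)
        table.setdefault(key, []).append(caller)
    return table


# Constructed sample: fake descriptor addresses, sizes and four call sites,
# including one (the push/mov pair) that must be rejected.
SAMPLE_NAMES = {0x1000: '__xpc_type_dictionary', 0x1010: '__xpc_type_string'}
SAMPLE_SITES = [
    ('_xpc_dictionary_create+0x1a',
     Instruction('mov', 'esi', '0x58'), Instruction('lea', 'rdi', '0x1000')),
    ('_xpc_dictionary_create_reply+0x2c',
     Instruction('lea', 'rdi', '0x1000'), Instruction('mov', 'esi', '0x58')),
    ('_xpc_string_create+0x11',
     Instruction('mov', 'esi', '0x28'), Instruction('lea', 'rdi', '0x1010')),
    ('_some_helper+0x40',
     Instruction('push', 'rbp'), Instruction('mov', 'rbp', 'rsp')),
]

if __name__ == '__main__':
    for key, callers in collect_object_sizes(SAMPLE_SITES, SAMPLE_NAMES).items():
        print(key, '#from', ','.join(callers))
```

Running it prints one line per (type, size) pair with the callers that share it, which is the same grouping the Hopper script builds; swapping the sample instructions for ones read from a real binary is the only change needed to use it as a cross-check of the script's output.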
