https://github.com/hot3eed/xpcspy

Bidirectional XPC message interception and more. Powered by Frida
https://github.com/hot3eed/xpcspy

frida ios macos xnu xpc

Last synced: about 2 months ago
JSON representation

Bidirectional XPC message interception and more. Powered by Frida

• Host: GitHub
• URL: https://github.com/hot3eed/xpcspy
• Owner: hot3eed
• License: apache-2.0
• Created: 2020-11-04T18:46:00.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2022-11-09T15:31:26.000Z (almost 2 years ago)
• Last Synced: 2024-07-05T15:35:44.468Z (3 months ago)
• Topics: frida, ios, macos, xnu, xpc
• Language: TypeScript
• Homepage:
• Size: 453 KB
• Stars: 371
• Watchers: 11
• Forks: 47
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# xpcspy - Bidirectional XPC message interception and more

## Features:

* Bidirectional XPC message interception.

* iOS and macOS support.

* `bplist00`, and the infamous `bplist15` [deserialization].

* Filter by message direction (incoming or outgoing) and service name.

* More to come?

## Showcase

```

Usage: xpcspy [options] target

Options:

  --version             show program's version number and exit

  -h, --help            show this help message and exit

  -D ID, --device=ID    connect to device with the given ID

  -U, --usb             connect to USB device

  -R, --remote          connect to remote frida-server

  -H HOST, --host=HOST  connect to remote frida-server on HOST

  -f FILE, --file=FILE  spawn FILE

  -F, --attach-frontmost

                        attach to frontmost application

  -n NAME, --attach-name=NAME

                        attach to NAME

  -p PID, --attach-pid=PID

                        attach to PID

  --stdio=inherit|pipe  stdio behavior when spawning (defaults to “inherit”)

  --aux=option          set aux option when spawning, such as “uid=(int)42”

                        (supported types are: string, bool, int)

  --runtime=qjs|v8      script runtime to use

  --debug               enable the Node.js compatible script debugger

  --squelch-crash       if enabled, will not dump crash report to console

  -O FILE, --options-file=FILE

                        text file containing additional command line options

  -t FILTER, --filter=FILTER

                        Filter by message direction and service name. 'i'

                        denotes incoming and 'o' denotes outgoing. Service

                        name can include the wildcard character '*'. For

                        exmaple 'i:com.apple.*' or 'o:com.apple.apsd'.

  -r, --parse           Parse XPC dictionary keys that include `bplist` data.

                        Currently `bplist00` and `bplist16` are officially

                        supported, while `bplist15` and `bplist17` support is

                        still experimental..

  -d, --print-date      Print a current timestamp before every XPC message

```

![screenshot_1.png](assets/screenshot_1.png)

## Installation

`pip3 install xpcspy`

## TODO:

* Deserialize data within the parsed `bplist`s recursively.

* Improve script loading performance, kinda slow for some reason.

* Add an option to get the address, perhaps ASLR adjusted, for the XPC event handler, by spawning the process and hooking `xpc_connection_set_event_handler`.

* Add fancy colors.

* More pretty printing?

## FAQ 

* Why are you reinventing the [wheel]?

    * I'm not; XPoCe doesn't intercept incoming messages, and doesn't support `bplist00` or `bplist15`. 

    `

## License

[Apache License 2.0](LICENSE)

[wheel]: http://newosxbook.com/tools/XPoCe2.html

[deserialization]: http://newosxbook.com/bonus/bplist.pdf