xpcspy's Introduction

xpcspy - Bidirectional XPC message interception and more

Features:

Bidirectional XPC message interception.
iOS and macOS support.
bplist00, and the infamous bplist15 deserialization.
Filter by message direction (incoming or outgoing) and service name.
More to come?

Showcase

Usage: xpcspy [options] target

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -D ID, --device=ID    connect to device with the given ID
  -U, --usb             connect to USB device
  -R, --remote          connect to remote frida-server
  -H HOST, --host=HOST  connect to remote frida-server on HOST
  -f FILE, --file=FILE  spawn FILE
  -F, --attach-frontmost
                        attach to frontmost application
  -n NAME, --attach-name=NAME
                        attach to NAME
  -p PID, --attach-pid=PID
                        attach to PID
  --stdio=inherit|pipe  stdio behavior when spawning (defaults to “inherit”)
  --aux=option          set aux option when spawning, such as “uid=(int)42”
                        (supported types are: string, bool, int)
  --runtime=qjs|v8      script runtime to use
  --debug               enable the Node.js compatible script debugger
  --squelch-crash       if enabled, will not dump crash report to console
  -O FILE, --options-file=FILE
                        text file containing additional command line options
  -t FILTER, --filter=FILTER
                        Filter by message direction and service name. 'i'
                        denotes incoming and 'o' denotes outgoing. Service
                        name can include the wildcard character '*'. For
                        exmaple 'i:com.apple.*' or 'o:com.apple.apsd'.
  -r, --parse           Parse XPC dictionary keys that include `bplist` data.
                        Currently `bplist00` and `bplist16` are officially
                        supported, while `bplist15` and `bplist17` support is
                        still experimental..
  -d, --print-date      Print a current timestamp before every XPC message

Installation

pip3 install xpcspy

TODO:

Deserialize data within the parsed bplists recursively.
Improve script loading performance, kinda slow for some reason.
Add an option to get the address, perhaps ASLR adjusted, for the XPC event handler, by spawning the process and hooking xpc_connection_set_event_handler.
Add fancy colors.
More pretty printing?

FAQ

Why are you reinventing the wheel?
- I'm not; XPoCe doesn't intercept incoming messages, and doesn't support bplist00 or bplist15. `

License

Apache License 2.0

xpcspy's People

Contributors

Stargazers

Watchers

xpcspy's Issues

Failed to attach: unable to access process with pid 82928 from the current user account

I tried with sudo, but still not working for me.

xpcspy com.apple.dt.SKAgent
# or
xpcspy -p 82928

Bumping frida

Hi there and thanks for the project.
Can you bump frida? I tried to do it without a great success, some errors occur on my build process.

Fails to run since `optparse` is deprecated

Currently xpcspy fails with the following stack trace.

linden@lindens-mbp xpcspy % xpcspy Messages
Traceback (most recent call last):
  File "/opt/homebrew/bin/xpcspy", line 8, in <module>
    sys.exit(main())
  File "/opt/homebrew/lib/python3.9/site-packages/xpcspy/console/cli.py", line 45, in main
    app = XPCSpyApplication()
  File "/opt/homebrew/lib/python3.9/site-packages/frida_tools/application.py", line 140, in __init__
    self._add_options(parser)
  File "/opt/homebrew/lib/python3.9/site-packages/xpcspy/console/cli.py", line 16, in _add_options
    parser.add_option('-t', '--filter',
AttributeError: 'ArgumentParser' object has no attribute 'add_option'

Looks like optparse was deprecated in python 3.2 (now 3.9) and frida_tools has followed suite and moved to argsparse.

Personally don't write a lot of python but I have a PR ready.

Recommend Projects