knightsc/CoreServicesUIAgentClient.m

## CoreServicesUIAgentClient.m
//
//  main.m
//
//  Created by Scott Knight on 12/12/19.
//  Copyright © 2019 Scott Knight. All rights reserved.
//

#import <Foundation/Foundation.h>
#import <os/log.h>

@interface _LSRemoteOpenCall : NSObject <NSSecureCoding>

+ (BOOL)supportsSecureCoding;
+ (BOOL)canInvokeLocally;
+ (void)invokeWithXPCConnection:(id)arg1 object:(id)arg2;
- (id)initWithCoder:(id)arg1;
- (void)encodeWithCoder:(id)arg1;
- (void)getOutAppWasLaunched:(char *)arg1;
- (void)getOutAppURL:(id *)arg1;
- (void)getOutPSNs:(struct ProcessSerialNumber *)arg1;
- (BOOL)invokeWithError:(id *)arg1;
- (BOOL)invokeWithXPCConnection:(id)arg1 error:(id *)arg2;
- (void)setInPSNCount:(unsigned long long)arg1;
- (void)setInOptions2:(id)arg1;
- (void)setInAnnotations:(const struct AEDesc *)arg1;
//- (void)setInAppParams:(const struct LSApplicationParameters_V1 *)arg1;
- (void)setInAEParam:(const struct AEKeyDesc *)arg1;
- (void)setInRoleMask:(unsigned int)arg1;
- (void)setInURLs:(struct __CFArray *)arg1;
- (id)initWithXPCConnection:(id)arg1;
- (id)init;

@end

xpc_connection_t _LSAgentGetConnection() {
    static xpc_connection_t agentConnection;
    static dispatch_once_t onceToken;

    dispatch_once(&onceToken, ^{
        agentConnection = xpc_connection_create_mach_service("com.apple.coreservices.quarantine-resolver", NULL, 0);
        xpc_connection_set_event_handler(agentConnection, ^(xpc_object_t  _Nonnull object) {
            // Do nothing
        });
        xpc_connection_resume(agentConnection);
    });

    return agentConnection;
}

void send_message(xpc_object_t dict) {
    xpc_connection_t agentConnection = _LSAgentGetConnection();
    if (agentConnection != NULL) {
        if (dict) {
            xpc_object_t reply = xpc_connection_send_message_with_reply_sync(agentConnection, dict);
            if (xpc_get_type(reply) == XPC_TYPE_DICTIONARY) {
                int64_t status = xpc_dictionary_get_int64(reply, "com.apple.coreservices.uiagent.status");
                os_log(OS_LOG_DEFAULT, "com.apple.coreservices.uiagent.status %lli", status);
            } else {
                char *reply_description = xpc_copy_description(reply);
                NSLog([NSString stringWithUTF8String:reply_description]);
            }
        }
    }
}

void send_quarantine_message() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x1);

        AuthorizationRef authorization;
        AuthorizationExternalForm authExt;

        AuthorizationCreate(NULL, NULL, kAuthorizationFlagInteractionAllowed, &authorization);
        AuthorizationMakeExternalForm(authorization, &authExt);
        NSData *auth = CFBridgingRelease(CFDataCreate(kCFAllocatorDefault, (UInt8 *)authExt.bytes, sizeof(authExt)));

        NSArray *array = @[@{
            @"LSQAllowUnsigned" : @0,
            @"LSQAppPSN" : @843982,
            @"LSQAppPath" : @"/Users/fakeuser/Downloads/tool/tool",
            @"LSQAuthorization" : auth,
            @"LSQItemSandboxExtensions" : @{},
            @"LSQRiskCategory" : @"LSRiskCategoryUnsafeExecutable"
        }];

        CFPropertyListRef plist = (__bridge CFArrayRef)(array);
        CFDataRef data = CFPropertyListCreateData(kCFAllocatorDefault, plist, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
        const UInt8 *pData = CFDataGetBytePtr(data);
        CFIndex dataLength = CFDataGetLength(data);


        xpc_dictionary_set_data(dict, "data", pData, dataLength);
        xpc_dictionary_set_uint64(dict, "flags", 0x1); // What should this really be?
        xpc_dictionary_set_uint64(dict, "firstLaunchPSN", 0x1);

        // Apple Events related parameters
        // xpc_dictionary_set_data(dict, "aeParam.descContent", *(_QWORD *)v316, *(_QWORD *)v332);
        // xpc_dictionary_set_uint64(dict, "aeParam.descKey", *v187);

        send_message(dict);
    }
}

void send_launch_error() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x2);

        NSDictionary *nsdict = @{
            @"Action" : @"GURL",
            @"ErrorCode" : @-1200,
            @"AppPath" : @"/Users/fakeuser/Downloads/tool/tool",
            @"AppMimimumSystemVersion" : @"10.14",
            @"AppMaximumSystemVersion" : @"10.15"
        };

        CFPropertyListRef plist = (__bridge CFDictionaryRef)(nsdict);
        CFDataRef data = CFPropertyListCreateData(kCFAllocatorDefault, plist, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
        const UInt8 *pData = CFDataGetBytePtr(data);
        CFIndex dataLength = CFDataGetLength(data);

        xpc_dictionary_set_data(dict, "data", pData, dataLength);

        send_message(dict);
    }
}

void send_open() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x3);

        Class class = NSClassFromString(@"_LSRemoteOpenCall");
        _LSRemoteOpenCall *call = [[class alloc] init];

        NSURL *file = [NSURL fileURLWithPath:@"/System/Applications/Calculator.app"];
        NSURL *url = [NSURL URLWithString:@"https://www.google.com"];
        [call setInURLs:(__bridge CFArrayRef)@[file]];

        NSError *error;
        NSData *data = [NSKeyedArchiver archivedDataWithRootObject:call requiringSecureCoding:YES error:&error];

        xpc_dictionary_set_data(dict, "call", data.bytes, data.length);

        send_message(dict);
    }
}

void send_check_access() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x5);

        xpc_dictionary_set_string(dict, "path", "/Users/fakeuser/Downloads/tool/tool");

        send_message(dict);
    }
}

void send_get_display_name() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x7);

        xpc_dictionary_set_string(dict, "path", "/System/Applications/Calculator.app");

        // Missing preferred localizations returns a status of -10810
        // Not clear on what the localization string below is or what it's used for
        xpc_dictionary_set_value(dict, "com.apple.coreservices.uiagent.localizations", nil);

        send_message(dict);
    }
}

void send_change_default_handler() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x8);

        xpc_dictionary_set_string(dict, "scheme", "someweirdscheme");
        xpc_dictionary_set_string(dict, "bundleidentifier", "com.test");
        xpc_dictionary_set_string(dict, "bundleversion", "1.0.1");
        xpc_dictionary_set_bool(dict, "remove", 0);

        send_message(dict);
    }
}

void send_recommended_safari_handler() {
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    if (dict) {
        xpc_dictionary_set_int64(dict, "cmd", 0x9);

        send_message(dict);
    }
}

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        send_launch_error();
    }

    return 0;
}
	//
	// main.m
	//
	// Created by Scott Knight on 12/12/19.
	// Copyright © 2019 Scott Knight. All rights reserved.
	//

	#import <Foundation/Foundation.h>
	#import <os/log.h>

	@interface _LSRemoteOpenCall : NSObject <NSSecureCoding>

	+ (BOOL)supportsSecureCoding;
	+ (BOOL)canInvokeLocally;
	+ (void)invokeWithXPCConnection:(id)arg1 object:(id)arg2;
	- (id)initWithCoder:(id)arg1;
	- (void)encodeWithCoder:(id)arg1;
	- (void)getOutAppWasLaunched:(char *)arg1;
	- (void)getOutAppURL:(id *)arg1;
	- (void)getOutPSNs:(struct ProcessSerialNumber *)arg1;
	- (BOOL)invokeWithError:(id *)arg1;
	- (BOOL)invokeWithXPCConnection:(id)arg1 error:(id *)arg2;
	- (void)setInPSNCount:(unsigned long long)arg1;
	- (void)setInOptions2:(id)arg1;
	- (void)setInAnnotations:(const struct AEDesc *)arg1;
	//- (void)setInAppParams:(const struct LSApplicationParameters_V1 *)arg1;
	- (void)setInAEParam:(const struct AEKeyDesc *)arg1;
	- (void)setInRoleMask:(unsigned int)arg1;
	- (void)setInURLs:(struct __CFArray *)arg1;
	- (id)initWithXPCConnection:(id)arg1;
	- (id)init;

	@end

	xpc_connection_t _LSAgentGetConnection() {
	static xpc_connection_t agentConnection;
	static dispatch_once_t onceToken;

	dispatch_once(&onceToken, ^{
	agentConnection = xpc_connection_create_mach_service("com.apple.coreservices.quarantine-resolver", NULL, 0);
	xpc_connection_set_event_handler(agentConnection, ^(xpc_object_t _Nonnull object) {
	// Do nothing
	});
	xpc_connection_resume(agentConnection);
	});

	return agentConnection;
	}

	void send_message(xpc_object_t dict) {
	xpc_connection_t agentConnection = _LSAgentGetConnection();
	if (agentConnection != NULL) {
	if (dict) {
	xpc_object_t reply = xpc_connection_send_message_with_reply_sync(agentConnection, dict);
	if (xpc_get_type(reply) == XPC_TYPE_DICTIONARY) {
	int64_t status = xpc_dictionary_get_int64(reply, "com.apple.coreservices.uiagent.status");
	os_log(OS_LOG_DEFAULT, "com.apple.coreservices.uiagent.status %lli", status);
	} else {
	char *reply_description = xpc_copy_description(reply);
	NSLog([NSString stringWithUTF8String:reply_description]);
	}
	}
	}
	}

	void send_quarantine_message() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x1);

	AuthorizationRef authorization;
	AuthorizationExternalForm authExt;

	AuthorizationCreate(NULL, NULL, kAuthorizationFlagInteractionAllowed, &authorization);
	AuthorizationMakeExternalForm(authorization, &authExt);
	NSData auth = CFBridgingRelease(CFDataCreate(kCFAllocatorDefault, (UInt8 )authExt.bytes, sizeof(authExt)));

	NSArray *array = @[@{
	@"LSQAllowUnsigned" : @0,
	@"LSQAppPSN" : @843982,
	@"LSQAppPath" : @"/Users/fakeuser/Downloads/tool/tool",
	@"LSQAuthorization" : auth,
	@"LSQItemSandboxExtensions" : @{},
	@"LSQRiskCategory" : @"LSRiskCategoryUnsafeExecutable"
	}];

	CFPropertyListRef plist = (__bridge CFArrayRef)(array);
	CFDataRef data = CFPropertyListCreateData(kCFAllocatorDefault, plist, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
	const UInt8 *pData = CFDataGetBytePtr(data);
	CFIndex dataLength = CFDataGetLength(data);


	xpc_dictionary_set_data(dict, "data", pData, dataLength);
	xpc_dictionary_set_uint64(dict, "flags", 0x1); // What should this really be?
	xpc_dictionary_set_uint64(dict, "firstLaunchPSN", 0x1);

	// Apple Events related parameters
	// xpc_dictionary_set_data(dict, "aeParam.descContent", (_QWORD )v316, (_QWORD )v332);
	// xpc_dictionary_set_uint64(dict, "aeParam.descKey", *v187);

	send_message(dict);
	}
	}

	void send_launch_error() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x2);

	NSDictionary *nsdict = @{
	@"Action" : @"GURL",
	@"ErrorCode" : @-1200,
	@"AppPath" : @"/Users/fakeuser/Downloads/tool/tool",
	@"AppMimimumSystemVersion" : @"10.14",
	@"AppMaximumSystemVersion" : @"10.15"
	};

	CFPropertyListRef plist = (__bridge CFDictionaryRef)(nsdict);
	CFDataRef data = CFPropertyListCreateData(kCFAllocatorDefault, plist, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
	const UInt8 *pData = CFDataGetBytePtr(data);
	CFIndex dataLength = CFDataGetLength(data);

	xpc_dictionary_set_data(dict, "data", pData, dataLength);

	send_message(dict);
	}
	}

	void send_open() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x3);

	Class class = NSClassFromString(@"_LSRemoteOpenCall");
	_LSRemoteOpenCall *call = [[class alloc] init];

	NSURL *file = [NSURL fileURLWithPath:@"/System/Applications/Calculator.app"];
	NSURL *url = [NSURL URLWithString:@"https://www.google.com"];
	[call setInURLs:(__bridge CFArrayRef)@[file]];

	NSError *error;
	NSData *data = [NSKeyedArchiver archivedDataWithRootObject:call requiringSecureCoding:YES error:&error];

	xpc_dictionary_set_data(dict, "call", data.bytes, data.length);

	send_message(dict);
	}
	}

	void send_check_access() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x5);

	xpc_dictionary_set_string(dict, "path", "/Users/fakeuser/Downloads/tool/tool");

	send_message(dict);
	}
	}

	void send_get_display_name() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x7);

	xpc_dictionary_set_string(dict, "path", "/System/Applications/Calculator.app");

	// Missing preferred localizations returns a status of -10810
	// Not clear on what the localization string below is or what it's used for
	xpc_dictionary_set_value(dict, "com.apple.coreservices.uiagent.localizations", nil);

	send_message(dict);
	}
	}

	void send_change_default_handler() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x8);

	xpc_dictionary_set_string(dict, "scheme", "someweirdscheme");
	xpc_dictionary_set_string(dict, "bundleidentifier", "com.test");
	xpc_dictionary_set_string(dict, "bundleversion", "1.0.1");
	xpc_dictionary_set_bool(dict, "remove", 0);

	send_message(dict);
	}
	}

	void send_recommended_safari_handler() {
	xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
	if (dict) {
	xpc_dictionary_set_int64(dict, "cmd", 0x9);

	send_message(dict);
	}
	}

	int main(int argc, const char * argv[]) {
	@autoreleasepool {
	send_launch_error();
	}

	return 0;
	}