Created
December 24, 2019 16:49
-
-
Save knightsc/a22967814423934ef4e7a3f3c235dd11 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// | |
// main.m | |
// | |
// Created by Scott Knight on 12/12/19. | |
// Copyright © 2019 Scott Knight. All rights reserved. | |
// | |
#import <Foundation/Foundation.h> | |
#import <os/log.h> | |
@interface _LSRemoteOpenCall : NSObject <NSSecureCoding> | |
+ (BOOL)supportsSecureCoding; | |
+ (BOOL)canInvokeLocally; | |
+ (void)invokeWithXPCConnection:(id)arg1 object:(id)arg2; | |
- (id)initWithCoder:(id)arg1; | |
- (void)encodeWithCoder:(id)arg1; | |
- (void)getOutAppWasLaunched:(char *)arg1; | |
- (void)getOutAppURL:(id *)arg1; | |
- (void)getOutPSNs:(struct ProcessSerialNumber *)arg1; | |
- (BOOL)invokeWithError:(id *)arg1; | |
- (BOOL)invokeWithXPCConnection:(id)arg1 error:(id *)arg2; | |
- (void)setInPSNCount:(unsigned long long)arg1; | |
- (void)setInOptions2:(id)arg1; | |
- (void)setInAnnotations:(const struct AEDesc *)arg1; | |
//- (void)setInAppParams:(const struct LSApplicationParameters_V1 *)arg1; | |
- (void)setInAEParam:(const struct AEKeyDesc *)arg1; | |
- (void)setInRoleMask:(unsigned int)arg1; | |
- (void)setInURLs:(struct __CFArray *)arg1; | |
- (id)initWithXPCConnection:(id)arg1; | |
- (id)init; | |
@end | |
xpc_connection_t _LSAgentGetConnection() { | |
static xpc_connection_t agentConnection; | |
static dispatch_once_t onceToken; | |
dispatch_once(&onceToken, ^{ | |
agentConnection = xpc_connection_create_mach_service("com.apple.coreservices.quarantine-resolver", NULL, 0); | |
xpc_connection_set_event_handler(agentConnection, ^(xpc_object_t _Nonnull object) { | |
// Do nothing | |
}); | |
xpc_connection_resume(agentConnection); | |
}); | |
return agentConnection; | |
} | |
void send_message(xpc_object_t dict) { | |
xpc_connection_t agentConnection = _LSAgentGetConnection(); | |
if (agentConnection != NULL) { | |
if (dict) { | |
xpc_object_t reply = xpc_connection_send_message_with_reply_sync(agentConnection, dict); | |
if (xpc_get_type(reply) == XPC_TYPE_DICTIONARY) { | |
int64_t status = xpc_dictionary_get_int64(reply, "com.apple.coreservices.uiagent.status"); | |
os_log(OS_LOG_DEFAULT, "com.apple.coreservices.uiagent.status %lli", status); | |
} else { | |
char *reply_description = xpc_copy_description(reply); | |
NSLog([NSString stringWithUTF8String:reply_description]); | |
} | |
} | |
} | |
} | |
void send_quarantine_message() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x1); | |
AuthorizationRef authorization; | |
AuthorizationExternalForm authExt; | |
AuthorizationCreate(NULL, NULL, kAuthorizationFlagInteractionAllowed, &authorization); | |
AuthorizationMakeExternalForm(authorization, &authExt); | |
NSData *auth = CFBridgingRelease(CFDataCreate(kCFAllocatorDefault, (UInt8 *)authExt.bytes, sizeof(authExt))); | |
NSArray *array = @[@{ | |
@"LSQAllowUnsigned" : @0, | |
@"LSQAppPSN" : @843982, | |
@"LSQAppPath" : @"/Users/fakeuser/Downloads/tool/tool", | |
@"LSQAuthorization" : auth, | |
@"LSQItemSandboxExtensions" : @{}, | |
@"LSQRiskCategory" : @"LSRiskCategoryUnsafeExecutable" | |
}]; | |
CFPropertyListRef plist = (__bridge CFArrayRef)(array); | |
CFDataRef data = CFPropertyListCreateData(kCFAllocatorDefault, plist, kCFPropertyListBinaryFormat_v1_0, 0, NULL); | |
const UInt8 *pData = CFDataGetBytePtr(data); | |
CFIndex dataLength = CFDataGetLength(data); | |
xpc_dictionary_set_data(dict, "data", pData, dataLength); | |
xpc_dictionary_set_uint64(dict, "flags", 0x1); // What should this really be? | |
xpc_dictionary_set_uint64(dict, "firstLaunchPSN", 0x1); | |
// Apple Events related parameters | |
// xpc_dictionary_set_data(dict, "aeParam.descContent", *(_QWORD *)v316, *(_QWORD *)v332); | |
// xpc_dictionary_set_uint64(dict, "aeParam.descKey", *v187); | |
send_message(dict); | |
} | |
} | |
void send_launch_error() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x2); | |
NSDictionary *nsdict = @{ | |
@"Action" : @"GURL", | |
@"ErrorCode" : @-1200, | |
@"AppPath" : @"/Users/fakeuser/Downloads/tool/tool", | |
@"AppMimimumSystemVersion" : @"10.14", | |
@"AppMaximumSystemVersion" : @"10.15" | |
}; | |
CFPropertyListRef plist = (__bridge CFDictionaryRef)(nsdict); | |
CFDataRef data = CFPropertyListCreateData(kCFAllocatorDefault, plist, kCFPropertyListBinaryFormat_v1_0, 0, NULL); | |
const UInt8 *pData = CFDataGetBytePtr(data); | |
CFIndex dataLength = CFDataGetLength(data); | |
xpc_dictionary_set_data(dict, "data", pData, dataLength); | |
send_message(dict); | |
} | |
} | |
void send_open() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x3); | |
Class class = NSClassFromString(@"_LSRemoteOpenCall"); | |
_LSRemoteOpenCall *call = [[class alloc] init]; | |
NSURL *file = [NSURL fileURLWithPath:@"/System/Applications/Calculator.app"]; | |
NSURL *url = [NSURL URLWithString:@"https://www.google.com"]; | |
[call setInURLs:(__bridge CFArrayRef)@[file]]; | |
NSError *error; | |
NSData *data = [NSKeyedArchiver archivedDataWithRootObject:call requiringSecureCoding:YES error:&error]; | |
xpc_dictionary_set_data(dict, "call", data.bytes, data.length); | |
send_message(dict); | |
} | |
} | |
void send_check_access() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x5); | |
xpc_dictionary_set_string(dict, "path", "/Users/fakeuser/Downloads/tool/tool"); | |
send_message(dict); | |
} | |
} | |
void send_get_display_name() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x7); | |
xpc_dictionary_set_string(dict, "path", "/System/Applications/Calculator.app"); | |
// Missing preferred localizations returns a status of -10810 | |
// Not clear on what the localization string below is or what it's used for | |
xpc_dictionary_set_value(dict, "com.apple.coreservices.uiagent.localizations", nil); | |
send_message(dict); | |
} | |
} | |
void send_change_default_handler() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x8); | |
xpc_dictionary_set_string(dict, "scheme", "someweirdscheme"); | |
xpc_dictionary_set_string(dict, "bundleidentifier", "com.test"); | |
xpc_dictionary_set_string(dict, "bundleversion", "1.0.1"); | |
xpc_dictionary_set_bool(dict, "remove", 0); | |
send_message(dict); | |
} | |
} | |
void send_recommended_safari_handler() { | |
xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0); | |
if (dict) { | |
xpc_dictionary_set_int64(dict, "cmd", 0x9); | |
send_message(dict); | |
} | |
} | |
int main(int argc, const char * argv[]) { | |
@autoreleasepool { | |
send_launch_error(); | |
} | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment