Skip to content
/ xpcspy Public

Bidirectional XPC message interception and more. Powered by Frida

License

Apache-2.0 license
396 stars 52 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hot3eed/xpcspy

2 Branches5 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

hot3eedhot3eed
v0.8.3
Aug 14, 2022
5d49d01 · Aug 14, 2022

History

101 Commits
agent
agent
Aug 14, 2022
assets
assets
Nov 9, 2020
xpcspy
xpcspy
Aug 14, 2022
.gitignore
.gitignore
Sep 25, 2021
LICENSE
LICENSE
Nov 9, 2020
MANIFEST.in
MANIFEST.in
Nov 9, 2020
Makefile
Makefile
Nov 9, 2020
README.md
README.md
Oct 4, 2021
requirements.txt
requirements.txt
Aug 14, 2022
setup.py
setup.py
Nov 9, 2020
xpcspy-dev-runner.py
xpcspy-dev-runner.py
Nov 10, 2020

Repository files navigation

xpcspy - Bidirectional XPC message interception and more

Features:

  • Bidirectional XPC message interception.
  • iOS and macOS support.
  • bplist00, and the infamous bplist15 deserialization.
  • Filter by message direction (incoming or outgoing) and service name.
  • More to come?

Showcase

Usage: xpcspy [options] target

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -D ID, --device=ID    connect to device with the given ID
  -U, --usb             connect to USB device
  -R, --remote          connect to remote frida-server
  -H HOST, --host=HOST  connect to remote frida-server on HOST
  -f FILE, --file=FILE  spawn FILE
  -F, --attach-frontmost
                        attach to frontmost application
  -n NAME, --attach-name=NAME
                        attach to NAME
  -p PID, --attach-pid=PID
                        attach to PID
  --stdio=inherit|pipe  stdio behavior when spawning (defaults to “inherit”)
  --aux=option          set aux option when spawning, such as “uid=(int)42”
                        (supported types are: string, bool, int)
  --runtime=qjs|v8      script runtime to use
  --debug               enable the Node.js compatible script debugger
  --squelch-crash       if enabled, will not dump crash report to console
  -O FILE, --options-file=FILE
                        text file containing additional command line options
  -t FILTER, --filter=FILTER
                        Filter by message direction and service name. 'i'
                        denotes incoming and 'o' denotes outgoing. Service
                        name can include the wildcard character '*'. For
                        exmaple 'i:com.apple.*' or 'o:com.apple.apsd'.
  -r, --parse           Parse XPC dictionary keys that include `bplist` data.
                        Currently `bplist00` and `bplist16` are officially
                        supported, while `bplist15` and `bplist17` support is
                        still experimental..
  -d, --print-date      Print a current timestamp before every XPC message

screenshot_1.png

Installation

pip3 install xpcspy

TODO:

  • Deserialize data within the parsed bplists recursively.
  • Improve script loading performance, kinda slow for some reason.
  • Add an option to get the address, perhaps ASLR adjusted, for the XPC event handler, by spawning the process and hooking xpc_connection_set_event_handler.
  • Add fancy colors.
  • More pretty printing?

FAQ

  • Why are you reinventing the wheel?
    • I'm not; XPoCe doesn't intercept incoming messages, and doesn't support bplist00 or bplist15. `

License

Apache License 2.0

About

Bidirectional XPC message interception and more. Powered by Frida

Topics

macos ios frida xpc xnu

Resources

Readme

License

Apache-2.0 license
Activity

Stars

396 stars

Watchers

10 watching

Forks

52 forks
Report repository

Releases 5

v0.8.3 Latest
Aug 14, 2022
+ 4 releases

Packages

No packages published

Contributors 7

Languages