A Mach-O object file is a file format used for executables, libraries, object code, and core dumps. These are binary files. There’s a Mach-O header and then load commands and segments of up to 255 sections with references to symbols encoded into objects and symbol names. Many of those symbols are APIs that Apple makes available that the code uses. We can see those APIs by extracting a list of symbols, but not really the logic underlying it. Tools like Hopper Disassembler can be used to look at these files and extract symbols, or a command like nm. Per the man page of nm, “nm displays the name list (symbol…
-
-
macOS Script To List System Extensions And Their State
Yesterday I posted https://krypted.com/mac-security/script-to-list-extensions-running-on-a-mac/ to scriptify some research on App Extensions and System Extensions. I mentioned that it’s also possible to loop through /Applications or /Applications/Utilities and look for any .systemextension bundles (which includes network extensions as those are .networkextension.systemextension – and ultimately they’re all kinda’ auxiliary kext’s ‘even though’cause kexts are bad – but I digress). So here’s a script that loops through the file hierarchy supplied by $1 and then checks any found against systemextensionsctl to make sure they’re running: https://github.com/krypted/extensionslist/blob/main/systemextensions.sh In action, here are a couple of outputs of what it can look like. Per developer documentation (and with a little experience writing them), the two locations…
-
Script to List Extensions Running on a Mac
I wrote an article about extensions on macOS a few weeks ago, and have since written a couple of other extensions. The interesting thing about modern extensions is that different types of extensions can live in different places on a file system, become instantiated in different ways or with different mechanisms, and due to the way message traverse XPC, operate in very different ways. The tools Apple has made available make it possible to see what’s running are primarily geared towards protecting privacy. This leaves a small gap for those interested more in securing machines and preventing exfiltration. There isn’t a single binary that can provide a simple listing of…
-
Bouncing Files From Classic Macs To Ventura
I recently had two or three different projects that involved taking files from classic Apple computers and getting them up to modern Apple hardware; notably to my MacBook that runs Ventura. A few things make this a challenge. Let’s start with the file system on disks: If a volume (usually a floppy) has an HFS filesystem then it can be mounted on some Macs without much fanfare, but not the latest. There is a collection of hfs tools that can be used to mount HFS on a Mac from Bob Leslie, at https://www.mars.org/home/rob/proj/hfs/. These can easily be installed through homebrew if that’s on a computer: brew install hfsutils From there,…
-
ASCII Banners on macOS
There’s a cute little command in /usr/bin/banner to produce… ASCII art banners. Since it’s the holiday season, let’s make a greeting ready to be printed and taped over someone’s monitors: banner -w 100 “Happy Holidays” Change the 100 to a smaller integer to make it smaller or a larger to make it, er, larger.
-
Use networkQuality for Simple Bandwidth Tests on Mac
macOS has a built-in, simple bandwidth analysis tool that tests access to Apple’s CDN to check upload and download speeds. The /usr/bin/networkQuality command can be run with no flags and will produce output that appears as follows: /usr/bin/networkQuality ==== SUMMARY ==== Uplink capacity: 7.259 Mbps Downlink capacity: 157.597 Mbps Responsiveness: Low (118 RPM) Idle Latency: 56.333 milliseconds networkQuality can also bind to a specific port, useful in testing devices that might have multiple interfaces. To do that, use the -I flag: networkQuality -I en0 Finally, to parse the output to just see the floating point result of a given field, we can pip it into awk, so for upload we’d…
-
Create Disk Images of Floppy, CD, DVD, or Disk Storage To Recover Data On A Mac
We’re going to make a disk image of a floppy in this article. Before we start it’s best to use what we call a write blocker. These are devices that can block the ability to write to a volume. This prevents accidentally erasing potentially sensitive information. The Wiebetech https://wiebetech.com/products/usb-3-1-writeblocker/ works with the Mac but ymmv. There are also software tools like Mac Forensics Lab, but many require someone be in law enforcement to buy all or part of. There are also a few tools out on the old GitHub that can be used to kill and track the disk arbitration daemon that attempts to mount volumes. Next, run diskutil with…
-
Swift, Shells In The 1960s, And Some Swift Scripting Examples For Admins
The reason Ken Thompson wrote the Thompson Shell (/bin/sh) when he and the team at Bell Labs developed Unix was that they didn’t want to have to teach programming to people in the patent office, who funded the PDP they used to write Unix. Shell environments evolved over the years with tcsh, bash, and zsh to name a few. These added more concepts from programming environments, like the environment from C that the binaries they exposed were compiled in. Other languages emerged that were simpler than a language like C but added new techniques – and so perl, python, ruby, and others evolved. Some of those were either object-oriented from…
-
Interact With Shortcuts Via Scripts
The /usr/bin/shortcuts command can be used to run, well, shortcuts. Shortcuts are small scripts that are interpreted by the Shortcuts app. They can run shell scripts, JavaScripts, and even SSH into other hosts to fire off more complex automations. These can be fairly complex automations programmatically by importing shortcuts from the Gallery of those Apple provides. This allows for what might not even be a possible atomic operation to run and daisy chain scripts to provide input or output to shortcuts. The scripting might be considered dangerous and so is disabled by default. To enable scripts to be run from a shortcut, open the Shortcuts app and select Settings from…
-
Use The Shazam Binary To Capture Signatures Of Audio Tracks In Batches
One of my favorite moments at Apple’s WWDC was when I got to see the developers of Shazam show off their new creation. A few years later, in 2017, Apple acquired Shazam. In the few years since, they have released ShazamKit, an API that Apple documented at https://developer.apple.com/documentation/shazamkit. ShazamKit allows independent developers to harness the abilities of Shazam to create their own audio pattern-matching services. One small part of Shazam is important in that it’s the input the powerful signature analysis capabilities of the platform. This is fed by .shazamsignature files that can be captured and then compared to other signatures. The APIs are integral to developing apps that can…