A Mach-O object file is a file format used for executables, libraries, object code, and core dumps. These are binary files. There’s a Mach-O header and then load commands and segments of up to 255 sections with references to symbols encoded into objects and symbol names. Many of those symbols are APIs that Apple makes available that the code uses. We can see those APIs by extracting a list of symbols, but not really the logic underlying it. Tools like Hopper Disassembler can be used to look at these files and extract symbols, or a command like nm. Per the man page of nm, “nm displays the name list (symbol…
-
macOS Script To List System Extensions And Their State
Yesterday I posted https://krypted.com/mac-security/script-to-list-extensions-running-on-a-mac/ to scriptify some research on App Extensions and System Extensions. I mentioned that it’s also possible to loop through /Applications or /Applications/Utilities and look for any .systemextension bundles (which includes network extensions, as those are .networkextension.systemextension, and ultimately they’re all kinda auxiliary kexts, ’cause kexts are bad, but I digress). So here’s a script that loops through the file hierarchy supplied by $1 and then checks any found against systemextensionsctl to make sure they’re running: https://github.com/krypted/extensionslist/blob/main/systemextensions.sh In action, here are a couple of examples of what its output can look like. Per developer documentation (and with a little experience writing them), the two locations…
-
Script to List Extensions Running on a Mac
I wrote an article about extensions on macOS a few weeks ago, and have since written a couple of other extensions. The interesting thing about modern extensions is that different types of extensions can live in different places on a file system, become instantiated in different ways or with different mechanisms, and, due to the way messages traverse XPC, operate in very different ways. The tools Apple has made available to see what’s running are primarily geared towards protecting privacy. This leaves a small gap for those interested more in securing machines and preventing exfiltration. There isn’t a single binary that can provide a simple listing of…
-
Interact With Shortcuts Via Scripts
The /usr/bin/shortcuts command can be used to run, well, shortcuts. Shortcuts are small scripts that are interpreted by the Shortcuts app. They can run shell scripts, JavaScripts, and even SSH into other hosts to fire off more complex automations. Fairly complex automations can be built programmatically by importing shortcuts from the Gallery that Apple provides. This allows an operation that might not be possible as a single atomic step to run, and lets scripts be daisy-chained to provide input or output to shortcuts. The scripting might be considered dangerous and so is disabled by default. To enable scripts to be run from a shortcut, open the Shortcuts app and select Settings from…
-
Use crypt_and_hash to Encrypt Files From A Shell On macOS
One of the packages that can be installed with homebrew is mbedtls, which gives access to a number of cryptographic libraries. To install mbedtls: brew install mbedtls Encrypting a file is then fairly straightforward. Call crypt_and_hash and use a 0 in the first positional parameter to encrypt a file or a 1 to decrypt. Then provide the path to the file in the second position (mac.json in this example), the target file name in the third (mac.aes in the example), the cipher in the fourth (CAMELLIA-256-CBC in the example command), the digest in the fifth (SHA1 here), and the key to encrypt the information in the sixth (hex:ABCD123456789 in this example): crypt_and_hash 0 mac.json mac.aes CAMELLIA-256-CBC SHA1 hex:ABCD123456789…
-
Get Telemetry on App and System Extensions in macOS
Application extensions allow developers to import common SDKs into projects so they can build increasingly interesting apps without developing a lot of code for the things vendors expose. The Apple extensions typically allow a developer to bring in various Apple libraries and then call them in their code. For example, com.apple.quicklook.thumbnail is used to produce thumbnails in Quick Look; therefore Apple apps like iBooks and Shortcuts, and any 3rd party developer like MindNode that wants to use Quick Look, can provide a known and therefore somewhat seamless user experience. Click on Privacy & Security in System Preferences, then Extensions, then Quick Look to see the non-Apple apps that use the…
-
Removing Extensions Cruft from macOS
Extensions have gotten a pretty substantial overhaul over the past few years. Traditionally, a kernel extension (or kext for short) would usually be located in /Library/Extensions or /System/Library/Extensions and have a file extension (no pun intended) of .kext. Apple began to move away from Kernel Extensions and towards more purpose-built extensions, which included System Extensions, located at /Library/SystemExtensions. Apple also introduced a number of new extension types that reside in application bundles. An app can load the extension and developers get those features “for free” rather than writing their own code to do what they once had to do with Kernel Extensions. To remove Extensions, Apple has introduced the Extensions…
-
Configure Amazon SNS for Mac and iOS APNs Development
Amazon SNS makes implementing Apple Push Notifications (APNs) a breeze. This might seem like a longer article but it’s really not as many steps as it seems (although buttons on web pages move around a lot, so ymmv for specific words in button names). There are a few main steps that we’ll go through: creating a cert in Keychain, generating a Push Notifications cert with the appropriate bundle ID and team ID, and adding an application instance. Notice that these are different for Mac and iOS, so if doing both, use iOS, and if doing one for each, use the appropriate entry. Create a Cert in Keychain: First, we’ll create a…
-
Can’t Schedule Reboots in Ventura: Mac Observer’s Gotcha
I was talking to Jeff Butts at Mac Observer yesterday and he mentioned something I hadn’t noticed: macOS Ventura removes the option to schedule an automatic reboot from the graphical interface. I actually went back a version and couldn’t find it there. I guess since I don’t have servers I hadn’t noticed this oversight. Or I guess it’s more emblematic that it’s not an oversight, it’s how the use of the Mac has shifted over the years. The old power management system preference features are still there; Jeff wrote an article on how to use pmset to set the automatic reboot feature at https://www.macobserver.com/tips/how-to/how-to-schedule-your-mac-to-shutdown-or-reboot-in-macos-ventura/. Around 13 years ago, I wrote…
-
Use UTM To Run Virtual Machines of macOS from macOS
UTM is a virtualization tool available on the Mac App Store at https://apps.apple.com/us/app/utm-virtual-machines/id1538878817?mt=12 with a GitHub repository at https://github.com/osy. UTM uses the new Virtualization framework (documented here) from Apple, so it runs the most modern virtualization stack currently available on a Mac. It can also emulate via QEMU system emulation. It can run guest operating systems such as Windows, Linux, etc., emulating RISC, ARM, Intel, etc. Installation from the App Store is easy. Once installed, open the UTM app and click on the plus sign to create a new virtual machine. Here, there are options to Virtualize or Emulate. Given that we’ll be installing a beta OS from Apple for this example,…