Add inspector tool

.github/workflows/Builder.yml

@@ -47,7 +47,10 @@ jobs:
       with:
         token: ${{ secrets.TOKEN }}
         tag: latest
-        body: "A macOS dylib project based on the Dobby Hook framework, aimed at enhancing and extending the functionality of target software."
-        artifacts: "dylib_dobby_hook.tar.gz"
+        body: |
+          A macOS dylib project based on the Dobby Hook framework, aimed at enhancing and extending the functionality of target software.
+
+          ## Latest Commit
+          ${{ github.event.head_commit.message }}        artifacts: "dylib_dobby_hook.tar.gz"
         allowUpdates: true
         replacesArtifacts: true

build.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# xcode build
+# xcodebuild  -scheme dylib_dobby_hook -configuration Release
+
 PROJECT_ROOT=$(pwd)
 BUILD_DIR="$PROJECT_ROOT/cmake-build-release"
 

dylib_dobby_hook.xcodeproj/project.pbxproj

@@ -89,7 +89,6 @@
 		B55407262B653DCB005C08E6 /* NavicatPremiumHack.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = NavicatPremiumHack.m; sourceTree = "<group>"; };
 		B554D7BB2B63F2A300B7EFEA /* DevUtilsHack.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = DevUtilsHack.m; sourceTree = "<group>"; };
 		B56968C62BEA4E2A0022FAC6 /* libdylib_dobby_hook.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; path = libdylib_dobby_hook.dylib; sourceTree = "<group>"; };
-		B56968C72BEA4E4D0022FAC6 /* cmake_debugger.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = cmake_debugger.sh; sourceTree = "<group>"; };
 		B5732BF02C82CD5900EC9E11 /* IDAHack.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IDAHack.m; sourceTree = "<group>"; };
 		B57AEDBA2C5009E400B9C5FB /* forklift_hack.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = forklift_hack.sh; sourceTree = "<group>"; };
 		B57AEDBB2C5009F200B9C5FB /* dtrace_kill.d */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.dtrace; path = dtrace_kill.d; sourceTree = "<group>"; };
@@ -384,7 +383,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "# Apps downloaded from AppStore require root permission to execute\nroot_password=\"363636\"\n\napp_name=\"DevUtils\"  \n# The default is injected into the main program, if you need to customize, please edit the variable inject_bin, otherwise do not touch it\n# inject_bin=\"/Applications/Infuse.app/Contents/Frameworks/Differentiator.framework/Versions/A/Differentiator\"\n# inject_bin=\"/Applications/Surge.app/Contents/Frameworks/MMMarkdown.framework/Versions/A/MMMarkdown\"\n\n\ndylib_name=\"${PRODUCT_NAME}\"\nprefix=\"lib\"\ninsert_dylib=\"${SRCROOT}/tools/insert_dylib\"\n\napp_bundle_path=\"/Applications/${app_name}.app/Contents/MacOS\"\napp_bundle_framework=\"/Applications/${app_name}.app/Contents/Frameworks/\"\n\nif [ -n \"$inject_bin\" ]; then\n    app_executable_path=\"$inject_bin\"\nelse\n    app_executable_path=\"${app_bundle_path}/${app_name}\"\nfi\napp_executable_backup_path=\"${app_executable_path}_Backup\"\n\n\nif [ -w \"/Applications/${app_name}.app\" ]; then\n    echo \"Have the directory write permission\"\nelse\n    echo \"No write permission for the directory\"    \n    echo \"$root_password\" | sudo -S chmod -R 777 \"/Applications/${app_name}.app\"\nfi\n\nif [ ! -d \"$app_bundle_framework\" ]; then\n  mkdir -p \"$app_bundle_framework\"\nfi\n\n\nif [ ! -f \"$app_executable_backup_path\" ]; \nthen\n    cp \"$app_executable_path\" \"$app_executable_backup_path\"\nfi\n\n# cp -f \"${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib\" \"${app_bundle_framework}\"\n\nif [ \"${CONFIGURATION}\" = \"Release\" ]; then\n    cp -f \"${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib\" \"${SRCROOT}/release/${prefix}${dylib_name}.dylib\"\nfi\n\n\"${insert_dylib}\" --weak --all-yes \"${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib\" \"$app_executable_backup_path\" \"$app_executable_path\"\n\n";
+			shellScript = "# If debugging is needed, please remove or comment out the \"exit 0\" line.\n# exit 0\n\n# Apps downloaded from AppStore require root permission to execute\nroot_password=\"363636\"\n\napp_name=\"DevUtils\"  \n# The default is injected into the main program, if you need to customize, please edit the variable inject_bin, otherwise do not touch it\n# inject_bin=\"/Applications/Infuse.app/Contents/Frameworks/Differentiator.framework/Versions/A/Differentiator\"\n# inject_bin=\"/Applications/Surge.app/Contents/Frameworks/MMMarkdown.framework/Versions/A/MMMarkdown\"\n\n\ndylib_name=\"${PRODUCT_NAME}\"\nprefix=\"lib\"\ninsert_dylib=\"${SRCROOT}/tools/insert_dylib\"\n\napp_bundle_path=\"/Applications/${app_name}.app/Contents/MacOS\"\napp_bundle_framework=\"/Applications/${app_name}.app/Contents/Frameworks/\"\n\nif [ -n \"$inject_bin\" ]; then\n    app_executable_path=\"$inject_bin\"\nelse\n    app_executable_path=\"${app_bundle_path}/${app_name}\"\nfi\napp_executable_backup_path=\"${app_executable_path}_Backup\"\n\n\nif [ -w \"/Applications/${app_name}.app\" ]; then\n    echo \"Have the directory write permission\"\nelse\n    echo \"No write permission for the directory\"    \n    echo \"$root_password\" | sudo -S chmod -R 777 \"/Applications/${app_name}.app\"\nfi\n\nif [ ! -d \"$app_bundle_framework\" ]; then\n  mkdir -p \"$app_bundle_framework\"\nfi\n\n\nif [ ! -f \"$app_executable_backup_path\" ]; \nthen\n    cp \"$app_executable_path\" \"$app_executable_backup_path\"\nfi\n\n# cp -f \"${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib\" \"${app_bundle_framework}\"\n\nif [ \"${CONFIGURATION}\" = \"Release\" ]; then\n    cp -f \"${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib\" \"${SRCROOT}/release/${prefix}${dylib_name}.dylib\"\nfi\n\n\"${insert_dylib}\" --weak --all-yes \"${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib\" \"$app_executable_backup_path\" \"$app_executable_path\"\n\n";
 		};
 /* End PBXShellScriptBuildPhase section */
 

dylib_dobby_hook/helpers/ForkLiftHelperHack.m

@@ -37,6 +37,7 @@ - (NSString *)getSupportAppVersion {
 }
 
 
+// Ref: https://book.hacktricks.xyz/v/cn/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization
 - (BOOL)hk_listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
 
     NSLog(@">>>>>> hk_listener");

dylib_dobby_hook/utils/CommonRetOC.h

@@ -27,6 +27,8 @@
 + (id)hook_containerWithIdentifier:identifier;
 + (id)hook_defaultContainer;
 
+- (void)startMonitorInjection:processName;
+
 @end
 
 #endif /* CommonRetOC_h */

dylib_dobby_hook/utils/CommonRetOC.m

@@ -9,6 +9,8 @@
 #import "CommonRetOC.h"
 #import <CloudKit/CloudKit.h>
 #import "MockCKContainer.h"
+#import "common_ret.h"
+
 
 @implementation CommonRetOC
 
@@ -106,4 +108,25 @@ + (id)hook_defaultContainer {
 
 }
 
+
+
+// TODO: 监听进程并执行线程注入
+- (void)startMonitorInjection:processName {
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
+        while (true) {
+            @autoreleasepool {
+//                pid_t pid = [EncryptionUtils getProcessIDByName:processName];
+//                kern_return_t result = inject_dylib(pid, nil);
+//                if (result == KERN_SUCCESS) {
+//                    NSLog(@">>>>>> Successfully injected dylib into process %d", pid);
+//                    return;
+//                } else {
+//                    NSLog(@">>>>>> Failed to inject dylib into process %d", pid);
+//                }
+            }
+            [NSThread sleepForTimeInterval:5.0];  // 每 5 秒检查一次
+        }
+    });
+}
+
 @end

dylib_dobby_hook/utils/EncryptionUtils.h

@@ -32,5 +32,7 @@
 
 + (BOOL)isCodeSignatureValid;
 
++ (pid_t)getProcessIDByName:(NSString *)name;
+
 @end
 #endif /* encryp_utils_h */

dylib_dobby_hook/utils/EncryptionUtils.m

@@ -17,6 +17,7 @@
 #import <CommonCrypto/CommonDigest.h>
 #import <CommonCrypto/CommonCryptor.h>
 #import <CommonCrypto/CommonCrypto.h>
+#import <Cocoa/Cocoa.h>
 
 @implementation EncryptionUtils
 
@@ -482,20 +483,72 @@ + (NSString *)getTextBetween:(NSString *)startText and:(NSString *)endText inStr
     return [inputString substringWithRange:resultRange];
 }
 
+
 + (BOOL)isCodeSignatureValid {
+
     SecCodeRef code = NULL;
     OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &code);
     if (status != errSecSuccess) {
-        NSLog(@">>>>>> Failed to get current app code: %d", (int)status);
+        NSLog(@"[Error] Failed to get current app code: %d", (int)status);
+        return NO;
+    }
+
+    CFDictionaryRef csInfo = NULL;
+    status = SecCodeCopySigningInformation(code, kSecCSSigningInformation, &csInfo);
+    if (status != errSecSuccess) {
+        NSLog(@"[Error] SecCodeCopySigningInformation failed with status = %d", (int)status);
+        if (code) CFRelease(code);
         return NO;
     }
-    status = SecCodeCheckValidity(code, kSecCSDefaultFlags, NULL);
-    if (status == errSecSuccess) {
-        NSLog(@">>>>>> Code signature is valid.");
-    } else {
-        NSLog(@">>>>>> Code signature is invalid: %d", (int)status);
+
+    // 检查签名是否有效
+    SecCSFlags flags = 0;
+    CFNumberRef flagsNumber = (CFNumberRef)CFDictionaryGetValue(csInfo, kSecCodeInfoFlags);
+    if (flagsNumber == NULL) {
+        NSLog(@">>>>>> [Error] kSecCodeInfoFlags is nil");
+        CFRelease(csInfo);
+        CFRelease(code);
+        return NO;
+    }
+
+    CFNumberGetValue(flagsNumber, kCFNumberSInt32Type, &flags);
+    NSLog(@">>>>>> Flags: %d", flags);
+
+    // 常量定义
+    // ref: https://opensource.apple.com/source/xnu/xnu-4903.221.2/osfmk/kern/cs_blobs.h.auto.html
+    const int CS_VALID = 0x00000001;   // 签名是有效的
+    const int CS_RUNTIME = 0x00010000; // 启用了 "hardened runtime" 的应用
+    const int CS_HARD = 0x00000002;    // 强制代码签名（hardened code）
+
+    if (flags & CS_HARD) {
+        NSLog(@">>>>>> App has hardened code signature.");
     }
+
+    if (!(flags & CS_VALID) && !(flags & CS_RUNTIME)) {
+        NSLog(@">>>>>> [Error] App signature is not valid or does not have hardened runtime.");
+        CFRelease(csInfo);
+        CFRelease(code);
+        return NO;
+    }
+
+    NSLog(@">>>>>> Code signature is valid.");
+
+    CFRelease(csInfo);
     CFRelease(code);
-    return (status == errSecSuccess);
+    return YES;
 }
+
+
++ (pid_t)getProcessIDByName:(NSString *)name {
+    NSArray *runningApps = [[NSWorkspace sharedWorkspace] runningApplications];
+    for (NSRunningApplication *app in runningApps) {
+        if ([[app localizedName] isEqualToString:name]) {
+            pid_t pid = [app processIdentifier];
+            NSLog(@">>>>>> pid is %d",pid);
+            return pid;
+        }
+    }
+    return -1; // 进程未找到
+}
+
 @end

dylib_dobby_hook/utils/common_ret.h

@@ -114,4 +114,6 @@ NSString *love69(NSString *input);
 
 //// 声明全局的邮件地址
 //extern char *global_dylib_name;
+int inject_dylib(pid_t pid, const char *lib);
+
 #endif /* common_ret_h */

dylib_dobby_hook/utils/common_ret.m

@@ -151,3 +151,9 @@ OSStatus hk_SecCodeCheckValidityWithErrors(SecCodeRef code, SecCSFlags flags, Se
     return output;
 }
 //char *global_dylib_name = "libdylib_dobby_hook.dylib";
+// 注入函数
+
+int inject_dylib(pid_t pid, const char *lib) {    
+    // Ref: https://juejin.cn/post/7277787934863835171
+    return 0;
+}

tools/Organismo-mac.framework/Headers

@@ -0,0 +1 @@
+Versions/Current/Headers

tools/Organismo-mac.framework/Organismo-mac

@@ -0,0 +1 @@
+Versions/Current/Organismo-mac

tools/Organismo-mac.framework/Resources

@@ -0,0 +1 @@
+Versions/Current/Resources

tools/Organismo-mac.framework/Versions/A/Headers/Organismo.h

@@ -0,0 +1,19 @@
+//
+//  Organismo.h
+//  Organismo
+//
+//  Created by Jon Gabilondo on 12/04/2016.
+//  Copyright © 2016 organismo-mobile. All rights reserved.
+//
+
+#import <UIKit/UIKit.h>
+
+//! Project version number for Organismo.
+FOUNDATION_EXPORT double OrganismoVersionNumber;
+
+//! Project version string for Organismo.
+FOUNDATION_EXPORT const unsigned char OrganismoVersionString[];
+
+// In this header, you should import all the public headers of your framework using statements like #import <Organismo/PublicHeader.h>
+
+

tools/Organismo-mac.framework/Versions/A/Resources/Info.plist

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>BuildMachineOSBuild</key>
+	<string>18F132</string>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleExecutable</key>
+	<string>Organismo-mac</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.organismo-mobile.Organismo</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Organismo-mac</string>
+	<key>CFBundlePackageType</key>
+	<string>FMWK</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleSignature</key>
+	<string>????</string>
+	<key>CFBundleSupportedPlatforms</key>
+	<array>
+		<string>MacOSX</string>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTPlatformBuild</key>
+	<string>11M392r</string>
+	<key>DTPlatformVersion</key>
+	<string>GM</string>
+	<key>DTSDKBuild</key>
+	<string>19A536d</string>
+	<key>DTSDKName</key>
+	<string>macosx10.15</string>
+	<key>DTXcode</key>
+	<string>1100</string>
+	<key>DTXcodeBuild</key>
+	<string>11M392r</string>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.14</string>
+</dict>
+</plist>