Welcome to Part 4 of our Advanced Frida Usage series. In part three of our Frida blog posts, we went over what XPC is, how to use it, and how to intercept it with Frida.
This blog post will discuss how to use XPC tools for this job; some of them are xpcspy and gxpc. The xpcspy tool is already well covered with tutorials, while gxpc is a new tool inspired by xpcspy. It behaves the same as xpcspy with small additions, such as recursively parsing messages (if the dictionary contains another dictionary, it will be parsed as well). Additionally, it supports xpc_connection_set_event_handler, which prints the address of the block implementation.
As with , gxpc supports macOS, Linux and Android. We will use macOS as a host machine. We first need to install and download for our machine.
For our machine, we will download macos-arm64 since we are working on M1 which for the Frida version 16.0.19 is
After downloading the devkit, we will move frida-core.h files to appropriate locations.
Now that we have everything ready, we can run go install github.com/nsecho/gxpc@latest.
How does gxpc work?
gxpc works by using Frida bindings that are written in Go, using frida-go. Frida bindings enable the user to use Frida's functionality from other languages, such as Python, Swift, Node.js, Go, etc. Go can interact with C code using cgo. In order to link frida-go, we need to have the frida-core dynamic libraries installed on the system, as well as the frida-core.h header file, which is included inside the frida-core-devkit that we need to install.
Internally, gxpc traces specific xpc_* functions which we can see inside the source.js file.
We can see the comment Intercept these functions, which immediately tells us what will be done with these variables. It is using the Module.findExportByName API, which we have seen in previous blog posts.
It is then followed by a bunch of functions that are used to extract data out of the dictionary or array, such as
For each of the functions that should be intercepted, Interceptor.attach is called to intercept it. Once these functions are called, the function parseAndSendDictData is called with the function name as the first parameter, xpc_connection_t as the second parameter and xpc_object_t as the third argument.
parseAndSendDictData creates a JSON dictionary and extracts the data out of
send Frida’s function.
Now that we have installed gxpc and gone over how it works, let's connect our iPhone using a USB cable. To confirm that the device is connected, we will use gxpc -l to list devices.
We can see that we have our standard socket devices available as well as newly connected iPhone device of type
By default, gxpc will connect to the USB device if one is connected. We can also attach to the process by name (SpringBoard) or by PID. We also have an option to spawn the binary where the process is resumed once the script is loaded.
We will attach to locationd, which is the primary daemon responsible for location data. To do that, we will use gxpc -n locationd.
After running, we can immediately see a bunch of xpc_dictionary_set_string functions being intercepted. We can blacklist specific connections by using the -b or --blacklist flag for gxpc. In this case, we will blacklist DICT CREATION.
The tool will return a lot of functions being hit. To filter the data further, let's search in the terminal for the string longitude.
We can see that we have found the match inside the bplist17 which is sent using the xpc_connection_send_notification function. The data contains a lot of useful information, such as longitude, latitude, accuracy, etc.
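The blacklist and terminal search above can also be expressed as a structured filter over already-decoded messages, which walks nested dictionaries the same way the recursive parsing does. This is an added example, not gxpc's code: the message shape (fn, connection, data), the connection names and all sample values are constructed assumptions.

```javascript
// Added example: the field names fn/connection/data are assumptions,
// not gxpc's real output format. SAMPLE is constructed data.
const SAMPLE = [
  { fn: 'xpc_dictionary_set_string', connection: 'DICT CREATION',
    data: { longitude: '0' } },
  { fn: 'xpc_connection_send_notification', connection: 'com.example.location',
    data: { kind: 'update',
            payload: { fix: { longitude: 15.97, latitude: 45.81 },
                       history: [{ longitude: 15.9 }] } } },
  { fn: 'xpc_connection_send_message', connection: 'com.example.other',
    data: { state: 'idle' } },
];

// Recursively walk dictionaries and arrays, recording the path of every
// key whose name contains one of the wanted substrings.
function findKeys(node, wanted, path = '', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findKeys(item, wanted, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (wanted.some((w) => key.toLowerCase().includes(w))) {
        hits.push({ path: here, value });
      }
      findKeys(value, wanted, here, hits);
    }
  }
  return hits;
}

// Drop blacklisted connections first, then keep only messages that
// carry at least one matching key somewhere in their payload.
function filterMessages(messages, { blacklist = [], keys = [] }) {
  const wanted = keys.map((k) => k.toLowerCase());
  const out = [];
  for (const msg of messages) {
    if (blacklist.includes(msg.connection)) continue;
    const hits = findKeys(msg.data, wanted);
    if (hits.length > 0) out.push({ fn: msg.fn, connection: msg.connection, hits });
  }
  return out;
}

console.log(JSON.stringify(
  filterMessages(SAMPLE, { blacklist: ['DICT CREATION'], keys: ['longitude'] }),
  null, 2));
```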
Now we can use the same approach on other applications and binaries to analyse which applications and daemons they talk to and what that communication looks like. This could give us more opportunities to find vulnerabilities.