Gatekeeper CoreServicesUIAgent Analysis in macOS
Reverse Engineering
What is CoreServicesUIAgent?
CoreServicesUIAgent is a system process in macOS that displays user interface elements for various system services, particularly those involving security and application permissions. It plays a critical role in macOS security features such as Gatekeeper and TCC.
When you try to open an application that you downloaded from the internet or another untrusted source, CoreServicesUIAgent handles the UI for the security warning.
This is part of the Gatekeeper feature, which ensures that macOS only runs trusted applications with valid signatures or explicit user consent.
In this guide I will reverse engineer the Mach-O executable of CoreServicesUIAgent, which is located in:
/System/Library/CoreServices/CoreServicesUIAgent.app
Now I will start disassembling the Gatekeeper functions.
What is the quarantine in Gatekeeper?
com.apple.quarantine is a security feature in macOS used to track files that we download from the internet using Safari or other browsers.
This feature places new applications in a digital quarantine before opening them, similar to how hospitals isolate individuals suspected of carrying contagious diseases. For example, when someone suspected of being infected with the coronavirus arrives at a hospital, they are placed in quarantine to prevent spreading the infection. Doctors then examine them to ensure they are safe. Gatekeeper applies a similar process by verifying software signatures through Apple's certification system. If the application has a valid signature, it is allowed to run on the system.
In this guide I will show you how the Gatekeeper mechanism works behind the scenes.
First, let's disassemble the CoreServicesUIAgent Mach-O file.
Now let's search for any strings and functions related to quarantine.
This picture shows us something interesting related to the Gatekeeper pop-up window that you see when you download a DMG or PKG to install an application from outside the Apple App Store.
initWithURL: The initializer used to create a GKQuarantineInfo object from the URL of the file.
URL: A property that returns the URL of the file being handled.
timestamp: A property holding the time when the file was downloaded or transferred.
setTimestamp: A method that sets the timestamp of the file.
dateKind: A property that specifies the kind of date stored (such as the download date or the last modified date).
dataURL: A property that returns the URL associated with additional file data (such as the original upload location).
dmgURL: A property that returns the URL of the DMG file if the file is part of a disk image, as most applications are.
setDmgURL: A method used to set the URL of the DMG file.
serverURL: A property that returns the URL of the server from which the file was downloaded.
GKQuarantineInfo is used to collect and manage data related to files that carry the quarantine attribute.
Through properties such as URL and originURL, the system can tell where the file was downloaded from.
Information such as agentName and senderName is used to display details in the Gatekeeper window; see Figure 3 below.
Here the function's stack frame is set up.
The callee-saved registers (rbp, r15, r14, ...) are pushed to preserve them, since their values can change during the execution of the function.
sub rsp, 0x58
reserves additional space on the stack for the local variables.
rdi: carries the first argument (the target object, self).
rdx: carries the second argument (the URL); rsi holds the selector in between.
_objc_retain is called:
This is part of the Objective-C memory management system: the object passed in rdx is retained to prevent it from being released during execution.
The return value of _objc_retain is stored in the register r13.
test rax, rax checks whether the value is NULL.
If it is NULL, execution jumps to loc_10000e7c7, which means the object is invalid.
The value of r13 is loaded into rdi, which is the argument passed to the function sub_10000a449.
When a subfunction is called, its result is returned in rax.
The value returned from the subfunction is loaded into rdi as the argument for the next function call.
The subfunction sub_10000a449 is called to process the object data.
Memory management is handled via objc_retainAutoreleasedReturnValue.
The arguments are loaded to send a message to the superclass implementation using objc_msgSendSuper2.
The result is checked to ensure that the operation succeeded.
Now let's start with dynamic analysis.
We will use tools like Frida to intercept the GKQuarantineInfo methods.
But first I will make a sample program and add the quarantine attribute to it using the xattr tool.
First I will write a small C++ program:
#include <stdio.h>

int main() {
    printf("Hello, Gatekeeper!\n");
    return 0;
}
Then I will compile it with g++:
g++ -o gatetest main.cpp
We get a Mach-O executable file:
file gatetest
gatetest: Mach-O 64-bit executable x86_64
Then I will add the quarantine attribute using xattr by typing:
xattr -w com.apple.quarantine "0083;64000000;Safari;D8C1C9C2-1A34-41E3-BEAA-7F0A843AD5D9" gatetest
Now that I have added the com.apple.quarantine attribute to our executable file, macOS will put it in quarantine.
If a downloaded Mach-O file carries this attribute, CoreServicesUIAgent (which is responsible for the Gatekeeper window) uses the attribute to check the file.
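To make the attribute value concrete, here is a small parser for the string written with xattr above. It is an added example, not code from the original post; the field layout it assumes is flags in hex, download time as hex Unix seconds, the agent name, and a UUID, and it leaves the meaning of individual flag bits undecoded.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the value written with `xattr -w com.apple.quarantine ...` above.
SAMPLE = "0083;64000000;Safari;D8C1C9C2-1A34-41E3-BEAA-7F0A843AD5D9"
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def parse_quarantine(value):
    """Split a com.apple.quarantine value into its four ';'-separated fields.
    Assumed layout (matching the value used in this post):
        <flags, hex>;<download time, hex Unix seconds>;<agent name>;<UUID>
    Flag bits are not decoded; the raw integer is returned.
    Raises ValueError when the value does not follow that layout.
    """
    parts = value.split(";")
    if len(parts) != 4:
        raise ValueError("expected 4 fields, got %d" % len(parts))
    flags_hex, ts_hex, agent, uuid = parts
    try:
        flags, ts = int(flags_hex, 16), int(ts_hex, 16)
    except ValueError:
        raise ValueError("flags and timestamp must be hexadecimal")
    if not agent:
        raise ValueError("agent name is empty")
    if not UUID_RE.match(uuid):
        raise ValueError("fourth field is not a UUID: %r" % uuid)
    return {
        "flags": flags,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "agent": agent,
        "uuid": uuid.upper(),
    }

def is_well_formed(value):
    """True when the value parses, False otherwise (handy in a triage loop)."""
    try:
        parse_quarantine(value)
        return True
    except ValueError:
        return False

def describe(value):
    """One-line summary of a parsed attribute, e.g. for a triage report."""
    q = parse_quarantine(value)
    return "%s downloaded via %s at %s (flags 0x%04x)" % (
        q["uuid"], q["agent"], q["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC"), q["flags"])

if __name__ == "__main__":
    print(describe(SAMPLE))
```

The hex timestamp 64000000 in the sample decodes to 2023-03-02 01:46:40 UTC, which is the "downloaded on" time the Gatekeeper dialog is fed from this attribute.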
Now I will write a simple Frida JavaScript script to intercept the CoreServicesUIAgent messages when Gatekeeper runs and shows us the pop-up window.
// Hook -[GKQuarantineInfo initWithURL:] inside CoreServicesUIAgent
var initWithURL = ObjC.classes.GKQuarantineInfo["- initWithURL:"];
Interceptor.attach(initWithURL.implementation, {
    onEnter: function (args) {
        // args[0] = self, args[1] = selector, args[2] = the NSURL argument
        console.log("URL: " + new ObjC.Object(args[2]).toString());
    }
});
Let's look up the CoreServicesUIAgent PID:
ps aux | grep CoreServicesUIAgent
Then run Frida against that PID by typing:
Now let's run our test program.
We get a window saying that the program has no Apple code signature,
and the GKQuarantineInfo initializer has been intercepted
and has printed the path of the program.
Summary
We reversed the UIAgent of the Gatekeeper process.
We reversed UIAgent's instructions to understand how Gatekeeper works.
We learned what GKQuarantineInfo is.
Tools:
Frida framework
IDA64
Hopper
g++