Gatekeeper CoreServicesUIAgent Analysis in macOS

Abdulrahman Al-Hakami

Reverse Engineering

What is CoreServicesUIAgent?

CoreServicesUIAgent is a macOS system process that displays user interface elements on behalf of various system services, particularly those involving security and application permissions. It plays a critical role in macOS security features such as Gatekeeper and TCC.

When you try to open an application that you downloaded from the Internet or another untrusted source, CoreServicesUIAgent handles the UI for the security warning.

This is part of the Gatekeeper feature, which ensures that macOS only runs trusted applications that carry a valid signature or that the user has explicitly consented to run.

In this guide I will reverse the Mach-O executable of CoreServicesUIAgent, which is located at:

/System/Library/CoreServices/CoreServicesUIAgent.app

Now I will start disassembling the Gatekeeper-related functions.

What is quarantine in Gatekeeper?

com.apple.quarantine is a security feature in macOS used to track files that were downloaded from the Internet with Safari or other browsers.

This feature places new applications in a digital quarantine before they are opened, similar to how hospitals isolate individuals suspected of carrying a contagious disease. For example, when someone suspected of being infected with the coronavirus arrives at a hospital, they are placed in quarantine to prevent the infection from spreading, and doctors then examine them to confirm they are safe. Gatekeeper applies a similar process by verifying software signatures through Apple’s certification system. If the application has a valid signature, it is allowed to run on the system.

In this guide I will show you how the Gatekeeper mechanism works behind the scenes.

First, let's disassemble the CoreServicesUIAgent Mach-O file.

Figure 1: CoreServicesUIAgent instructions

Now let's search for any strings or functions related to quarantine.

Figure 2: Gatekeeper (GK) functions

This picture shows us something interesting: the Gatekeeper pop-up window that you see when you download a DMG or PKG to install an application from outside the Apple App Store.

initWithURL: The initializer used to create a GKQuarantineInfo object from the URL of the file.

URL: A property that returns the URL of the file being handled.

timestamp: A property that records when the file was downloaded or transferred.

setTimestamp: A method that sets the timestamp of the file.

dateKind: A property that specifies the kind of date stored (such as the download date or the last-modified date).

dataURL: A property that returns the URL associated with additional file data (such as the original upload location).

dmgURL: A property that returns the URL of the DMG file, if the file is part of a disk image, as most downloaded applications are.

setDmgURL: A method used to set the URL of the DMG file.

ServerURL: A property that returns the URL of the server from which the file was downloaded.

GKQuarantineInfo is used to collect and manage data about files that carry the quarantine attribute.

Through properties such as URL and originURL, the system knows where the file was downloaded from.

Information such as agentName and senderName is used to display details in the Gatekeeper window; see Figure 3 below.

Figure 3: Gatekeeper pop-up window

Here the function’s stack frame is set up.

The callee-saved registers (rbp, r15, r14, …) are pushed to preserve them, since their values may change during the execution of the function.

sub rsp, 0x58

reserves additional space on the stack for the local variables.

rdi: carries the first argument (the target object, self).

rdx: carries the second argument (the URL).

_objc_retain is called. This is part of the Objective-C memory management system: the object passed in rdx is retained so that it cannot be released while the function executes.

The pointer returned by _objc_retain is stored in the register r13.

test rax, rax checks whether the returned value is NULL.

If the result is NULL, execution jumps to loc_10000e7c7, which means the object is invalid.

The value of r13 is loaded into rdi, which is the argument that will be passed to the function sub_10000a449.

When a subfunction is called, its result is returned in rax.

The value returned from the subfunction is loaded into rdi as the argument for the next call.

The subfunction sub_10000a449 is called to process the object data.

Memory management is ensured via objc_retainAutoreleasedReturnValue.

The values and call setup are loaded to send a message to the parent object using objc_msgSendSuper2.

The result is checked to ensure that the operation was successful.

Now let's start with dynamic analysis.

We will use a tool like Frida to intercept the GKQuarantineInfo function.

But first I will make a sample program and add the quarantine attribute to it using the xattr tool.

First I will write a C++ program:

#include <stdio.h>

// Minimal test program; it is built without a code signature, which is what
// Gatekeeper will complain about once the binary carries the quarantine attribute.
int main() {
    printf("Hello, Gatekeeper!\n");
    return 0;
}

Then I compile it with g++:

g++ -o gatetest main.cpp

This gives us a Mach-O executable:

file gatetest
gatetest: Mach-O 64-bit executable x86_64

Then I add the quarantine attribute using xattr by typing:

xattr -w com.apple.quarantine "0083;64000000;Safari;D8C1C9C2-1A34-41E3-BEAA-7F0A843AD5D9" gatetest

Now that I have added the com.apple.quarantine attribute to our executable, macOS will put it in quarantine.

If you have a downloaded Mach-O file that carries this attribute, CoreServicesUIAgent (which is responsible for the Gatekeeper window) uses the attribute to check the file.

Now I will write a simple JavaScript Frida script to intercept the CoreServicesUIAgent messages when Gatekeeper runs and shows the pop-up window.

// Resolve -[GKQuarantineInfo initWithURL:] inside CoreServicesUIAgent.
var initWithURL = ObjC.classes.GKQuarantineInfo["- initWithURL:"];

Interceptor.attach(initWithURL.implementation, {
    onEnter: function (args) {
        // args[0] is self and args[1] is _cmd, so the URL argument is args[2].
        console.log("URL: " + ObjC.Object(args[2]).toString());
    }
});

Let's look up the CoreServicesUIAgent PID:

ps aux | grep CoreServicesUIAgent

Run Frida by typing:

Now let's run our test program.

Now we get a window message saying that the program has no Apple code signature, the GKQuarantineInfo function has been intercepted, and the script printed the path of the program.
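As an added example that is not part of the original post, here is a fuller version of the hook above. It also logs the return value of initWithURL: (a nil result is the loc_10000e7c7 path seen in the disassembly) and the property getters listed earlier. The selector names come from that listing; the lower-case spelling serverURL and the exact set of getters are assumptions, so the script checks that each selector exists before attaching. Outside Frida (for example under node) only the pure helper runs; it encodes why the URL argument is args[2]: on x86-64, Objective-C passes self in rdi and _cmd in rsi, so the first explicit argument is in rdx, matching the rdi/rdx observations in the static analysis.

```javascript
// Register order for integer arguments in the x86-64 System V ABI.
const X64_ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"];

// Map the n-th explicit argument (0-based) of an Objective-C selector to the
// Frida args[] index and the register it arrives in. self and _cmd occupy
// slots 0 and 1, so explicit arguments start at slot 2.
function frameArgIndex(selector, n) {
  const explicitArgs = (selector.match(/:/g) || []).length;
  if (n < 0 || n >= explicitArgs) {
    throw new RangeError(selector + " has " + explicitArgs + " explicit argument(s)");
  }
  const index = n + 2;
  return { index, register: index < X64_ARG_REGS.length ? X64_ARG_REGS[index] : "stack" };
}

// Getters of GKQuarantineInfo whose results we want to see (names assumed from the listing).
const GETTERS = ["- URL", "- originURL", "- timestamp", "- agentName", "- dmgURL", "- serverURL"];

function describeObject(ptr) {
  return ptr.isNull() ? "nil" : new ObjC.Object(ptr).toString();
}

// Only meaningful inside Frida attached to CoreServicesUIAgent.
function installHooks() {
  const cls = ObjC.classes.GKQuarantineInfo;
  const urlSlot = frameArgIndex("initWithURL:", 0); // -> args[2], rdx

  Interceptor.attach(cls["- initWithURL:"].implementation, {
    onEnter(args) {
      this.url = describeObject(args[urlSlot.index]);
      console.log("[init] initWithURL: " + this.url);
    },
    onLeave(retval) {
      // nil here means no GKQuarantineInfo was built for this URL.
      const what = retval.isNull() ? "nil (invalid object)" : new ObjC.Object(retval).$className;
      console.log("[init] " + this.url + " -> " + what);
    },
  });

  for (const sel of GETTERS) {
    if (!cls.$methods.includes(sel)) {
      console.log("[skip] " + sel + " not found on GKQuarantineInfo");
      continue;
    }
    Interceptor.attach(cls[sel].implementation, {
      onLeave(retval) {
        console.log("[get] " + sel + " = " + describeObject(retval));
      },
    });
  }
}

if (typeof ObjC !== "undefined" && ObjC.available) {
  installHooks();
}
```

Save it as gk_hook.js and load it with frida -n CoreServicesUIAgent -l gk_hook.js (attaching by process name instead of the PID looked up with ps), then open the quarantined gatetest binary; each getter line shows which of the stored fields the Gatekeeper window actually reads.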

Summary

We reversed the UIAgent of the Gatekeeper process.

We reversed UIAgent’s instructions to understand how Gatekeeper works.

We learned what GKQuarantineInfo is.

Tools:

Frida framework

IDA64

Hopper

g++


