mirror of
https://github.com/Karmaz95/Snake_Apple.git
synced 2026-03-30 14:00:16 +02:00
45 lines
1.3 KiB
Python
45 lines
1.3 KiB
Python
import sys
|
|
import lief
|
|
|
|
def extract_sandbox_operations(binary):
|
|
"""Extract sandbox operations from the Sandbox.kext file."""
|
|
extracted_strings = []
|
|
|
|
# Get strings from the __cstring (string table)
|
|
for section in binary.sections:
|
|
if section.type == lief.MachO.SECTION_TYPES.CSTRING_LITERALS:
|
|
strings_bytes = section.content.tobytes()
|
|
strings = strings_bytes.decode('utf-8', errors='ignore')
|
|
extracted_strings.extend(strings.split('\x00'))
|
|
|
|
operations = []
|
|
capture = False
|
|
|
|
# Extract operations based on specific markers
|
|
for string in extracted_strings:
|
|
if string == 'default':
|
|
capture = True
|
|
if capture:
|
|
operations.append(string)
|
|
if string == 'xpc-message-send':
|
|
capture = False
|
|
|
|
return operations
|
|
|
|
def main(file_path):
|
|
# Load the Mach-O binary using LIEF
|
|
binary = lief.parse(file_path)
|
|
|
|
# Extract and print sandbox operations
|
|
operations = extract_sandbox_operations(binary)
|
|
for operation in operations:
|
|
print(operation)
|
|
|
|
if __name__ == "__main__":
|
|
if len(sys.argv) != 2:
|
|
print("Usage: python sandbox_operations.py <path_to_sandbox_kext>")
|
|
sys.exit(1)
|
|
|
|
file_path = sys.argv[1]
|
|
main(file_path)
|