site_archiver(a)lists.apple.com
Delivered-To: darwin-kernel(a)lists.apple.com
I just tried on a native OS 10.13.N. The behavior I see is that the cups
(debug build with bona fide App signature, and using xattr -c cupsd on the
debug build) does not get loaded using Keep Alive. As soon as I replaced it
with the original one (Apple signed) it automatically gets loaded & running.
So I don’t know if this is really hardened or not.
Any hint?
Thanks,
Prokash
> On Dec 21, 2017, at 8:42 AM, Prokash Sinha <prokash(a)garlic.com> wrote:
>
> Thanks much!
> SIP is always disabled on my test machine. I basically did the same steps
> and I see sometimes it is able to start the new cupsd debug binary, some
> other times it does not (that I need to figure out). Also after attaching
> it, I need to break into it. I put lots of Xcode breakpoints, still not able
> to break into it. Somehow I’m missing something.
>
> Need to read more code paths …
>
> -Pro
>> On Dec 20, 2017, at 7:14 PM, nawcom <nawcom(a)gmail.com> wrote:
>>
>> assuming you have system integrity protection disabled for /usr/sbin write
>> access, just rename the binary to something else (cupsd.orig) while it's
>> still running and place your compiled version in its place. then run "sudo
>> pkill cupsd" and when launchd attempts to restart its process (due to its
>> KeepAlive plist key) it'll be running your version in its place. you don't
>> necessarily need to have the program killed in order to modify or replace
>> its binary since you loaded it into memory by executing it.
>>
>>> On Dec 20, 2017, at 17:27, Prokash Sinha <prokash(a)garlic.com> wrote:
>>>
>>> Folks,
>>>
>>> How do I debug cupsd?
>>>
>>> Basically I need to find some path of execution of the daemon.
>>>
>>> What I’m trying to do is to have a debug build from the Apple source, and
>>> replace it in /usr/sbin after stopping the service first. Is this possible?
>>> If so, then I can debug using Xcode.
>>>
>>> Otherwise I will have to use lldb (to attach to the process and look thru
>>> backtraces of release code) — harder approach!!
>>>
>>> Looking for a way to stop using launchctl command, replace the binary,
>>> restart.
>>>
>>> Thanks,
>>> Prokash
>>>
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Darwin-kernel mailing list (Darwin-kernel(a)lists.apple.com)
>>> Help/Unsubscribe/Update your Subscription:
>>> https://lists.apple.com/mailman/options/darwin-kernel/nawcom%40nawcom.com
>>>
>>> This email sent to nawcom(a)nawcom.com
>
site_archiver(a)lists.apple.com
Delivered-To: darwin-kernel(a)lists.apple.com
assuming you have system integrity protection disabled for /usr/sbin write
access, just rename the binary to something else (cupsd.orig) while it's
still running and place your compiled version in its place. then run "sudo
pkill cupsd" and when launchd attempts to restart its process (due to its
KeepAlive plist key) it'll be running your version in its place. you don't
necessarily need to have the program killed in order to modify or replace
its binary since you loaded it into memory by executing it.
On Wed, Dec 20, 2017 at 5:27 PM, Prokash Sinha <prokash(a)garlic.com> wrote:
> Folks,
>
> How do I debug cupsd?
>
> Basically I need to find some path of execution of the daemon.
>
> What I’m trying to do is to have a debug build from the Apple source, and
> replace it in /usr/sbin after stopping the service first. Is this possible?
> If so, then I can debug using Xcode.
>
> Otherwise I will have to use lldb (to attach to the process and look thru
> backtraces of release code) — harder approach!!
>
> Looking for a way to stop using launchctl command, replace the binary,
> restart.
>
> Thanks,
> Prokash
>
>
>
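The rename-while-running behaviour described in the reply above, as an added example that is not part of the original thread: a private copy of `sleep` stands in for the daemon (the names `swap_demo` and `inode_of` are made up for this sketch, and launchd and /usr/sbin are not involved). It shows that the running process survives the swap and that the original path now names a different file, so any check made against the path describes the replacement, not the image still in memory.

```shell
#!/bin/sh
# Constructed demo: a private copy of `sleep` plays the running daemon.
# Nothing under /usr/sbin is touched and launchd is not involved.

# Print the inode number of a file.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Swap a running binary by rename and report what changed.
swap_demo() {
    dir=$(mktemp -d) || return 1
    cp "$(command -v sleep)" "$dir/sleep" || return 1

    "$dir/sleep" 30 >/dev/null 2>&1 &       # the "daemon", now executing
    pid=$!
    sleep 1                                  # let the child finish exec()
    before=$(inode_of "$dir/sleep")

    mv "$dir/sleep" "$dir/sleep.orig"        # rename the binary while it runs
    printf 'replacement build\n' > "$dir/sleep"   # new file at the old path

    alive=no; changed=no; kept=no
    # The process keeps running from the image it already loaded.
    if kill -0 "$pid" 2>/dev/null; then alive=yes; fi
    # The old path now refers to a different file (new inode).
    if [ "$(inode_of "$dir/sleep")" != "$before" ]; then changed=yes; fi
    # The renamed file is the one the process was started from.
    if [ "$(inode_of "$dir/sleep.orig")" = "$before" ]; then kept=yes; fi

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "alive=$alive path_inode_changed=$changed orig_keeps_inode=$kept"
}

swap_demo
```
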
site_archiver(a)lists.apple.com
Delivered-To: darwin-kernel(a)lists.apple.com
Folks,
How do I debug cupsd?
Basically I need to find some path of execution of the daemon.
What I’m trying to do is to have a debug build from the Apple source, and
replace it in /usr/sbin after stopping the service first. Is this possible? If
so, then I can debug using Xcode.
Otherwise I will have to use lldb (to attach to the process and look thru
backtraces of release code) — harder approach!!
Looking for a way to stop using launchctl command, replace the binary, restart.
Thanks,
Prokash