I just tried on a native OS 10.13.N. The behavior I see is that the cups (debug build with bona fide App signature, and using xattr -c cupsd on the debug build) does not get loaded using Keep Alive. As soon as I replaced it with the original one (Apple signed) it automatically gets loaded & running. So I don’t know if this is really hardened or not. Any hint?
Thanks, Prokash
On Dec 21, 2017, at 8:42 AM, Prokash Sinha <prokash@garlic.com> wrote:
Thanks much! SIP is always disabled on my test machine. I basically did the same steps and I see sometimes it is able to start the new cupsd debug binary, other times it does not (that I need to figure out). Also after attaching it, I need to break into it. I put lots of Xcode breakpoints, still not able to break into it. Somehow I’m missing something.
Need to read more code paths …
-Pro
On Dec 20, 2017, at 7:14 PM, nawcom <nawcom@gmail.com> wrote:
assuming you have system integrity protection disabled for /usr/sbin write access, just rename the binary to something else (cupsd.orig) while it's still running and place your compiled version in its place. then run "sudo pkill cupsd" and when launchd attempts to restart its process (due to its KeepAlive plist key) it'll be running your version in its place. you don't necessarily need to have the program killed in order to modify or replace its binary since you loaded it into memory by executing it.
On Dec 20, 2017, at 17:27, Prokash Sinha <prokash@garlic.com> wrote:
Folks,
How do I debug cupsd?
Basically I need to find some path of execution of the daemon.
What I’m trying to do is to have a debug build from the Apple source, and replace it in /usr/sbin after stopping the service first. Is this possible? If so, then I can debug using Xcode.
Otherwise I will have to use lldb (to attach to the process and look through backtraces of release code), a harder approach!!
Looking for a way to stop using launchctl command, replace the binary, restart.
Thanks, Prokash
_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/darwin-kernel/nawcom%40nawcom.com