Tool inspired by xpcspy tool to monitor XPC traffic.
gxpc recursively parses types of xpc_object_t as well as unmarshalling the data back to Go types.
Download one of the prebuilt binaries for macOS(x86_64 or arm64) from here or do it manually as described below.
- Follow the instructions for devkit documented here
- Run
go install github.com/ReverseApple/gxpc@latest
XPC sniffer
Usage:
gxpc [spawn_args] [flags]
Flags:
-b, --blacklist strings blacklist connection by name
--blacklistp strings blacklist connection by PID
-f, --file string spawn the file
-h, --help help for gxpc
-i, --id string connect to device with ID
-l, --list list available devices
-n, --name string process name
-o, --output string save output to this file
-p, --pid int PID of wanted process (default -1)
-r, --remote string connect to device at IP address
-w, --whitelist strings whitelist connection by name
--whitelistp strings whitelist connection by PIDIf you do not pass -i flag, default device is USB.
If you want to spawn a file/binary, pass the -f that points to the file/binary you want to spawn along with the arguments.
gxpc -i local -f /bin/cat /tmp/somefile- without some specific flags to the spawned binarygxpc -i local -f /path/to/binary -- -a -b "TEST"- with some specific flags to the spawned binary
Additionally, you can filter on connection names or PIDs, if you pass both filters (name and PID), it will take only name.
--whitelist and --whitelistp along with the --blacklist and --blacklistp accepts the list, such as --blacklistp "89,32,41" which will
blacklist the ports 89, 32 and 41.
