objective-see / KnockKnock

Enumerate persistently installed software
GNU General Public License v3.0

Feature Request: Add GlobalLoginItems plist to LoginItems enumeration #11

Open D00MFist opened 3 years ago

D00MFist commented 3 years ago

Feature Request: expand the existing login item enumeration to also include login items written using the Launch Services framework with the all-users list ($.kLSSharedFileListGlobalLoginItems). This is the method used by the Apfell agent of Mythic. Example standalone JXA script, adapted from the Apfell agent:

testLogItem.js

/**
 * Reproduction script for the issue: registers a login item in the
 * all-users (global) Launch Services shared file list.
 *
 * Flow, as written below:
 *   1. Create an authorization reference with default flags.
 *   2. Build a CFURL for a hard-coded executable path (Safari in this example).
 *   3. Open the kLSSharedFileListGlobalLoginItems list and attach the
 *      authorization to it.
 *   4. Insert the URL at the end of the list under the display name 'WebTest'.
 *
 * Relevance for enumeration tools: per the issue text, an entry added this
 * way is stored in com.apple.LSSharedFileList.GlobalLoginItems.sfl2 and not
 * in backgrounditems.btm, so a scan that reads only backgrounditems.btm
 * would not list it.
 *
 * @returns {{user_output: string, completed: boolean}} status object;
 *          "completed" is true in both branches.
 */
function loginitem() {
    // Bridge the frameworks that provide the LSSharedFileList, Authorization
    // and CoreFoundation symbols used below.
    ObjC.import('CoreServices');
    ObjC.import('Security');
    ObjC.import('SystemConfiguration');
    let auth;
    // Default rights, environment and flags; a return of 0 (errAuthorizationSuccess)
    // selects the insertion branch.
    let result = $.AuthorizationCreate($.nil, $.nil, $.kAuthorizationDefaults, Ref(auth));
    if (result === 0) {
        // File URL of the item to launch at login; the path and its length are
        // passed as separate arguments, and `false` marks it as not a directory.
        let temp = $.CFURLCreateFromFileSystemRepresentation($.kCFAllocatorDefault, '/Applications/Safari.app/Contents/MacOS/Safari', '/Applications/Safari.app/Contents/MacOS/Safari'.length, false);
        // Global (all users) login item list, as opposed to the per-session list.
        let items = $.LSSharedFileListCreate($.kCFAllocatorDefault, $.kLSSharedFileListGlobalLoginItems, $.nil);
        $.LSSharedFileListSetAuthorization(items, auth);
        // Display name recorded for the entry.
        let cfName = $.CFStringCreateWithCString($.nil, 'WebTest', $.kCFStringEncodingASCII);
        let itemRef = $.LSSharedFileListInsertItemURL(items, $.kLSSharedFileListItemLast, cfName, $.nil, temp, $.nil, $.nil);
        // NOTE(review): itemRef is never inspected, so the success message below is
        // returned whether or not the insertion took effect. Confirm the result by
        // checking the .sfl2 file or the list contents, not this string.
        return {"user_output": "LoginItem installation successful", "completed": true};
    } else {
        // Only an AuthorizationCreate failure is reported; the raw status code is
        // included in the message.
        return {"user_output": `LoginItem installation failed: AuthorizationCreate returned ${result}`, "completed": true};
    }
};
// Run the reproduction once when the script is executed.
loginitem()

When this method is used, the item is saved to GlobalLoginItems.sfl2 and not to backgrounditems.btm as in other instances. If you replace the `items` line with the following (specifying the current session), then backgrounditems.btm is modified instead.

// Session-scoped variant of the list creation call: per the issue text, using
// kLSSharedFileListSessionLoginItems results in backgrounditems.btm being
// modified rather than GlobalLoginItems.sfl2.
let items = $.LSSharedFileListCreate($.kCFAllocatorDefault, $.kLSSharedFileListSessionLoginItems, $.nil);

Also ~/Library/Application\ Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.GlobalLoginItems.sfl2 appears to be formatted similarly to ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.

x13a commented 2 years ago

com.apple.LSSharedFileList.GlobalLoginItems.sfl2 is protected; you cannot get raw access to it by default, but you can access it through the API: LSSharedFileListCreate.