diff --git a/SUMMARY.md b/SUMMARY.md
index d8963e84..6d9305b5 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -142,7 +142,7 @@
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
* [macOS Architecture](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-bundles.md)
- * [macOS IPC](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc.md)
+ * [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication.md)
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
* [Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/universal-binaries-and-mach-o-format.md)
* [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
index 30d55e7b..3260b2a8 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
@@ -84,8 +84,8 @@ kextunload com.apple.iokit.IOReportFamily
### IPC - Inter Process Communication
-{% content-ref url="macos-ipc.md" %}
-[macos-ipc.md](macos-ipc.md)
+{% content-ref url="macos-ipc-inter-process-communication.md" %}
+[macos-ipc-inter-process-communication.md](macos-ipc-inter-process-communication.md)
{% endcontent-ref %}
## Apple Propietary File System (APFS)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
index 8d57f3ac..1c04fc02 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
@@ -62,7 +62,7 @@ DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello
[+] Hello from interpose
```
-### Method Swizzling
+## Method Swizzling
In ObjectiveC this is how a method is called: `[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`
@@ -72,7 +72,11 @@ The object is **`someObject`**, the method is **`@selector(method1p1:p2:)`** and
Following the object structures, it's possible to reach an **array of methods** where the **names** and **pointers** to the method code are **located**.
-#### Accessing the raw methods
+{% hint style="danger" %}
+Note that because methods and classes are accessed based on their names, this information is store in the binary, so it's possible to retrieve it with `otool -ov ` or [`class-dump `](https://github.com/nygard/class-dump)
+{% endhint %}
+
+### Accessing the raw methods
It's possible to access the information of the methods such as name, number of params or address like in the following example:
@@ -142,7 +146,7 @@ int main() {
}
```
-#### Method Swizzling with method\_exchangeImplementations
+### Method Swizzling with method\_exchangeImplementations
The function method\_exchangeImplementations allows to change the address of one function for the other. So when a function is called what is executed is the other one.
@@ -190,7 +194,7 @@ int main(int argc, const char * argv[]) {
}
```
-#### Method Swizzling with method\_setImplementation
+### Method Swizzling with method\_setImplementation
The previous format is weird because you are changing the implementation of 2 methods one from the other. Using the function **`method_setImplementation`** you can **change** the **implementation** of a **method for the other one**.
@@ -248,6 +252,28 @@ int main(int argc, const char * argv[]) {
}
```
+## Hooking Attack Methodology
+
+In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**.
+
+In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld\_insert\_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication.md#dylib-process-injection-via-task-port).
+
+However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations.
+
+However, a function hooking attack is very specific, an attacker will do this to **steal sensitive information from inside a process** (if not you would just do a process injection attack). And this sensitive information might be located in user downloaded Apps such as MacPass.
+
+So the attacker vector would be to either find a vulnerability or strip the signature of the application, inject the **`DYLD_INSERT_LIBRARIES`** env variable through the Info.plist of the application adding something like:
+
+```xml
+LSEnvironment
+
+ DYLD_INSERT_LIBRARIES
+ /Applications/MacPass.app/Contents/malicious.dylib
+
+```
+
+Add in that library the hooking code to exfiltrate the information: Passwords, messages...
+
## References
* [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication.md
similarity index 85%
rename from macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc.md
rename to macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication.md
index 8ca1789d..a62bfca1 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication.md
@@ -1,4 +1,4 @@
-# macOS IPC
+# macOS IPC - Inter Process Communication
@@ -12,9 +12,7 @@
-## IPC - Inter Process Communication
-
-### Ports
+## Mach messaging via Ports
Mach uses **tasks** as the **smallest unit** for sharing resources, and each task can contain **multiple threads**. These **tasks and threads are mapped 1:1 to POSIX processes and threads**.
@@ -699,6 +697,81 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
./inject
```
+## XPC
+
+### Basic Information
+
+XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication, is a framework for **communication between processes** on macOS and iOS. XPC provides a mechanism for making **safe, asynchronous method calls between different processes** on the system. It's a part of Apple's security paradigm, allowing for the **creation of privilege-separated applications** where each **component** runs with **only the permissions it needs** to do its job, thereby limiting the potential damage from a compromised process.
+
+XPC uses a form of Inter-Process Communication (IPC), which is a set of methods for different programs running on the same system to send data back and forth.
+
+The primary benefits of XPC include:
+
+1. **Security**: By separating work into different processes, each process can be granted only the permissions it needs. This means that even if a process is compromised, it has limited ability to do harm.
+2. **Stability**: XPC helps isolate crashes to the component where they occur. If a process crashes, it can be restarted without affecting the rest of the system.
+3. **Performance**: XPC allows for easy concurrency, as different tasks can be run simultaneously in different processes.
+
+The only **drawback** is that **separating an application is several processes** making them communicate via XPC is **less efficient**. But in todays systems this isn't almost noticeable and the benefits are much better.
+
+An example can be seen in QuickTime Player, where a component using XPC is responsible for video decoding. The component is specifically designed to perform computational tasks, thus, in the event of a breach, it wouldn't provide any useful gains to the attacker, such as access to files or the network.
+
+### Application Specific XPC services
+
+The XPC components of an applications are **inside the application itself.** For example, in Safari you can find them in **`/Applications/Safari.app/Contents/XPCServices`**. They have extension **`.xpc`** (like **`com.apple.Safari.SandboxBroker.xpc`**) and are **also bundles** with the main binary inside of it: `/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker`
+
+As you might be thinking a **XPC component will have different entitlements and privileges** than the other XPC components or the main app binary. EXCEPT if an XPC service is configured with [**JoinExistingSession**](https://developer.apple.com/documentation/bundleresources/information\_property\_list/xpcservice/joinexistingsession) set to “True” in its **Info.plist** file. In this case, the XPC service will run in the same security session as the application that called it.
+
+XPC services are **started** by **launchd** when required and **shut down** once all tasks are **complete** to free system resources. **Application-specific XPC components can only be utilized by the application**, thereby reducing the risk associated with potential vulnerabilities.
+
+### System Wide XPC services
+
+**System-wide XPC services** are accessible to all users. These services, either launchd or Mach-type, need to be **defined in plist** files located in specified directories such as **`/System/Library/LaunchDameons`**, **`/Library/LaunchDameons`**, **`/System/Library/LaunchAgents`**, or **`/Library/LaunchAgents`**.
+
+These plists files will have a key called **`MachServices`** with the name of the service, and a key called **`Program`** with the path to the binary:
+
+```xml
+cat /Library/LaunchDaemons/com.jamf.management.daemon.plist
+
+
+
+
+
+ Program
+ /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon
+ AbandonProcessGroup
+
+ KeepAlive
+
+ Label
+ com.jamf.management.daemon
+ MachServices
+
+ com.jamf.management.daemon.aad
+
+ com.jamf.management.daemon.agent
+
+ com.jamf.management.daemon.binary
+
+ com.jamf.management.daemon.selfservice
+
+ com.jamf.management.daemon.service
+
+
+ RunAtLoad
+
+
+
+```
+
+The ones in **`LaunchDameons`** are run by root. So if an unprivileged process can talk with one of these it could be able to escalate privileges.
+
+### XPC Event Messages
+
+Applications can **subscribe** to different event **messages**, enabling them to be **initiated on-demand** when such events happen. The **setup** for these services is done in l**aunchd plist files**, located in the **same directories as the previous ones** and containing an extra **`LaunchEvent`** key.
+
+\
+
+
## References
* [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)