普通的抓包工具如 charles 等没法抓取unix套接字数据,需要借助 socat 来抓取。
安装抓包工具 socat
brew install socat
制作抓包脚本
在/usr/local/bin下创建一个命名为xdump的 shell 执行脚本,内容如下:
#!/bin/bash
restore(){
mv $1.original $1
echo -e "\nSocket $1 \e[33mRESTORED"
}
sock="$1"
trap "restore $sock" EXIT
mv "$sock" "$sock.original"
socat -t100 -v UNIX-LISTEN:$sock,mode=777,reuseaddr,fork UNIX-CONNECT:$sock.original
为xdump脚本赋执行权限:
chmod +x /usr/local/bin/xdump
开始抓包
需要抓包时执行如下命令:
sudo xdump /path/to/unix_socket_file
例如抓包 xcode 的usbmuxd通信协议:
sudo xdump /var/run/usbmuxd
输出如下:
> 2023/05/22 14:17:23.000982894 length=472 from=0 to=471
........\b.......<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BundleID</key>
<string>com.apple.dt.Xcode</string>
<key>ClientVersionString</key>
<string>usbmuxd-531.100.1</string>
<key>MessageType</key>
<string>ReadBUID</string>
<key>ProcessID</key>
<integer>870</integer>
<key>ProgName</key>
<string>Xcode</string>
</dict>
</plist>
< 2023/05/22 14:17:23.000985543 length=276 from=0 to=275
........\b.......<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BUID</key>
<string>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</string>
</dict>
</plist>