How to capture Unix domain socket traffic on macOS

Ordinary capture tools such as Charles cannot see Unix domain socket data; socat is needed instead. The idea is to move the real socket file aside and let socat listen in its place, forwarding every connection to the original socket while logging all bytes that pass in either direction.

Install the capture tool socat

brew install socat

Create the capture script

Create a shell script named xdump under /usr/local/bin with the following contents:

#!/bin/bash
# Usage: xdump /path/to/unix_socket
# Moves the real socket aside and puts a logging socat proxy in its place.
restore(){
    mv "$1.original" "$1"
    echo -e "\nSocket $1 \e[33mRESTORED\e[0m"
}

[ -n "$1" ] || { echo "usage: xdump /path/to/unix_socket" >&2; exit 1; }
sock="$1"
trap 'restore "$sock"' EXIT
mv "$sock" "$sock.original"

# -v prints every byte passed through (> client to server, < server to client);
# -t100 keeps the other side open for 100 s after one side reaches EOF.
# mode=777 makes the replacement socket world-accessible; tighten it if the
# original socket's permissions were more restrictive.
socat -t100 -v UNIX-LISTEN:"$sock",mode=777,reuseaddr,fork UNIX-CONNECT:"$sock.original"

Make the xdump script executable:

chmod +x /usr/local/bin/xdump

Start capturing

When you need to capture, run the following command (with sudo when the socket lives in a root-owned directory such as /var/run); the original socket is restored when the script exits:

sudo xdump /path/to/unix_socket_file

For example, to capture Xcode's usbmuxd protocol traffic:

sudo xdump /var/run/usbmuxd

The output looks like this:

> 2023/05/22 14:17:23.000982894  length=472 from=0 to=471
........\b.......<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BundleID</key>
	<string>com.apple.dt.Xcode</string>
	<key>ClientVersionString</key>
	<string>usbmuxd-531.100.1</string>
	<key>MessageType</key>
	<string>ReadBUID</string>
	<key>ProcessID</key>
	<integer>870</integer>
	<key>ProgName</key>
	<string>Xcode</string>
</dict>
</plist>
< 2023/05/22 14:17:23.000985543  length=276 from=0 to=275
........\b.......<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BUID</key>
	<string>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</string>
</dict>
</plist>
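The `........\b.......` prefix in front of each plist in the dump above is the 16-byte usbmuxd header. As an added example (not code from the original post), the Python below decodes a captured byte stream into framed plist messages using the header layout documented by libimobiledevice (length, version, message type, tag; little-endian uint32 each), and keeps a truncated trailing frame as leftover instead of misparsing it. The sample bytes are constructed here to mirror the ReadBUID exchange shown above.

```python
import plistlib
import struct

# usbmuxd framing as documented by libimobiledevice: a 16-byte little-endian
# header (total length incl. header, version, message type, tag) followed by
# the payload; version 1 / message type 8 carry an XML plist. That header is
# the "........\b......." prefix in the socat dump above (\b is type 8 = 0x08).
HEADER = struct.Struct("<IIII")
VERSION_PLIST = 1
MESSAGE_PLIST = 8

def encode_frame(payload: dict, tag: int) -> bytes:
    """Build one usbmuxd plist frame (used here only to construct sample input)."""
    body = plistlib.dumps(payload, fmt=plistlib.FMT_XML)
    return HEADER.pack(HEADER.size + len(body), VERSION_PLIST, MESSAGE_PLIST, tag) + body

def decode_frames(stream: bytes):
    """Split a captured byte stream into decoded frames.

    Returns (frames, leftover): frames is a list of (tag, message dict); leftover
    is a trailing partial frame, so a truncated capture is neither dropped nor misparsed.
    """
    frames, offset = [], 0
    while len(stream) - offset >= HEADER.size:
        length, version, msg_type, tag = HEADER.unpack_from(stream, offset)
        if length < HEADER.size:
            raise ValueError(f"bad frame length {length} at offset {offset}")
        if offset + length > len(stream):
            break  # incomplete frame at the end of the capture
        body = stream[offset + HEADER.size:offset + length]
        if (version, msg_type) == (VERSION_PLIST, MESSAGE_PLIST):
            frames.append((tag, plistlib.loads(body)))
        else:  # non-plist message: keep the raw payload for inspection
            frames.append((tag, {"_raw": body, "_version": version, "_type": msg_type}))
        offset += length
    return frames, stream[offset:]

# Constructed sample input: the ReadBUID request/reply pair from the dump above,
# followed by a third frame cut off 4 bytes into its payload.
REQUEST = {"BundleID": "com.apple.dt.Xcode", "ClientVersionString": "usbmuxd-531.100.1",
           "MessageType": "ReadBUID", "ProcessID": 870, "ProgName": "Xcode"}
REPLY = {"BUID": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"}
SAMPLE = encode_frame(REQUEST, 1) + encode_frame(REPLY, 1) + encode_frame(REPLY, 2)[:20]

if __name__ == "__main__":
    for tag, msg in decode_frames(SAMPLE)[0]:
        print(f"tag={tag} {msg.get('MessageType', 'reply')}: {msg}")
```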