mediaserverd

1. What mediaserverd is

  mediaserverd (/usr/sbin/mediaserverd) is a background (daemon) process launched by the root process launchd. Its job description file, com.apple.mediaserverd.plist, lives in /System/Library/LaunchDaemons. At boot the system scans every plist in that directory and starts each daemon in turn, roughly 50 of them in total; these daemons are the real mechanism behind the "pseudo-backgrounding" that iOS implements.

  

  com.apple.mediaserverd.plist describes how mediaserverd is launched and which services it registers. mediaserverd mainly provides audio and video encoding and decoding services to the system, including sound output, audio recording, and video decoding and encoding.

  The com.apple.airplay.sender.xpc entry in the plist shows that mediaserverd exposes an XPC service.

  XPC is an inter-process communication technology on Apple platforms whose purpose is to improve the security and stability of apps. XPC makes IPC easier and lets us split an app into several processes with relatively little effort.

<key>MachServices</key>
    <dict>
        <key>com.apple.BTAudioHALPlugin.xpc</key>
        <true/>
        <key>com.apple.airplay.sender.xpc</key>
        <true/>
        <key>com.apple.audio.AUPBServer</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.audio.AURemoteIOServer</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.audio.AudioConverterServer</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.audio.AudioFileServer</key>
        <true/>
        <key>com.apple.audio.AudioQueueServer</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.audio.AudioSession</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.audio.AudioUnitServer</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.audio.SystemSounds</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.admin</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.asset</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.assetimagegenerator</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.audiodeviceclock</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.audioprocessingtap</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.cpe</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.cpeprotector</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.endpoint</key>
        <true/>
        <key>com.apple.coremedia.formatreader</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.mutablecomposition</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.recorder</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.remaker</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.sandboxserver</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.videocompositor</key>
        <true/>
        <key>com.apple.coremedia.videoqueue</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.virtualdisplay</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.coremedia.virtualdisplayserver</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.fig.movie</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.mediaserverd</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.videoconference.avconference</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
        <key>com.apple.videoconference.camera</key>
        <dict/>
    </dict>
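The MachServices dictionary above is the daemon's advertised IPC surface, so a defender's first step is to enumerate it from the job plist. The following script is an added example, not code from the original post; it parses a constructed, trimmed copy of the plist fragment (the Label and ProgramArguments keys are assumed, standard launchd keys) and reports which services are XPC endpoints and which carry the ResetAtClose option.

```python
import plistlib

# Constructed sample: a trimmed copy of the MachServices dictionary shown above,
# wrapped in the plist envelope launchd expects. Label/ProgramArguments are
# assumed standard launchd keys, not copied from the real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mediaserverd</string>
    <key>ProgramArguments</key>
    <array><string>/usr/sbin/mediaserverd</string></array>
    <key>MachServices</key>
    <dict>
        <key>com.apple.airplay.sender.xpc</key>
        <true/>
        <key>com.apple.audio.AudioSession</key>
        <dict><key>ResetAtClose</key><true/></dict>
        <key>com.apple.coremedia.sandboxserver</key>
        <dict><key>ResetAtClose</key><true/></dict>
        <key>com.apple.videoconference.camera</key>
        <dict/>
    </dict>
</dict>
</plist>
"""

def mach_services(plist_bytes):
    """Return [(service_name, reset_at_close)] for every MachServices entry."""
    job = plistlib.loads(plist_bytes)
    services = []
    for name, spec in sorted(job.get("MachServices", {}).items()):
        # launchd accepts either a bare <true/> or a dict of per-service options.
        reset = bool(spec.get("ResetAtClose", False)) if isinstance(spec, dict) else False
        services.append((name, reset))
    return services

def summarize(plist_bytes):
    """Small audit summary: who runs, how many Mach ports, which look like XPC."""
    job = plistlib.loads(plist_bytes)
    services = mach_services(plist_bytes)
    return {
        "label": job.get("Label"),
        "program": job.get("ProgramArguments", [None])[0],
        "service_count": len(services),
        "xpc_services": [n for n, _ in services if n.endswith(".xpc")],
        "reset_at_close": [n for n, r in services if r],
    }
```

Run it against the full plist from a device to get the complete list; the count and names are what you compare across iOS versions when tracking changes in the daemon's exposed surface.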

 

2. What the mediaserverd process does and how it works

  mediaserverd provides the audio and video services; a user app process calls its XPC services to have video decoded and encoded.

  Reference on making XPC calls: https://objccn.io/issue-14-4/

  Audio and video decoding involves operating on hardware, and mediaserverd contains a large amount of code that calls down into the driver layer. Routing this through XPC helps prevent overflow attacks by users and improves system stability: because there is a single, uniform XPC interface that crosses a process boundary, forging data for an overflow attack becomes considerably harder.

  On a jailbroken phone, hooking the audio services inside mediaserverd makes it possible to record audio, for example to record calls.

 

3. Useful methods in mediaserverd

  Disassembly shows that mediaserverd is written in C and is not a Mach-O format binary; the disassembly exposes few symbols, and class-dump cannot extract anything useful from it.

  Below is a section of the code that plays system sounds.

int sub_b4fc() {
    sp = sp - 0x8;
    r0 = *0x23b50;
    if (r0 != 0x0) goto loc_b5fc;
 
loc_b514:
    r0 = dlopen("/System/Library/PrivateFrameworks/MediaToolbox.framework/MediaToolbox", 0x1);
    *(0x23b50 + 0x4) = r0;
    if (r0 != 0x0) goto loc_b54a;
 
loc_b528:
    r1 = dlopen("/System/Library/PrivateFrameworks/Celestial.framework/Celestial", 0x1);
    r0 = 0x21666967;
    *(0x23b50 + 0x4) = r1;
    if (r1 == 0x0) goto .l3;
 
loc_b54a:
    dlerror();
    *0x23b50 = dlsym(*(0x23b50 + 0x4), "FigMediaServerStart");
    r0 = dlerror();
    if ((r0 != 0x0) || (*0x23b50 == 0x0)) goto loc_b600;
 
loc_b56e:
    *(0x23b50 + 0x8) = dlsym(*(0x23b50 + 0x4), "FigMediaServerStop");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0x8) == 0x0)) goto loc_b600;
 
loc_b58e:
    *(0x23b50 + 0xc) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDShouldPlayWithVolume");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0xc) == 0x0)) goto loc_b600;
 
loc_b5aa:
    *(0x23b50 + 0x10) = dlsym(*(0x23b50 + 0x4), "FigMediaServerVibrateForSystemSoundID");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0x10) == 0x0)) goto loc_b600;
 
loc_b5c6:
    *(0x23b50 + 0x14) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDActivate");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0x14) == 0x0)) goto loc_b600;
 
loc_b5e2:
    r4 = 0x23b50;
    asm{ ldrd       r0, r1, [r0] };
    asm{ stm.w      sp, {r0, r1} };
    FigRecalcSumIndex();
    r0 = *r4;
    goto loc_b5fc;
 
loc_b5fc:
    r0 = (r0)(r0);
    return r0;
 
.l3:
    return r0;
 
loc_b600:
    r1 = "%s\n";
    r3 = *___stderrp;
    fprintf(r3, r1);
    r0 = 0x21666967;
    return r0;
}
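The listing above is easier to read once the slots of the global table at 0x23b50 are named: the function lazily loads MediaToolbox (falling back to Celestial), stores the dlopen handle in one slot and five FigMediaServer* function pointers in the others, and returns the constant 0x21666967 on failure. The following script is an added example, not part of the original post; it recovers that table layout from the decompiler output (a constructed copy of the relevant lines) and decodes the error constant, whose four bytes spell the ASCII code "!fig".

```python
import re

# Constructed sample input: the lines of the decompiled sub_b4fc listing above
# that write to the global table at 0x23b50 (labels and branches dropped).
LISTING = """\
r0 = dlopen("/System/Library/PrivateFrameworks/MediaToolbox.framework/MediaToolbox", 0x1);
*(0x23b50 + 0x4) = r0;
r1 = dlopen("/System/Library/PrivateFrameworks/Celestial.framework/Celestial", 0x1);
r0 = 0x21666967;
*(0x23b50 + 0x4) = r1;
*0x23b50 = dlsym(*(0x23b50 + 0x4), "FigMediaServerStart");
*(0x23b50 + 0x8) = dlsym(*(0x23b50 + 0x4), "FigMediaServerStop");
*(0x23b50 + 0xc) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDShouldPlayWithVolume");
*(0x23b50 + 0x10) = dlsym(*(0x23b50 + 0x4), "FigMediaServerVibrateForSystemSoundID");
*(0x23b50 + 0x14) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDActivate");
"""

# A store into the table: "*0x23b50 = ..." (offset 0) or "*(0x23b50 + 0xNN) = ...".
STORE_RE = re.compile(r"^\*(?:\(0x23b50 \+ (0x[0-9a-f]+)\)|0x23b50) = (.*);$")
DLSYM_RE = re.compile(r'dlsym\(.*?, "([^"]+)"\)')
DLOPEN_RE = re.compile(r'^(r\d+) = dlopen\("([^"]+)"')

def recover_table(listing):
    """Map each table offset to the list of values the listing stores there."""
    dlopen_regs = {}   # register -> library path from the most recent dlopen
    table = {}
    for line in listing.splitlines():
        line = line.strip()
        m = DLOPEN_RE.match(line)
        if m:
            dlopen_regs[m.group(1)] = m.group(2)
            continue
        m = STORE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16) if m.group(1) else 0
        rhs = m.group(2)
        sym = DLSYM_RE.search(rhs)
        if sym:
            value = "fnptr " + sym.group(1)          # resolved function pointer
        elif rhs in dlopen_regs:
            value = "handle " + dlopen_regs[rhs]     # dlopen handle (two writes: primary, fallback)
        else:
            value = rhs
        table.setdefault(offset, []).append(value)
    return table

def decode_fourcc(value):
    """Render a 32-bit constant as its four ASCII bytes, most significant first."""
    return value.to_bytes(4, "big").decode("ascii")
```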

  

posted @ 兜兜有糖的博客