mediaserverd
1、mediaserverd是什么
mediaserverd(/usr/sbin/mediaserverd)是被root进程launchd启动的一个后台(daemon)进程,其描述文件为com.apple.mediaserverd.plist存放在
/System/Library/LaunchDaemon目录下,系统在启动的时候会扫描该目录下面所有的plist文件,分别启动所有后台进程,大概有
50多个,后台进程是iOS系统实现伪后台的真正原因。
com.apple.mediaserverd.plist 描述了mediaserverd启动、以及服务的相关信息,mediaserverd主要为系统提供音视频编解码的服务,包含声音输出录音,视频解码编码等。
通过plist中 com.apple.airplay.sender.xpc 的描述,可以看出来mediaserverd提供了一个xpc的服务
XPC是苹果系统上一种进程间通信的技术,XPC 目的是提高 App 的安全性和稳定性。XPC 让进程间通信变得更容易,让我们能够相对容易地将 App 拆分成多个进程的模式。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 | <key>MachServices</key> <dict> <key>com.apple.BTAudioHALPlugin.xpc</key> <true/> <key>com.apple.airplay.sender.xpc</key> <true/> <key>com.apple.audio.AUPBServer</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.audio.AURemoteIOServer</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.audio.AudioConverterServer</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.audio.AudioFileServer</key> <true/> <key>com.apple.audio.AudioQueueServer</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.audio.AudioSession</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.audio.AudioUnitServer</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.audio.SystemSounds</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.admin</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.asset</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.assetimagegenerator</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.audiodeviceclock</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.audioprocessingtap</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.cpe</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.cpeprotector</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.endpoint</key> <true/> <key>com.apple.coremedia.formatreader</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.mutablecomposition</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.recorder</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.remaker</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.sandboxserver</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.videocompositor</key> <true/> <key>com.apple.coremedia.videoqueue</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.virtualdisplay</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.coremedia.virtualdisplayserver</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.fig.movie</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.mediaserverd</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.videoconference.avconference</key> <dict> <key>ResetAtClose</key> <true/> </dict> <key>com.apple.videoconference.camera</key> <dict/> </dict> |
2、mediaserverd进程的作用和工作原理
mediaserverd提供音视频服务功能,用户app进程通过调用xpc服务,对视频进行解码编码。
xpc调用参考:https://objccn.io/issue-14-4/
音视频的解码涉及到对硬件的操作,mediaserverd中包含大量调用驱动层的代码,通过xpc可以防止用户进行溢出攻击,提高系统的稳定性。因为同一的xpc接口,跨进程,提高了溢出攻击伪造数据的难度。
在越狱手机上通过对mediaserverd中声音的服务进行hook,可以进行录音,比如通话录音等。
3、mediaserverd 中有用的方法
通过反汇编发现mediaserverd由C编写,不是mach-o格式的二进制文件,反汇编之后暴露出来的符号较少,通过class-dump无法提取有用信息。
下面是一段播放系统铃音的代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | int sub_b4fc() { sp = sp - 0x8; r0 = *0x23b50; if (r0 != 0x0) goto loc_b5fc;loc_b514: r0 = dlopen("/System/Library/PrivateFrameworks/MediaToolbox.framework/MediaToolbox", 0x1); *(0x23b50 + 0x4) = r0; if (r0 != 0x0) goto loc_b54a;loc_b528: r1 = dlopen("/System/Library/PrivateFrameworks/Celestial.framework/Celestial", 0x1); r0 = 0x21666967; *(0x23b50 + 0x4) = r1; if (r1 == 0x0) goto .l3;loc_b54a: dlerror(); *0x23b50 = dlsym(*(0x23b50 + 0x4), "FigMediaServerStart"); r0 = dlerror(); if ((r0 != 0x0) || (*0x23b50 == 0x0)) goto loc_b600;loc_b56e: *(0x23b50 + 0x8) = dlsym(*(0x23b50 + 0x4), "FigMediaServerStop"); r0 = dlerror(); if ((r0 != 0x0) || (*(0x23b50 + 0x8) == 0x0)) goto loc_b600;loc_b58e: *(0x23b50 + 0xc) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDShouldPlayWithVolume"); r0 = dlerror(); if ((r0 != 0x0) || (*(0x23b50 + 0xc) == 0x0)) goto loc_b600;loc_b5aa: *(0x23b50 + 0x10) = dlsym(*(0x23b50 + 0x4), "FigMediaServerVibrateForSystemSoundID"); r0 = dlerror(); if ((r0 != 0x0) || (*(0x23b50 + 0x10) == 0x0)) goto loc_b600;loc_b5c6: *(0x23b50 + 0x14) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDActivate"); r0 = dlerror(); if ((r0 != 0x0) || (*(0x23b50 + 0x14) == 0x0)) goto loc_b600;loc_b5e2: r4 = 0x23b50; asm{ ldrd r0, r1, [r0] }; asm{ stm.w sp, {r0, r1} }; FigRecalcSumIndex(); r0 = *r4; goto loc_b5fc;loc_b5fc: r0 = (r0)(r0); return r0;.l3: return r0;loc_b600: r1 = "%s\n"; r3 = *___stderrp; fprintf(r3, r1); r0 = 0x21666967; return r0;} |
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步