mediaserverd

1. What is mediaserverd

  mediaserverd (/usr/sbin/mediaserverd) is a background (daemon) process started by launchd, the root process. Its launch description file, com.apple.mediaserverd.plist, lives in
  /System/Library/LaunchDaemons. At boot the system scans every plist file in that directory and starts each of the corresponding daemons, roughly
  50 or more of them; these daemons are the real mechanism behind the "pseudo-backgrounding" that iOS offers apps.

  com.apple.mediaserverd.plist describes how mediaserverd is launched and which services it provides. mediaserverd mainly supplies the system's audio and video codec services: sound output, recording, video decoding and encoding, and so on.

  The com.apple.airplay.sender.xpc entry in the plist shows that mediaserverd exposes an XPC service.

  XPC is an inter-process communication mechanism on Apple platforms whose purpose is to improve the security and stability of apps. XPC makes inter-process communication easier and lets an app be split into several processes with relatively little effort. The MachServices dictionary below lists every Mach port the daemon registers:

<key>MachServices</key>
	<dict>
		<key>com.apple.BTAudioHALPlugin.xpc</key>
		<true/>
		<key>com.apple.airplay.sender.xpc</key>
		<true/>
		<key>com.apple.audio.AUPBServer</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.audio.AURemoteIOServer</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.audio.AudioConverterServer</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.audio.AudioFileServer</key>
		<true/>
		<key>com.apple.audio.AudioQueueServer</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.audio.AudioSession</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.audio.AudioUnitServer</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.audio.SystemSounds</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.admin</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.asset</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.assetimagegenerator</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.audiodeviceclock</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.audioprocessingtap</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.cpe</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.cpeprotector</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.endpoint</key>
		<true/>
		<key>com.apple.coremedia.formatreader</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.mutablecomposition</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.recorder</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.remaker</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.sandboxserver</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.videocompositor</key>
		<true/>
		<key>com.apple.coremedia.videoqueue</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.virtualdisplay</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.coremedia.virtualdisplayserver</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.fig.movie</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.mediaserverd</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.videoconference.avconference</key>
		<dict>
			<key>ResetAtClose</key>
			<true/>
		</dict>
		<key>com.apple.videoconference.camera</key>
		<dict/>
	</dict>
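As an added example (not code from this post or from Apple), the small Python script below parses a launchd plist such as the one above and reports which MachServices ports the daemon registers and which of them carry the ResetAtClose option, the kind of inventory a defender wants when auditing what a system daemon exposes. The embedded plist is a constructed five-entry excerpt of the dictionary quoted above; the Label and ProgramArguments keys are standard launchd keys but their presence in the real file is an assumption.

```python
import plistlib

# Constructed excerpt of com.apple.mediaserverd.plist: five MachServices entries
# copied from the dictionary quoted above plus the standard launchd
# Label/ProgramArguments keys (the real file lists about thirty services).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.mediaserverd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/mediaserverd</string></array>
  <key>MachServices</key>
  <dict>
    <key>com.apple.airplay.sender.xpc</key><true/>
    <key>com.apple.audio.AudioSession</key>
    <dict><key>ResetAtClose</key><true/></dict>
    <key>com.apple.audio.SystemSounds</key>
    <dict><key>ResetAtClose</key><true/></dict>
    <key>com.apple.coremedia.videocompositor</key><true/>
    <key>com.apple.videoconference.camera</key><dict/>
  </dict>
</dict>
</plist>
"""


def mach_services(plist_bytes: bytes) -> dict:
    """Map each MachServices name to whether ResetAtClose is set.
    launchd accepts a bare <true/> (register the port, no options) or a
    dictionary of options; ResetAtClose is the only option this plist uses."""
    result = {}
    for name, value in plistlib.loads(plist_bytes).get("MachServices", {}).items():
        if isinstance(value, dict):
            result[name] = bool(value.get("ResetAtClose", False))
        elif value is True:
            result[name] = False          # enabled, no per-service options
        else:
            raise ValueError(f"unexpected MachServices entry for {name}: {value!r}")
    return result


def inventory(plist_bytes: bytes) -> dict:
    """Summarise one LaunchDaemon: label, binary path, and the ports it registers."""
    root = plistlib.loads(plist_bytes)
    services = mach_services(plist_bytes)
    return {
        "label": root.get("Label"),
        "program": (root.get("ProgramArguments") or [None])[0],
        "reset_at_close": sorted(n for n, r in services.items() if r),
        "plain": sorted(n for n, r in services.items() if not r),
    }
```

Point the same functions at the real file (read its bytes from /System/Library/LaunchDaemons) to get the full list of ports mediaserverd registers on a given iOS build.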

 

2. What the mediaserverd process does and how it works

  mediaserverd provides the audio and video services; user app processes call its XPC services to decode and encode video.

  XPC reference: https://objccn.io/issue-14-4/

  Audio and video decoding involves driving hardware, and mediaserverd contains a large amount of code that calls into the driver layer. Putting that code behind XPC helps keep user processes from mounting overflow attacks against it and improves system stability: because the single, uniform XPC interface crosses a process boundary, forging data for an overflow attack becomes considerably harder.

  On a jailbroken phone, hooking the audio services inside mediaserverd makes it possible to capture audio, for example to record phone calls.

 

3. Useful methods in mediaserverd

  Disassembly shows that mediaserverd is written in C and is not a Mach-O format binary; the disassembly exposes few symbols, so class-dump cannot extract any useful information from it.

  Below is a snippet of the code that plays system sounds (the decompiler output, with comments added):

// 0x23b50 is a static table filled in on first use:
//   +0x0  FigMediaServerStart   +0x4  dlopen() handle   +0x8  FigMediaServerStop
//   +0xc  FigMediaServerSystemSoundIDShouldPlayWithVolume
//   +0x10 FigMediaServerVibrateForSystemSoundID   +0x14 FigMediaServerSystemSoundIDActivate
int sub_b4fc() {
    sp = sp - 0x8;
    r0 = *0x23b50;                     // cached FigMediaServerStart pointer
    if (r0 != 0x0) goto loc_b5fc;      // already resolved: call it directly

loc_b514:
    // first call: load MediaToolbox, which exports the FigMediaServer* functions
    r0 = dlopen("/System/Library/PrivateFrameworks/MediaToolbox.framework/MediaToolbox", 0x1);
    *(0x23b50 + 0x4) = r0;             // keep the dlopen() handle
    if (r0 != 0x0) goto loc_b54a;

loc_b528:
    // fallback: try the Celestial framework instead
    r1 = dlopen("/System/Library/PrivateFrameworks/Celestial.framework/Celestial", 0x1);
    r0 = 0x21666967;                   // error code 0x21666967 ('!fig' in ASCII)
    *(0x23b50 + 0x4) = r1;
    if (r1 == 0x0) goto .l3;

loc_b54a:
    // resolve each symbol; dlerror() is cleared first and re-checked after every dlsym()
    dlerror();
    *0x23b50 = dlsym(*(0x23b50 + 0x4), "FigMediaServerStart");
    r0 = dlerror();
    if ((r0 != 0x0) || (*0x23b50 == 0x0)) goto loc_b600;

loc_b56e:
    *(0x23b50 + 0x8) = dlsym(*(0x23b50 + 0x4), "FigMediaServerStop");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0x8) == 0x0)) goto loc_b600;

loc_b58e:
    *(0x23b50 + 0xc) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDShouldPlayWithVolume");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0xc) == 0x0)) goto loc_b600;

loc_b5aa:
    *(0x23b50 + 0x10) = dlsym(*(0x23b50 + 0x4), "FigMediaServerVibrateForSystemSoundID");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0x10) == 0x0)) goto loc_b600;

loc_b5c6:
    *(0x23b50 + 0x14) = dlsym(*(0x23b50 + 0x4), "FigMediaServerSystemSoundIDActivate");
    r0 = dlerror();
    if ((r0 != 0x0) || (*(0x23b50 + 0x14) == 0x0)) goto loc_b600;

loc_b5e2:
    // all symbols resolved: recompute the checksum index, then fall through to the call
    r4 = 0x23b50;
    asm{ ldrd       r0, r1, [r0] };
    asm{ stm.w      sp, {r0, r1} };
    FigRecalcSumIndex();
    r0 = *r4;
    goto loc_b5fc;

loc_b5fc:
    r0 = (r0)(r0);                     // call FigMediaServerStart through the resolved pointer
    return r0;

.l3:
    return r0;                         // both dlopen() calls failed: return '!fig'

loc_b600:
    // a dlsym() failed: print the dlerror() message to stderr
    // (the decompiler does not show the vararg passed for %s)
    r1 = "%s\n";
    r3 = *___stderrp;
    fprintf(r3, r1);
    r0 = 0x21666967;
    return r0;
}

  

Posted 2017-04-07 14:17 by 兜兜有糖的博客