Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Symbol and Entitlement Search tools
Symbol Cache/Search
I wrote some scripts to help me find symbols on Mac OSOperating System X called Symcache. It does a recursive find on a configurable set of directories looking for Mach-O binaries. Then, it extracts the defined and undefined symbols from the binaries using nm and inserts them into a sqlite database that makes future lookups very quick and easy.
To install the files, just put all of the files in bin/ into your PATH, then you can run the tool as follows:
# generate the symbol cache
# this could take an hour or two...
symcache.sh
# find a symbol definition
findsym.sh _CFCopySystemVersionDictionary
# find all references to mbuf_data
findsym.sh -u mbuf_data
# search for symbols containing the string SOSGetTransportMessages
findsym.sh -l SOSGetTransportMessages
Since building the symbol database takes a long time, I've uploaded the cache for 10.10.5 here. Put it in ~/.symcache.db to make it the default symbol database.
Entitlement Cache/Search
You can also search all mach-o files on a system for entitlements and cache these in a database:
# build the entitlement database
cache_entitlements.sh
# show all %apple% entitlements
findent.sh -l apple