Ivan Vučica  committed 11a31a3

Public release

  • Participants
  • Parent commits 0f56a87
  • Branches master

Comments (0)

Files changed (4)

File Ideas on disabling the signature check.rtf

 {\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fnil\fcharset0 Menlo-Regular;}
-\f0\fs24 \cf0 First kill process, with kill -9. Then use gdb\
+\f0\b\fs24 \cf0 NOTE\
+\b0 The following notes 
+\b NOT 
+\b0 intended as instructions, but as research notes. Treat these notes as such.\
+First kill process, with kill -9. Then use gdb\
 killall -9\
+# ShareKitTest: Research into injecting custom sharing services for OS X
+OS X 10.8 Mountain Lion has introduced a share button as a concept. This was
+integrated into various applications shipping with the OS, and was exposed as
+a public API for application developers.
+It's a very handy way to share content for users, and easy to implement for
+The trouble is, some of us don't use just the "proscribed" services such as
+Twitter or Facebook. OS X 10.9 Mavericks has introduced LinkedIn and more,
+but some services are sorely missing.
+**Note:** The code was developed under OS X 10.8, which is why I am
+releasing it. I am uninterested in further exploration on how to write sharing
+plugins, since I have never went into working on the Google+ plugin that was
+the motivation behind the search (aside from the fact that Apple actively
+blocked something so trivial).
+I am not a security researcher nor do I ordinarily play with defeating systems.
+This has piqued my interest because I was being blocked from using trivial
+services on *my own machine*. And having upgraded to 10.9, and this method 
+still working, but me no longer being motivated to continue exploration of the
+APIs, I release this in hope someone else will play with it. 
+Hopefully, Apple will not be inspired to block people completely off. I really
+like the deep integration of something that works more elegantly than 
+NeXT-style Services. Please, Apple, open ShareKit up.
+## Research
+OS X 10.8 has a helper process that actually provides the sharing service
+to applications. Access to this helper process is provided solely through
+a simple API. This is alright. What's even better is that there are bundles
+with extension `.sharingservice` implementing individual services.
+Surely we could just implement a plugin and have it loaded by `ShareKit`,
+as this entire framework is fondly named by Apple?
+Of course not. If you try that, first you find out that the plugin is not
+even looked for in the expected location such as `/Library/ShareKit/PlugIns`,
+which would be analogous to where these are looked for in the System domain's
+`Library` folder. Not wanting to dig into `/System` (which is a big no-no),
+you figure out that you can put the framework in 
+Hurray? Of course not! You get informed that:
+[2646]: --error: [ShareKit-Plugin] ShareKit plugin is not signed by Apple: file:///AppleInternal/Library/ShareKit/PlugIns/ShareKitTest.sharingservice/
+[2646]: ShareKit plugin is not signed by Apple: file:///AppleInternal/Library/ShareKit/PlugIns/ShareKitTest.sharingservice/
+Thanks so much, for first not documenting this and then blocking enterprising
+developers and hackers from even trying to figure out how to load their
+own plugins. Oh well -- there must be reasons for not disclosing a way
+to access ShareKit.
+## Workaround
+You can use a debugger such as `gdb` or `lldb` to attach to the
+`` process as soon as it launches. When it launches,
+you tell the process to break as soon as it enters `NSApplicationMain()`;
+you want some setup to be done and some essential frameworks to be loaded
+before loading your own code.
+Then you load your plugin. Inside this code, we abuse the fact that Objective-C
+categories override the base class methods. That is, if we extend an
+Objective-C class with a category (those not familiar with the language:
+a category is not a subclass), we actually replace the implementation of the
+ShareKit has an interesting class `SHKServicesManager` with an even more
+interesting method: `- (BOOL)isFileSignedByAppleAtURL:(id)arg1`. Accepting an
+`NSURL`, we can trivially return `YES` and every single plugin will be loaded
+by ShareKitHelper. (Our plugin is already loaded, so no problem there.)
+Next we have to implement a `SHKShareWindowServiceProvider`. Our subclass
+will return services in appropriate contexts, window controller class,
+service images, etc.
+We also need to implement a `SHKShareWindowController` subclass, which will
+contain our actual user interface.
+## On the xcode project
+The Xcode project contains a custom 'Run Script' build step which deploys
+the plugin into `/AppleInternal` path. It also contains a 'shared schema'
+which is configured to, before running, `killall -9`.
+Then it waits for 'something' (your click on a Share button) to run 
+Service should then be loaded and the Share button should show two new
+options, the second of which actually has some user interface.
+(Looking back, I don't know why my original instructions include breaking
+at `NSApplicationMain()`. Obviously because otherwise the plugin didn't work.
+However, looking at the Xcode project's configuration, obviously this is not
+## Future
+My research into injecting an extra service has stopped once I succeeded in
+injecting custom dummy services into ShareKit.
+When today I was researching whether the project still works under OS X 10.9,
+initially it didn't work. I didn't know why; fiddling around, it started to
+work as if nothing happened.
+Everything is an experiment created during 10.8. Apple might block off
+attaching a debugger from `ShareKitHelper` in the future, which is why I
+still would advise people not to create finished products based on this
+knowledge. You may want to keep your plugin and application and what-not
+for other hackers. It's your choice, of course.
+-- Ivan Vucica <> - Oct 5 2013

File ShareKitTest.xcodeproj/project.pbxproj

 		7F01681E15D134200024847C /* IVSharingWindowController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IVSharingWindowController.m; sourceTree = "<group>"; };
 		7F01681F15D134200024847C /* IVSharingWindowController.xib */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = file.xib; path = IVSharingWindowController.xib; sourceTree = "<group>"; };
 		7F01682215D136720024847C /* ShareKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ShareKit.framework; path = ../../../../../System/Library/PrivateFrameworks/ShareKit.framework; sourceTree = "<group>"; };
+		7F066A7C1800A21F00C094BD /* sharekit-dev.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = "sharekit-dev.txt"; sourceTree = "<group>"; };
 		7F1DE58315D6D5C100C2AE2A /* SHKServicesManager+DisableSignatureCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "SHKServicesManager+DisableSignatureCheck.h"; sourceTree = "<group>"; };
 		7F1DE58415D6D5C100C2AE2A /* SHKServicesManager+DisableSignatureCheck.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "SHKServicesManager+DisableSignatureCheck.m"; sourceTree = "<group>"; };
 		7F1DE58615D6E7E000C2AE2A /* Ideas on disabling the signature check.rtf */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.rtf; path = "Ideas on disabling the signature check.rtf"; sourceTree = "<group>"; };
 			children = (
 				7FF0D739172888200071BBBF /* AppKit.framework */,
 				7F1DE58615D6E7E000C2AE2A /* Ideas on disabling the signature check.rtf */,
+				7F066A7C1800A21F00C094BD /* sharekit-dev.txt */,
 				7F01682215D136720024847C /* ShareKit.framework */,
 				7F01680D15D132D40024847C /* ShareKitTest */,
 				7F01680A15D132D40024847C /* Frameworks */,
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "rm -rf /AppleInternal/Library/ShareKit/PlugIns/ShareKitTest.sharingservice\nditto \"/Users/ivucica/Library/Developer/Xcode/DerivedData/ShareKitTest-eetlgbexkbfbkleiklrxxbdknndw/Build/Products/Debug/ShareKitTest.sharingservice\" \"/AppleInternal/Library/ShareKit/PlugIns/ShareKitTest.sharingservice\"\n\n";
+			shellScript = "killall -9\n\nrm -rf /AppleInternal/Library/ShareKit/PlugIns/ShareKitTest.sharingservice\nif ditto \"$BUILT_PRODUCTS_DIR\"/\"$FULL_PRODUCT_NAME\" \"/AppleInternal/Library/ShareKit/PlugIns/$FULL_PRODUCT_NAME\"; then\n  echo \"Deployed sharing service\"\nelse\n  echo \"display dialog \\\"ShareKitTest Xcode project could not deploy $FULL_PRODUCT_NAME.\\n\\nIn Terminal, please run 'sudo mkdir -p /AppleInternal/Library/ShareKit/PlugIns/' and 'sudo chmod 777 /AppleInternal/Library/ShareKit/PlugIns/' to get automatic deployment to work.\\n\\nWhile this has security implications, everything is alright as long as you're aware of them.\\\"\" | osascript\nfi\n\n";
 /* End PBXShellScriptBuildPhase section */

File sharekit-dev.txt

+First kill process, with kill -9.
+Then use gdb
+file "/System/Library/PrivateFrameworks/ShareKit.framework/Versions/A/XPCServices/"
+attach -waitfor
+break -[SHKServicesManager loadPlugin:]
+print (void)[[(id)[NSBundle bundleWithPath:(id)[NSString stringWithUTF8String:"/AppleInternal/Library/ShareKit/PlugIns/ShareKitTest.sharingservice"]] load]
+delete 1