hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md


macOS Bundles

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Basic Information

Basically, a bundle is a directory structure within the file system. Interestingly, by default this directory looks like a single object in Finder.

The most common bundle we will encounter is the .app bundle, but many other executables are also packaged as bundles, such as .framework, .systemextension or .kext.

The types of resources contained within a bundle may consist of applications, libraries, images, documentation, header files, etc. All these files are inside <application>.app/Contents/.

ls -lR /Applications/Safari.app/Contents

  • Contents/_CodeSignature

    Contains code-signing information about the application (i.e., hashes, etc.).

  • Contents/MacOS

    Contains the application's binary (which is executed when the user double-clicks the application icon in the UI).

  • Contents/Resources

    Contains UI elements of the application, such as images, documents, and nib/xib files (that describe various user interfaces).

  • Contents/Info.plist

    The application's main “configuration file.” Apple notes that “the system relies on the presence of this file to identify relevant information about [the] application and any related files”.

    • Plist files contain configuration information. You can find information about the meaning of the plist keys at https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html

    • Pairs that may be of interest when analyzing an application include:

      • CFBundleExecutable

      Contains the name of the application's binary (found in Contents/MacOS).

      • CFBundleIdentifier

      Contains the application's bundle identifier (often used by the system to globally identify the application).

      • LSMinimumSystemVersion

      Contains the oldest version of macOS that the application is compatible with.
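
The layout above can be checked programmatically when triaging an unknown bundle. The following is an added example, not code from the original page: it reads Info.plist with Python's plistlib, extracts the three keys listed above, and confirms that CFBundleExecutable names a file inside Contents/MacOS. The function names, the sample bundle and the com.example.sample identifier are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

KEYS = ("CFBundleExecutable", "CFBundleIdentifier", "LSMinimumSystemVersion")

def inspect_bundle(bundle):
    """Summarise the bundle parts described above; file reads only, works on any OS."""
    contents = Path(bundle) / "Contents"
    plist_path = contents / "Info.plist"
    if not plist_path.is_file():
        return {"info": {}, "executable": None, "findings": ["Info.plist missing"]}
    with plist_path.open("rb") as fh:
        plist = plistlib.load(fh)  # accepts both XML and binary plists
    info = {key: plist.get(key) for key in KEYS}
    findings, exe = [], None
    name = info["CFBundleExecutable"]
    if not name:
        findings.append("CFBundleExecutable not set")
    else:
        macos_dir = (contents / "MacOS").resolve()
        candidate = (macos_dir / name).resolve()
        if candidate.parent != macos_dir:
            findings.append("CFBundleExecutable is not a plain file name in Contents/MacOS")
        elif not candidate.is_file():
            findings.append("main executable missing from Contents/MacOS")
        else:
            exe = candidate
    # Presence check only: this does not validate the signature itself.
    if not (contents / "_CodeSignature" / "CodeResources").is_file():
        findings.append("no _CodeSignature/CodeResources found")
    return {"info": info, "executable": exe, "findings": findings}

def make_sample_bundle(root, signed=True):
    """Build a constructed, minimal .app layout so the example runs offline."""
    contents = Path(root) / "Sample.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    (contents / "Resources").mkdir()
    (contents / "MacOS" / "Sample").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Sample",
                       "CFBundleIdentifier": "com.example.sample",
                       "LSMinimumSystemVersion": "10.15"}, fh)
    if signed:
        (contents / "_CodeSignature").mkdir()
        (contents / "_CodeSignature" / "CodeResources").write_bytes(b"")
    return contents.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inspect_bundle(make_sample_bundle(tmp)))
```

On a real system, pass a path such as /Applications/Safari.app to inspect_bundle; an empty findings list only means the expected files are present, not that the code signature is valid.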
