I'm trying to reverse the way dpsconfigad extracting the current active directory domain.
Notice : It's rather simple query that can be performed using OpenDirectory public framework but it requires a username from this domain as an input, whereas dpsconfigad doesn't require any inputs.
So It appears that the framework which responsible for this functionality of retrieving the AD is : /System/Library/PrivateFrameworks/OpenDirectoryConfig.framework/Versions/A/OpenDirectoryConfig which I've linked with my project.
After looking at assembly code of dpsconfigad, I was able to trace the specific method that extract this information is readCurrentADSettings from class ODCAction and here's the function invocation:
int sub_100004316(int arg0, int arg1, int arg2) {
var_28 = 0x0;
--> rax = [ODCAction readCurrentADSettings:0x0 error:rcx];
I've tried to imitate it with my own program using reflection :
#import <objc/runtime.h>
int main(int argc, const char * argv[]) {
Class ODCAction_cls = NSClassFromString(@"ODCAction");
NSObject *currentADSettings_obj = [ODCAction_cls performSelector:@selector(readCurrentADSettings:error:)
withObject:nil withObject:nil];
NSLog(@"AD settings: %@", currentADSettings_obj);
}
I did get the class properly, but the invocation itself returned nil.. Perhaps it's because I put nil instead of 0x0 and probably a pointer value which represented by Rcx in the original call.
Can anyone help me make this call return non-null value (from the assembly code it seems to be a dictionary with "active directory domain" as one of it's keys)
Aucun commentaire:
Enregistrer un commentaire