uac icon indicating copy to clipboard operation
uac copied to clipboard

Published 20 hours ago verified publisher icon tclahr

Fresh install of macOS lacks dev tools, thus no strings

Open jsdjjsd opened this issue 2 years ago • 3 comments
trafficstars

Annoyingly, Apple doesn't ship the Command Line Developer tools with macOS, thus there is no strings binary to use. When running in a terminal window locally it pops up a message box about this, luckily it does not when using for example EDR.

Screenshot 2023-09-18 at 14 52 07

As a workaround we've taken tbostrings and compiled one for x86_64 and one for arm64 and ship them together with UAC, use a oneliner in the strings_running_processes YAML file with some logic for the artefact to check for the com.apple.quarantine extended attribute, disable it when necessary using xattr, and chmod the executable flag, check CPU architecture, and finally run the appropriate binary with tbostrings %line%. Not perfect, but it works.

jsdjjsd avatar Sep 18 '23 15:09 jsdjjsd

Yeah, I agree that's annoying. I am currently working on UAC version 3 that will provide a property called "condition" in the YAML files. So in order to run the whole YAML file, the condition needs to be true (or false). The idea is to only run strings in macos if strings command is available.

Have you tried to put a copy of the strings command from a macos that has XCode installed into UAC bin directory?

tclahr avatar Sep 19 '23 11:09 tclahr

Yeah, I agree that's annoying. I am currently working on UAC version 3 that will provide a property called "condition" in the YAML files. So in order to run the whole YAML file, the condition needs to be true (or false). The idea is to only run strings in macos if strings command is available.

Have you tried to put a copy of the strings command from a macos that has XCode installed into UAC bin directory?

Yes, this we've also tried, but it's calling a dynamic library that is provided by the Command Line Developer tools, so putting the strings binary from a system that has it, onto a fresh system, it will still generate the same error. You would probably be able to compile it statically, but we went for tbostrings so that we can get all ASCII and UNICODE strings in the same pass, which is nice.

jsdjjsd avatar Sep 19 '23 12:09 jsdjjsd

I will take a look on tbostrings. I will also try to statically compile GNU strings on an Intel and Silicon macs for testing.

tclahr avatar Sep 20 '23 11:09 tclahr

I have pushed a new code to develop that solves this. First, UAC will check if xcode tools is installed in the target system. If not, UAC will use astrings tool (built-in shell function that extracts strings from binary files for any operating system).

Can you download the develop branch and test it, please? Thanks!

tclahr avatar Jul 04 '24 10:07 tclahr

Code has been merged into uac v3.0.0-rc1.

tclahr avatar Jul 24 '24 22:07 tclahr