KnockKnock icon indicating copy to clipboard operation
KnockKnock copied to clipboard
verified publisher icon objective-see

Feature Request: Add GlobalLoginItems plist to LoginItems enumeration

Open D00MFist opened this issue 4 years ago • 1 comments

Feature Request: to expand existing loginitem enumeration to also include login items written using Launch Services Framework specifying all users ($.kLSSharedFileListGlobalLoginItems). This is the method within the Apfell agent of Mythic Example standalone JXA script adapted from Apfell agent:

testLogItem.js

function loginitem() {
    ObjC.import('CoreServices');
    ObjC.import('Security');
    ObjC.import('SystemConfiguration');
    let auth;
    let result = $.AuthorizationCreate($.nil, $.nil, $.kAuthorizationDefaults, Ref(auth));
    if (result === 0) {
        let temp = $.CFURLCreateFromFileSystemRepresentation($.kCFAllocatorDefault, '/Applications/Safari.app/Contents/MacOS/Safari', '/Applications/Safari.app/Contents/MacOS/Safari'.length, false);
        let items = $.LSSharedFileListCreate($.kCFAllocatorDefault, $.kLSSharedFileListGlobalLoginItems, $.nil);
        $.LSSharedFileListSetAuthorization(items, auth);
        let cfName = $.CFStringCreateWithCString($.nil, 'WebTest', $.kCFStringEncodingASCII);
        let itemRef = $.LSSharedFileListInsertItemURL(items, $.kLSSharedFileListItemLast, cfName, $.nil, temp, $.nil, $.nil);
        return {"user_output": "LoginItem installation successful", "completed": true};
    } else {
        return {"user_output": `LoginItem installation failed: AuthorizationCreate returned ${result}`, "completed": true};
    }
};
loginitem()

When this method is used the GlobalLoginItems.sfl2 is saved to and not backgrounditems.btm like in other instances. If you replace the items line with the following (specifying current session) then the backgrounditems.btm is modified.

let items = $.LSSharedFileListCreate($.kCFAllocatorDefault, $.kLSSharedFileListSessionLoginItems, $.nil);

Also ~/Library/Application\ Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.GlobalLoginItems.sfl2 appears to be formatted similarly to ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.

D00MFist avatar May 21 '21 18:05 D00MFist

com.apple.LSSharedFileList.GlobalLoginItems.sfl2 is protected, you can not get raw access by default, but using API: LSSharedFileListCreate.

x13a avatar Dec 18 '21 18:12 x13a