Latest commit

workspace now contains:
a library
a tool (that builds/links against library)

Library exposes two APIs:

//dump to stdout
NSInteger dump(NSURL* path);

//parse into a dictionary
NSDictionary* parse(NSURL* path);
5294417
DumpBTM

tl;dr: an open-source version of % sfltool dumpbtm

% ./dumpBTM 
Dumps (unserializes) BackgroundItems-v*.btm

Opened /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v7.btm
...

========================
 Records for UID 501 : 1CAA5D2B-A526-49E2-9A6F-58CACBDF0AFB
========================

#1 
  UUID:              68D88F8B-A750-4A4D-AD31-520E2436FE9F
  Name:              LuLu
  Developer Name:    (null)
  Team Identifier:   VBG97UB4TA
  Type:              app  (0x2)
  Disposition:       [enabled allowed visible notified] (11)
  Indentifier:       anchor apple generic and identifier "com.objective-see.lulu.app" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = VBG97UB4TA)
  URL:               file:///Applications/LuLu.app/
  Executable Path:   (null)
  Generation:        2
  Parent Identifier: (null)
  
  #2 
  UUID:              17A60CB8-537A-44D1-A6F8-2EBD22439076
  Name:              AGSService
  Developer Name:    Adobe Creative Cloud
  Team Identifier:   JQ525L2MZD
  Type:              curated legacy daemon  (0x90010)
  Disposition:       [enabled allowed visible notified] (11)
  Indentifier:       Adobe_Genuine_Software_Integrity_Service
  URL:               file:///Library/LaunchDaemons/com.adobe.agsservice.plist
  Executable Path:   /Library/Application Support/Adobe/AdobeGCClient/AGSService
  Generation:        1
  Assoc. Bundle IDs: [com.adobe.acc.AdobeCreativeCloud]
  Parent Identifier: Adobe Creative Cloud

Note: If you're running the pre-built binary, it is signed but not notarized (Apple doesn't support notarizing command-line tools). So after making it executable, remove the quarantine attribute so it can be run (via Terminal).

% chmod +x dumpBTM
% xattr -rc dumpBTM

Also, make sure you give Terminal "Full Disk Access" (a requirement to read the BackgroundItems-v4.btm file).

In macOS Ventura (13), Apple consolidated persistent items (login items, launch agents/daemons) into a new file, BackgroundItems-v*.btm, found in /private/var/db/com.apple.backgroundtaskmanagement/. On macOS 13.0 this file is named BackgroundItems-v*.btm, whereas on macOS 13.1 it's BackgroundItems-v7.btm.

This file is a serialized binary property list. You can dump it via Apple's sfltool, specifying the dumpbtm command-line flag.

DumpBTM is an open-source version of this, with the following benefits:

  • Open-source
  • Programmatic access to enumerate (persistent) items in the file

The latter point is most notable, as it allows you to add such logic to security/EDR tools. Specifically, you can now easily and programmatically enumerate all (ok, most) persistent items on a macOS Ventura system (which will include any persistently installed malware).

You can also monitor this file for changes to detect new persistence events (since you can now parse/unserialize its contents via this project's code).

Note: Such monitoring was supposed to be accomplished via the Endpoint Security ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD event ...but this event is broken (see: "Endpoint Security Event: ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD is ...broken?" 😓).
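The two uses described above, programmatic enumeration of the records and change monitoring to surface new persistence events, as an added Python example that is not part of DumpBTM or its Objective-C library. It unserializes a binary property list with plistlib and diffs two snapshots keyed by UUID. The record key names (items, uuid, teamIdentifier, ...) are this example's own schema modelled on the fields dumpBTM prints, not the real on-disk layout of BackgroundItems-v*.btm, and the Disposition and Type bit assignments are inferred from the sample output above (11 printed as [enabled allowed visible notified]; 0x2 as app; 0x90010 as curated legacy daemon), so they are assumptions. The sample records are constructed inline; the third one and its UUID are placeholders.

```python
"""Parse a binary-plist snapshot of BTM-style records and diff two snapshots."""
import plistlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Disposition bits: an assumption of this example, inferred from the sample line
# "Disposition: [enabled allowed visible notified] (11)" (11 = 0x1 | 0x2 | 0x8;
# "visible" is taken to be the absence of a hidden bit).
DISPOSITION_ENABLED = 0x1
DISPOSITION_ALLOWED = 0x2
DISPOSITION_HIDDEN = 0x4
DISPOSITION_NOTIFIED = 0x8

# Type bits: likewise inferred from "app (0x2)" and "curated legacy daemon (0x90010)".
TYPE_FLAGS = ((0x80000, "curated"), (0x10000, "legacy"), (0x10, "daemon"), (0x2, "app"))


def decode_disposition(value: int) -> List[str]:
    """Expand the disposition bitmask into the flag names dumpBTM prints."""
    flags = []
    if value & DISPOSITION_ENABLED:
        flags.append("enabled")
    if value & DISPOSITION_ALLOWED:
        flags.append("allowed")
    if not value & DISPOSITION_HIDDEN:
        flags.append("visible")
    if value & DISPOSITION_NOTIFIED:
        flags.append("notified")
    return flags


def decode_type(value: int) -> str:
    """Expand the type bitmask into a space-separated description."""
    names = [name for bit, name in TYPE_FLAGS if value & bit]
    return " ".join(names) if names else "unknown"


@dataclass(frozen=True)
class Record:
    uuid: str
    name: str
    team_identifier: str
    item_type: int
    disposition: int
    identifier: str
    url: str

    def summary(self) -> str:
        return (f"{self.name} [{self.team_identifier}] {decode_type(self.item_type)} "
                f"{decode_disposition(self.disposition)} {self.url}")


def parse_records(plist_bytes: bytes) -> Dict[str, Record]:
    """Unserialize a binary plist whose "items" key maps a UID (as a string) to a
    list of record dictionaries; returns the records keyed by UUID.
    This key layout is the example's own schema, not the real file format."""
    root = plistlib.loads(plist_bytes)
    records: Dict[str, Record] = {}
    for _uid, items in root["items"].items():
        for item in items:
            rec = Record(uuid=item["uuid"], name=item["name"],
                         team_identifier=item["teamIdentifier"],
                         item_type=item["type"], disposition=item["disposition"],
                         identifier=item["identifier"], url=item["url"])
            records[rec.uuid] = rec
    return records


def detect_persistence_events(before: Dict[str, Record], after: Dict[str, Record]):
    """Diff two snapshots: a UUID only in `after` is new persistence, one only in
    `before` was removed, and a shared UUID whose fields differ (e.g. disposition)
    is reported as changed. Lists are sorted by name for stable output."""
    by_name = lambda r: r.name
    added = sorted((after[u] for u in after.keys() - before.keys()), key=by_name)
    removed = sorted((before[u] for u in before.keys() - after.keys()), key=by_name)
    changed = sorted((after[u] for u in after.keys() & before.keys()
                      if after[u] != before[u]), key=by_name)
    return {"added": added, "removed": removed, "changed": changed}


def example_snapshots() -> Tuple[bytes, bytes]:
    """Constructed sample data: two records mirroring the page's dumpBTM output, then
    a second snapshot where a placeholder daemon appears and AGSService loses its
    enabled bit (11 -> 10)."""
    lulu = {"uuid": "68D88F8B-A750-4A4D-AD31-520E2436FE9F", "name": "LuLu",
            "teamIdentifier": "VBG97UB4TA", "type": 0x2, "disposition": 11,
            "identifier": "com.objective-see.lulu.app",
            "url": "file:///Applications/LuLu.app/"}
    ags = {"uuid": "17A60CB8-537A-44D1-A6F8-2EBD22439076", "name": "AGSService",
           "teamIdentifier": "JQ525L2MZD", "type": 0x90010, "disposition": 11,
           "identifier": "Adobe_Genuine_Software_Integrity_Service",
           "url": "file:///Library/LaunchDaemons/com.adobe.agsservice.plist"}
    # Placeholder record and UUID, constructed for this example only.
    new_daemon = {"uuid": "00000000-0000-4000-8000-000000000000", "name": "ExampleDaemon",
                  "teamIdentifier": "EXAMPLE000", "type": 0x10, "disposition": 11,
                  "identifier": "com.example.daemon",
                  "url": "file:///Library/LaunchDaemons/com.example.daemon.plist"}
    before = {"items": {"501": [lulu, ags]}}
    after = {"items": {"501": [lulu, dict(ags, disposition=10), new_daemon]}}
    return (plistlib.dumps(before, fmt=plistlib.FMT_BINARY),
            plistlib.dumps(after, fmt=plistlib.FMT_BINARY))


if __name__ == "__main__":
    old, new = example_snapshots()
    for kind, recs in detect_persistence_events(parse_records(old), parse_records(new)).items():
        for rec in recs:
            print(f"{kind}: {rec.summary()}")
```

Keying the diff on UUID rather than on name or path is deliberate: a record that keeps its UUID but changes disposition (here AGSService dropping the enabled bit) shows up as "changed" rather than as a remove/add pair, which is the distinction a monitoring tool wants when deciding whether a new item was installed or an existing one was merely toggled.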
