Output Format
boko has two forms of output when used as a standalone tool, CSV (-oC) and standard output log (-oS). Both can be used with the -oA flag.
The CSV flag will output two CSV files, one dedicated to vulnerabilities (outputfile-vulnerabilities.csv) and one for any interesting files that were discovered by the scan (outputfile-interesting-files.csv).
Below is a brief description of the vulnerabilities CSV columns:
| Column Header | Description |
|---|---|
| Filename | Name of affected file |
| Full path | Full path to affected file |
| File type | Whether the affected file is a main executable, dylib, bundle, Kext bundle, or script (boko may pull the script type from the file header; otherwise it is labeled Script) |
| Discovery Mode | Shows which discovery method was used, Passive or Active |
| Vulnerability | One of the three types of vulnerabilities boko looks for: Dylib Hijack, Weak Dylib, or Backdoorable Script |
| Certainty | How certain boko is of the vulnerability: Definite, High, Potential, Low |
| Read Only Partition (SIP) | If the affected hijackable path is within a default read-only path |
| Write permission | If the user context that ran the script has write permission to the hijackable path |
| Hijack This Path | File path where a malicious dylib could be placed to exploit the vulnerability |
| Dylib Load Order | The order in which the dylib rpath is expanded by the executable |
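As an added example (not part of boko), the following Python snippet reads these columns from outputfile-vulnerabilities.csv and ranks findings for remediation, keeping only those at or above a chosen certainty whose hijackable path is writable and not SIP-protected. The sample rows and the "True"/"False" values of the SIP and write-permission cells are constructed assumptions, not real scan output.

```python
import csv
import io

# Certainty values as documented for the Certainty column, ranked for sorting.
CERTAINTY_RANK = {"Definite": 3, "High": 2, "Potential": 1, "Low": 0}

# Constructed sample rows in the documented column layout (not real boko output).
# The SIP and write-permission cells are assumed to be "True"/"False".
SAMPLE_CSV = """\
Filename,Full path,File type,Discovery Mode,Vulnerability,Certainty,Read Only Partition (SIP),Write permission,Hijack This Path,Dylib Load Order
ExampleApp,/Applications/ExampleApp.app/Contents/MacOS/ExampleApp,Executable,Passive,Dylib Hijack,Definite,False,True,/Applications/ExampleApp.app/Contents/Frameworks/libexample.dylib,1
systool,/usr/bin/systool,Executable,Passive,Weak Dylib,Definite,True,False,/usr/lib/libweak.dylib,1
helper,/Users/alice/bin/helper,Executable,Active,Dylib Hijack,High,False,True,/Users/alice/lib/libplugin.dylib,2
legacy,/opt/legacy/legacy,Executable,Passive,Weak Dylib,Potential,False,True,/opt/legacy/lib/libold.dylib,1
daemon,/Library/Daemons/daemon,Executable,Passive,Dylib Hijack,High,False,False,/Library/Daemons/lib/libx.dylib,1
"""


def _is_true(cell):
    """Interpret a boolean-ish CSV cell; anything unrecognised counts as False."""
    return (cell or "").strip().lower() in {"true", "yes", "y", "1"}


def triage(csv_text, min_certainty="High"):
    """Return (certainty, full path, vulnerability, hijackable path) tuples for
    findings at or above min_certainty whose hijackable path is writable by the
    scanning user and not on a SIP read-only partition, highest certainty first."""
    threshold = CERTAINTY_RANK[min_certainty]
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rank = CERTAINTY_RANK.get(row.get("Certainty", "").strip(), -1)
        if rank < threshold:
            continue  # below the requested certainty (or an unknown value)
        if _is_true(row.get("Read Only Partition (SIP)")):
            continue  # SIP-protected path: the hijackable location cannot be written
        if not _is_true(row.get("Write permission")):
            continue  # scanning user cannot write there; lower remediation priority
        hits.append((row["Certainty"], row["Full path"],
                     row["Vulnerability"], row["Hijack This Path"]))
    hits.sort(key=lambda h: (-CERTAINTY_RANK[h[0]], h[1]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(" | ".join(hit))
```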
While searching for executables, boko scrapes every file it encounters, so the interesting-files CSV contains anything that may be useful for later analysis. Any files on the system that are not marked as executable will end up in this file, as well as executable files that do not have a typical script extension or whose file headers do not indicate a real executable binary, dylib, bundle, or kext bundle.
By default, boko removes files such as audio files, images, and other files that recur throughout macOS and are unlikely to be useful. If you don't want these files removed, just empty the self.uninterestingexts list in the ExecutableScanner class. Also, if certain files come up often, feel free to send a pull request adding them to that list.
Below is a brief description of the interesting file CSV columns:
| Column Header | Description |
|---|---|
| Filename | Name of affected file |
| Full path | Full path to affected file |
| File type | The file extension, if one is present; otherwise marked as Misc |
| Write permission | If the user context that ran the script has write permission to file |
If verbose mode is used (-v), boko will output everything it finds, including the files it is scanning, all rpaths it discovers (both the expanded and the relative path), and which executable files are vulnerable, along with their certainty and read/write permissions. Without verbose mode, boko will only output "Definite" certainty vulnerabilities and will omit all other output.
Output of the files it finds is in the following format (Vulnerability Type and Certainty are omitted for interesting files):
[<Indicator for easy viewing>] [<File type>] [<File name>] [<Vulnerability Type>] [<Certainty>] [<SIP ReadOnlyPartition/Read/Write permission>] <Full Path>