DumpBTM: an open-source version of % sfltool dumpbtm

Primary language: Objective-C. License: GNU General Public License v3.0 (GPL-3.0).

DumpBTM

tl;dr: an open-source version of % sfltool dumpbtm

% ./dumpBTM 
Dumps (unserializes) BackgroundItems-v*.btm

Opened /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v7.btm
...

========================
 Records for UID 501 : 1CAA5D2B-A526-49E2-9A6F-58CACBDF0AFB
========================

#1 
  UUID:              68D88F8B-A750-4A4D-AD31-520E2436FE9F
  Name:              LuLu
  Developer Name:    (null)
  Team Identifier:   VBG97UB4TA
  Type:              app  (0x2)
  Disposition:       [enabled allowed visible notified] (11)
  Identifier:        anchor apple generic and identifier "com.objective-see.lulu.app" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = VBG97UB4TA)
  URL:               file:///Applications/LuLu.app/
  Executable Path:   (null)
  Generation:        2
  Parent Identifier: (null)

#2 
  UUID:              17A60CB8-537A-44D1-A6F8-2EBD22439076
  Name:              AGSService
  Developer Name:    Adobe Creative Cloud
  Team Identifier:   JQ525L2MZD
  Type:              curated legacy daemon  (0x90010)
  Disposition:       [enabled allowed visible notified] (11)
  Identifier:        Adobe_Genuine_Software_Integrity_Service
  URL:               file:///Library/LaunchDaemons/com.adobe.agsservice.plist
  Executable Path:   /Library/Application Support/Adobe/AdobeGCClient/AGSService
  Generation:        1
  Assoc. Bundle IDs: [com.adobe.acc.AdobeCreativeCloud]
  Parent Identifier: Adobe Creative Cloud

Note: the pre-built binary is signed but not notarized (a notarization ticket cannot be stapled to a bare command-line binary), so Gatekeeper will refuse to run it while it carries the quarantine attribute from the download. After making it executable, remove the quarantine attribute so it can be run from Terminal:

% chmod +x dumpBTM
% xattr -rc dumpBTM

Also, make sure Terminal has been granted "Full Disk Access" (System Settings > Privacy & Security); this is required to read the BackgroundItems-v*.btm file.

In macOS Ventura (13), Apple consolidated persistent items (login items, launch agents/daemons) in a new file, BackgroundItems-v*.btm, found in /private/var/db/com.apple.backgroundtaskmanagement/. On macOS 13.0 this file is named BackgroundItems-v4.btm, whereas on macOS 13.1 it is BackgroundItems-v7.btm; the version suffix changes between releases, so match on the wildcard rather than a fixed name.

This file is a serialized binary property list (an NSKeyedArchiver archive). You can dump it via Apple's sfltool, specifying the dumpbtm command-line flag.

DumpBTM is an open-source version of this, which has the following benefits:

  • Open-source
  • Programmatic access to enumerate (persistent) items in the file

The latter point is the notable one, as it lets you build this logic into security/EDR tools: you can now easily and programmatically enumerate all (ok, most) persistent items on a macOS Ventura system, which will include any persistently installed malware.

You can also then monitor this file for changes to detect new persistence events (as now you can parse/unserialize its contents via this project's code).
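The two ideas above (programmatically enumerating the items in the .btm archive, and diffing successive snapshots of it to surface new persistence events) are illustrated by the following added example. It is not part of DumpBTM; it is a stand-alone Python sketch. It relies on the file being an NSKeyedArchiver archive stored as a binary plist, resolves the archive's UID references and NS.objects/NS.keys containers into plain Python objects, and decodes the type and disposition bitmasks into the labels the tool prints. The bit values are inferred from the two sample records on this page (app = 0x2, curated legacy daemon = 0x90010, disposition 11 = enabled, allowed, visible, notified); the other type bits and all record key names (items, uuid, teamIdentifier, ...) are assumptions, and the archive it parses is constructed inline rather than read from a real system.

```python
"""Added example (not DumpBTM code): unarchive a .btm-style NSKeyedArchiver
plist, decode type/disposition bits, and diff two snapshots for new items."""
import plistlib
from plistlib import UID

# Bits inferred from the README's records: app = 0x2, "curated legacy daemon" =
# 0x90010, disposition 11 = enabled|allowed|notified with the unset 0x4 bit shown
# as "visible". The agent/login-item bits are assumptions for illustration only.
TYPE_BITS = {0x80000: "curated", 0x10000: "legacy", 0x10: "daemon",
             0x8: "agent", 0x4: "login item", 0x2: "app"}
DISP_ENABLED, DISP_ALLOWED, DISP_HIDDEN, DISP_NOTIFIED = 0x1, 0x2, 0x4, 0x8


def decode_type(value):
    """Render a type bitmask as labels, highest bit first (0x90010 -> curated legacy daemon)."""
    labels = [name for bit, name in sorted(TYPE_BITS.items(), reverse=True) if value & bit]
    return " ".join(labels) if labels else "unknown (0x%x)" % value


def decode_disposition(value):
    """Render disposition bits the way dumpBTM prints them (11 -> enabled allowed visible notified)."""
    return ["enabled" if value & DISP_ENABLED else "disabled",
            "allowed" if value & DISP_ALLOWED else "disallowed",
            "hidden" if value & DISP_HIDDEN else "visible",
            "notified" if value & DISP_NOTIFIED else "not notified"]


def unarchive(data):
    """Resolve an NSKeyedArchiver archive into plain Python objects.
    The archiver flattens the graph into $objects and links nodes with UIDs;
    NSArray/NSDictionary instances appear as NS.objects / NS.keys."""
    plist = plistlib.loads(data)
    objects, memo = plist["$objects"], {}

    def resolve(node):
        if isinstance(node, UID):
            idx = node.data
            if idx not in memo:
                memo[idx] = None                      # placeholder guards against cycles
                value = resolve(objects[idx])
                memo[idx] = None if value == "$null" else value   # UID(0) encodes nil
            return memo[idx]
        if isinstance(node, dict):
            if "NS.keys" in node and "NS.objects" in node:       # NSDictionary
                return {resolve(k): resolve(v) for k, v in zip(node["NS.keys"], node["NS.objects"])}
            if "NS.objects" in node:                             # NSArray / NSSet
                return [resolve(v) for v in node["NS.objects"]]
            return {k: resolve(v) for k, v in node.items() if k != "$class"}
        if isinstance(node, list):
            return [resolve(v) for v in node]
        return node

    return resolve(plist["$top"]["root"])


def enumerate_items(data):
    """Flatten per-user item lists into decoded records. Key names are hypothetical."""
    records = []
    for user, items in unarchive(data)["items"].items():
        for item in items:
            records.append({"uid": user, "uuid": item["uuid"], "name": item["name"],
                            "team": item.get("teamIdentifier"),
                            "type": decode_type(item["type"]),
                            "disposition": decode_disposition(item["disposition"]),
                            "identifier": item["identifier"], "url": item["url"]})
    return records


def new_persistence(old_records, new_records):
    """Records whose UUID was absent from the previous snapshot: new persistence events."""
    known = {r["uuid"] for r in old_records}
    return [r for r in new_records if r["uuid"] not in known]


def build_sample_archive(include_daemon):
    """Constructed sample in NSKeyedArchiver layout, populated from the README's records."""
    objects = ["$null"]

    def add(obj):                     # append to $objects, return its UID reference
        objects.append(obj)
        return UID(len(objects) - 1)

    def record(uuid, name, team, type_bits, disposition, identifier, url):
        cls = add({"$classname": "ItemRecord", "$classes": ["ItemRecord", "NSObject"]})
        return add({"$class": cls, "uuid": add(uuid), "name": add(name),
                    "teamIdentifier": add(team) if team else UID(0),
                    "type": type_bits, "disposition": disposition,
                    "identifier": add(identifier), "url": add(url)})

    items = [record("68D88F8B-A750-4A4D-AD31-520E2436FE9F", "LuLu", "VBG97UB4TA", 0x2, 11,
                    'anchor apple generic and identifier "com.objective-see.lulu.app"',
                    "file:///Applications/LuLu.app/")]
    if include_daemon:
        items.append(record("17A60CB8-537A-44D1-A6F8-2EBD22439076", "AGSService", "JQ525L2MZD",
                            0x90010, 11, "Adobe_Genuine_Software_Integrity_Service",
                            "file:///Library/LaunchDaemons/com.adobe.agsservice.plist"))
    per_user = add({"NS.keys": [add("501")], "NS.objects": [add({"NS.objects": items})]})
    root = add({"items": per_user})
    return plistlib.dumps({"$version": 100000, "$archiver": "NSKeyedArchiver",
                           "$top": {"root": root}, "$objects": objects}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    before = enumerate_items(build_sample_archive(include_daemon=False))
    after = enumerate_items(build_sample_archive(include_daemon=True))
    for rec in new_persistence(before, after):
        print("new persistence: %s [%s] %s" % (rec["name"], rec["type"], rec["url"]))
```

For a real deployment the snapshot step would read the actual BackgroundItems-v*.btm (which needs Full Disk Access) on each change notification, and the record keys would have to be taken from the real archive's class layout rather than the hypothetical ones used here; the UID-resolution and bitmask logic carries over unchanged.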

Note: Such monitoring was supposed to be accomplished via the Endpoint Security ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD event ...but this event is broken (See: "Endpoint Security Event: ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD is ...broken?" 😓).