GitHub: zhutao100/macos-private-framework-research-skill
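# macOS Private Framework Research Skill
An installable agent skill repository for researching private frameworks on modern macOS, providing a repeatable, evidence-backed workflow.
## Skill
`macos-private-framework-research` helps agents discover private framework dependencies, extract dyld shared cache images, reconstruct Objective-C/Swift interfaces, triage methods with ambiguous signatures, and run an LLM-assisted type-inference loop with static validation.
Primary entry point: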
```
macos-private-framework-research/SKILL.md
```
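## Clone
Reference checkouts are optional source markers. Avoid initializing them with `git clone --recurse-submodules --shallow-submodules`: Git runs the recursive submodule checkout with `--no-single-branch`, which makes repositories with many refs fetch the tip of every branch and tag at depth 1.
When the reference sources are needed, use a two-step checkout: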
```
git clone -o zhutao100 https://github.com/zhutao100/macos-private-framework-research-skill.git
cd macos-private-framework-research-skill
git submodule update --init --recursive --depth 1 --single-branch --jobs 4
```
`reference-checkout/hammerspoon` is opt-in because its recursive clone path is particularly large. Initialize it only when needed:
```
git submodule update --init --depth 1 --single-branch --checkout -- reference-checkout/hammerspoon
```
## Install
User-level install for Codex CLI and other clients compatible with Open Agent Skills:
```
macos-private-framework-research/scripts/install_codex_skill.sh --replace
```
Repository-level install:
```
macos-private-framework-research/scripts/install_codex_skill.sh --scope repo --replace
```
Manual install:
```
mkdir -p "$HOME/.agents/skills"
cp -R macos-private-framework-research "$HOME/.agents/skills/"
```
## Common commands
Inventory the host, dyld cache, and tools:
```
macos-private-framework-research/scripts/macos_private_framework_inventory.py \
--output /tmp/macos-pf-inventory.md \
--json-output /tmp/macos-pf-inventory.json
```
Resolve optional non-bundled toolchains only when the workflow needs them:
```
macos-private-framework-research/scripts/resolve_toolchains.py ipsw dyld-shared-cache-extractor
```
Discover private framework usage by a system app or client binary:
```
macos-private-framework-research/scripts/discover_private_frameworks.py \
--output /tmp/disk-utility-private-frameworks.md \
--json-output /tmp/disk-utility-private-frameworks.json \
"/System/Applications/Utilities/Disk Utility.app"
```
Extract a framework from the dyld shared cache:
```
macos-private-framework-research/scripts/extract_dyld_framework.sh \
--framework DiskManagement \
--output-dir /tmp/macos-private-frameworks
```
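Use `--enrich-objc-stubs` only when the extraction needs enrichment; for bounded header output, run `ipsw class-dump` separately.
Before loading raw dependency, symbol, or string dumps, build a bounded framework manifest: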
```
macos-private-framework-research/scripts/framework_macho_manifest.py \
--framework DiskManagement \
--json-output /tmp/DiskManagement.manifest.json \
--markdown-output /tmp/DiskManagement.manifest.md \
--cache-evidence
```
Before loading raw plist dumps, collect focused entitlement evidence:
```
macos-private-framework-research/scripts/collect_code_entitlements.py \
--focus-pattern 'diskmanagement|mach-lookup|xpc|sandbox' \
--output /tmp/DiskManagement.entitlements.md \
--json-output /tmp/DiskManagement.entitlements.json \
/path/to/candidate-binary
```
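The idea behind a focus pattern, as an added Python example that is not the repository's `collect_code_entitlements.py`: parse an entitlements plist and keep only the entries whose key path or string value matches the pattern, with a row cap. The sample plist is constructed (the `com.example.*` service names are made up), and case-insensitive matching and the `max_rows` cap are assumptions.

```python
import plistlib
import re

# Constructed sample in the XML plist shape that
# `codesign -d --entitlements - --xml <binary>` prints; service names are made up.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
    <array>
        <string>com.example.diskmanagement.helper</string>
        <string>com.example.unrelated.service</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
"""

def flatten(value, path=""):
    """Yield (key_path, leaf) pairs so nested arrays and dicts can be matched too."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{path}.{key}" if path else key)
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from flatten(child, f"{path}[{index}]")
    else:
        yield path, value

def focused_entitlements(plist_bytes, focus_pattern, max_rows=20):
    """Keep entries whose key path or string value matches; cap the row count."""
    focus = re.compile(focus_pattern, re.IGNORECASE)  # assumption: case-insensitive
    data = plistlib.loads(plist_bytes)
    hits = [(path, leaf) for path, leaf in flatten(data)
            if focus.search(path) or (isinstance(leaf, str) and focus.search(leaf))]
    return {"total_keys": len(data),
            "matched": hits[:max_rows],
            "truncated": len(hits) > max_rows}
```
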
Probe candidate C symbols and Objective-C classes without actually calling them:
```
macos-private-framework-research/scripts/dlopen_symbol_probe.swift \
--image /System/Library/PrivateFrameworks/DiskManagement.framework/DiskManagement \
--symbol CandidateFunction \
--class CandidateClass \
--json
```
Triage reconstructed headers with ambiguous signatures:
```
macos-private-framework-research/scripts/objc_header_triage.py \
--headers /tmp/DiskManagement.headers \
--output /tmp/DiskManagement.candidates.md \
--json-output /tmp/DiskManagement.candidates.json
```
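Markdown reports are length-limited by default so that agents can process them easily; JSON output stays complete.
Build an LLM-ready MOTIF-style inference context for a single candidate: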
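What triaging ambiguous signatures can look like, as an added Python example that is not the repository's `objc_header_triage.py`: scan class-dump style declarations, rank methods by how many of their types carry no static type information, and render a capped Markdown list while the full candidate list stays available. The header sample is constructed (`DMExampleManager` and its methods are hypothetical), and the ambiguity set and the cap are assumptions.

```python
import re

# Constructed sample in the style of class-dump output; class and methods are hypothetical.
SAMPLE_HEADER = """\
@interface DMExampleManager : NSObject
- (id)diskForPath:(id)arg1 error:(id *)arg2;
- (void)eraseWithOptions:(id)arg1 completion:(CDUnknownBlockType)arg2;
- (BOOL)isBusy;
+ (instancetype)sharedManager;
- (void)setDelegate:(id <DMExampleDelegate>)arg1;
- (void *)rawContext;
@end
"""

# Assumed heuristic: these types give no recoverable static type information.
AMBIGUOUS = {"id", "id *", "void *", "CDUnknownBlockType", "CDUnknownFunctionPointerType"}
METHOD = re.compile(r"^\s*([-+])\s*\(([^)]*)\)(.*);\s*$")

def triage(header_text):
    """Return every method with at least one ambiguous type, most ambiguous first."""
    found, cls = [], None
    for line in header_text.splitlines():
        m_cls = re.match(r"@interface\s+(\w+)", line)
        if m_cls:
            cls = m_cls.group(1)
            continue
        m = METHOD.match(line)
        if not m:
            continue
        kind, ret, rest = m.groups()
        args = re.findall(r":\s*\(([^)]*)\)", rest)
        parts = re.findall(r"(\w+):", rest)
        selector = "".join(p + ":" for p in parts) or rest.strip()
        types = [" ".join(t.split()) for t in [ret, *args]]  # normalise whitespace
        hits = [t for t in types if t in AMBIGUOUS]
        if hits:
            found.append({"class": cls, "method": f"{kind}{selector}", "ambiguous": hits})
    found.sort(key=lambda c: -len(c["ambiguous"]))
    return [{"id": i, **c} for i, c in enumerate(found, 1)]

def render_markdown(candidates, limit=2):
    """Capped report for the agent; the full list is what the JSON output would carry."""
    rows = [f"- [{c['id']}] {c['class']} {c['method']} ({', '.join(c['ambiguous'])})"
            for c in candidates[:limit]]
    if len(candidates) > limit:
        rows.append(f"- ({len(candidates) - limit} more in JSON output)")
    return "\n".join(rows)
```
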
```
macos-private-framework-research/scripts/build_motif_context.py \
--candidate-json /tmp/DiskManagement.candidates.json \
--candidate-id 1 \
--headers /tmp/DiskManagement.headers \
--binary /tmp/macos-private-frameworks/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement \
--output /tmp/DiskManagement.candidate-1.context.json \
--prompt-output /tmp/DiskManagement.candidate-1.prompt.md
```
Lint candidate reconstructed headers before using them as evidence:
```
macos-private-framework-research/scripts/objc_signature_linter.py \
--headers /tmp/DiskManagement.inferred.headers \
--output /tmp/DiskManagement.lint.md \
--json-output /tmp/DiskManagement.lint.json \
--compile
```
## Validation
Repository validation:
```
macos-private-framework-research/scripts/validate_skill_repo.py .
macos-private-framework-research/scripts/resolve_toolchains.py --json-output /tmp/macos-pf-toolchains.json \
>/tmp/macos-pf-toolchains.md
macos-private-framework-research/scripts/framework_macho_manifest.py --framework IntelligenceFlow --cache-evidence \
--json-output /tmp/macos-pf-framework-manifest.json \
--markdown-output /tmp/macos-pf-framework-manifest.md
macos-private-framework-research/scripts/collect_code_entitlements.py --focus-pattern 'intelligenceflow|biome|mach-lookup' \
--output /tmp/macos-pf-entitlements.md \
--json-output /tmp/macos-pf-entitlements.json \
/System/Library/PrivateFrameworks/IntelligenceFlowRuntime.framework/Versions/A/intelligenceflowd
python3 -m py_compile macos-private-framework-research/scripts/*.py
bash -n macos-private-framework-research/scripts/*.sh
macos-private-framework-research/scripts/dlopen_symbol_probe.swift --help >/tmp/macos-pf-dlopen-help.txt
zsh -n framework-surveys/intelligenceflow-agent-survey/scripts/*.zsh
python3 -m py_compile framework-surveys/intelligenceflow-agent-survey/scripts/*.py
zsh -n framework-surveys/skylight-agent-survey/tools/*.zsh
python3 -m py_compile framework-surveys/skylight-agent-survey/tools/*.py
```
On a macOS host, when survey packages are involved, also run the inventory script, a small app/binary discovery pass, and the survey header verifiers.
```
framework-surveys/intelligenceflow-agent-survey/scripts/verify_intelligenceflow_presence_header.zsh \
/tmp/intelligenceflow-presence-verify.json
swift framework-surveys/skylight-agent-survey/tools/dlopen_probe_symbols.swift --json \
>/tmp/skylight-dlsym-probe.json
framework-surveys/skylight-agent-survey/tools/verify_skylight_readonly_header.zsh \
/tmp/skylight-readonly-verify.json
```