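/*
 * Repository layout:
 *   ├── README.md
 *   ├── mythicPrintTCCdb.png
 *   └── printTCCdb.js
 *
 * /README.md:
 * --------------------------------------------------------------------------------
 * # PrintTCCdb
 * JXA script for Mythic that prints the TCC.db\
 * Blog Post: https://antman1p-30185.medium.com/who-has-full-disk-access-12a523723d30
 * ## Usage:
 * 1. In Mythic, use `jsimport` and upload printTCCdb.js
 *     - [Apfell Agent jsimport source code](https://github.com/MythicAgents/apfell/blob/master/Payload_Type/apfell/agent_code/jsimport.js)
 * 3. Use `jsimport_call{"command":"print_tccdb()"}` with one of 3 parameters
 *     1. root - `jsimport_call{"command":"print_tccdb('root')"}` - Lists the contents of the root TCC.db `/Library/Application Support/com.apple.TCC/TCC.db`
 *     2. currUser - `jsimport_call{"command":"print_tccdb('currUser')"}` - Lists the contents of the current user's TCC.db `~/Library/Application Support/com.apple.TCC/TCC.db`
 *     3. A specified User - `jsimport_call{"command":"print_tccdb('CarlosSpiceyWiener')"}` - Lists the contents of a specified user's TCC.db `/Users/CarlosSpiceyWiener/Library/Application Support/com.apple.TCC/TCC.db`
 * ### The TCC.db will print to the Mythic UI
 * ![alt text](https://github.com/antman1p/PrintTCCdb/blob/main/mythicPrintTCCdb.png?raw=true)
 *
 * /mythicPrintTCCdb.png:
 * --------------------------------------------------------------------------------
 * https://raw.githubusercontent.com/antman1p/PrintTCCdb/c54502d24a30dbdf461cfe7c3da3b5b330b38ac0/mythicPrintTCCdb.png
 *
 * /printTCCdb.js:
 * --------------------------------------------------------------------------------
 */
ObjC.import('sqlite3');

/**
 * Dump the `access` table of a TCC.db as pipe-separated text.
 *
 * The database path is chosen from `context`:
 *   - 'root'     -> /Library/Application Support/com.apple.TCC/TCC.db
 *   - 'currUser' -> the TCC.db under /Users/<NSUserName()>/
 *   - otherwise  -> the TCC.db under /Users/<context>/
 *
 * Only the first five columns returned by `select * from access` are
 * printed; which fields those are depends on the TCC schema of the OS
 * version and is not fixed by this script.
 *
 * NOTE(review): macOS is expected to refuse reads of TCC.db unless the
 * calling process holds Full Disk Access, so a successful dump also shows
 * that the host process has that grant. A scripting host opening either
 * TCC.db path is unusual and worth alerting on in file-access telemetry.
 *
 * @param {string} context 'root', 'currUser', or a single user name
 *     (one path component: no '/', not '.' or '..').
 * @returns {string} A header line followed by one line per row, or the
 *     stringified error if stepping through the rows throws.
 * @throws {Error} If `context` is not a usable user name, or if opening
 *     the database, preparing the statement, or closing the database
 *     does not return SQLITE_OK.
 */
function print_tccdb(context) {
    var err;
    var filename = "";
    var ppDb = Ref();
    var tccRelPath = '/Library/Application Support/com.apple.TCC/TCC.db';

    // Pick the database path from the requested context.
    switch (context) {
        case 'root':
            filename = $(tccRelPath).stringByStandardizingPath.js;
            break;
        case 'currUser':
            filename = $('/Users/' + $.NSUserName().js + tccRelPath).stringByStandardizingPath.js;
            break;
        default:
            // The name is spliced into a path that is then standardized, so a
            // value such as '../x' would resolve outside /Users/<name>/.
            // Accept a single path component only.
            if (typeof context !== 'string' || context === '' || context === '.' ||
                context === '..' || context.indexOf('/') !== -1) {
                throw new Error('print_tccdb: context must be "root", "currUser" or a user name without path separators');
            }
            filename = $('/Users/' + context + tccRelPath).stringByStandardizingPath.js;
    }

    err = $.sqlite3_open(filename, ppDb);
    var db = ppDb[0];
    if (err != $.SQLITE_OK) {
        // SQLite hands back a connection handle even when the open fails, and
        // it must still be closed. Build the Error first so the message is
        // copied before the handle goes away.
        var openError = new Error($.sqlite3_errmsg(db));
        $.sqlite3_close(db);
        throw openError;
    }

    // Declared locally: the original assigned sql/ppStmt/pStmt as implicit globals.
    var sql = 'select * from access';
    var ppStmt = Ref();
    err = $.sqlite3_prepare(db, sql, -1, ppStmt, Ref());
    if (err != $.SQLITE_OK) {
        // Do not leak the open connection when the statement cannot be prepared.
        var prepareError = new Error($.sqlite3_errmsg(db));
        $.sqlite3_close(db);
        throw prepareError;
    }
    var pStmt = ppStmt[0];

    var output = "**** TCC.db at " + filename + " ****\n";
    try {
        // NOTE(review): the loop stops on any code other than SQLITE_ROW, so a
        // step error ends the dump early without being reported.
        while ((err = $.sqlite3_step(pStmt)) == $.SQLITE_ROW) {
            output += $.sqlite3_column_text(pStmt, 0) + " | " + $.sqlite3_column_text(pStmt, 1) +
                " | " + $.sqlite3_column_text(pStmt, 2) + " | " + $.sqlite3_column_text(pStmt, 3) +
                " | " + $.sqlite3_column_text(pStmt, 4) + " |\n";
        }
        return output;
    }
    catch (error) {
        return error.toString();
    }
    finally {
        // Always release the statement and the connection. A failed close
        // throws from here and therefore replaces the value returned above.
        $.sqlite3_finalize(pStmt);
        err = $.sqlite3_close(db);
        if (err != $.SQLITE_OK) throw new Error($.sqlite3_errmsg(db));
    }
}

// print_tccdb('root')
//print_tccdb('currUser')
//print_tccdb('CarlosSpiceyWiener')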