SwiftParseTCC

example--1-

example2
This tool leverages the research linked below to understand the contents of TCC.db. Uses "Full Disk Access" permissions to read the contents of TCC.db and display it in human-readable format. Can output as a pseudo table viewable in the terminal or as a text table which is viewed best in a text editor.

Usage

  • Dump global TCC.db as a pseudo table
    • ./SwiftParseTCC -p "/Library/Application Support/com.apple.TCC/TCC.db"
  • Dump user TCC.db as a text table (best viewed in a text editor)
    • ./SwiftParseTCC -path "~/Library/Application Support/com.apple.TCC/TCC.db" -table

Note

The base64 encoded blobs are binary blobs that describe the code signing requirement. This is used to prevent spoofing/impersonation if another program uses the same bundle identifier. They can be decoded using the csreq binary as follows:

[email protected] ~ % echo "+t4MAAAAADAAAAABAAAABgAAAAIAAAASY29tLmFwcGxlLlRlcm1pbmFsAAAAAAAD" | base64 -d > lol.bin
[email protected] ~ % csreq -v -r lol.bin -t
identifier "com.apple.Terminal" and anchor apple

GitHub

https://github.com/slyd0g/SwiftParseTCC