After installing MplayerX on my computer, the browser was mysteriously hijacked, and it stayed that way for about a year. Safari later restricted third-party plugins in an update, so this note only covers Chrome: open the Chrome extensions page and an extra Anysearch extension shows up. Not being very familiar with macOS, I did not know how auto-start items are managed, and only last week did I find a way to remove it completely.
Save the following as a script (for example ~/anysearch.sh):

```bash
#!/bin/bash
# anysearch hijacks the browser's default search engine.
# This script removes it from Chrome and Firefox. Run it with:
#   sudo ~/anysearch.sh
# Under sudo, $USER is root, so resolve the real user's home from SUDO_USER.
user="${SUDO_USER:-$USER}"
home="/Users/$user"

killall taskgated
killall Finder

echo Deleting "/Library/LaunchDaemons/com.SearchFunctionDaemon.plist" ...
rm -rf "/Library/LaunchDaemons/com.SearchFunctionDaemon.plist"
# ~ does not expand inside double quotes, so the home directory is spelled out
echo Deleting "$home/Library/LaunchAgents/com.SearchFunction.plist" ...
rm -rf "$home/Library/LaunchAgents/com.SearchFunction.plist"
# SearchFunction is the executable itself; remove it together with its folder
echo Deleting "/Library/Application Support/com.SearchFunctionDaemon/SearchFunction" ...
rm -rf "/Library/Application Support/com.SearchFunctionDaemon/SearchFunction"
echo Deleting "/Library/Application Support/com.SearchFunctionDaemon/" ...
rm -rf "/Library/Application Support/com.SearchFunctionDaemon/"
echo Deleting "/Library/LaunchAgents/com.SearchFunction.plist" ...
rm -rf "/Library/LaunchAgents/com.SearchFunction.plist"
# The managed preferences are what force the Chrome extension policy
echo Deleting "/Library/Managed Preferences/$user/com.google.Chrome.plist" ...
rm -rf "/Library/Managed Preferences/$user/com.google.Chrome.plist"
echo Deleting "/Library/Managed Preferences/$user/complete.plist" ...
rm -rf "/Library/Managed Preferences/$user/complete.plist"
# The profile identifier ends with the Chrome extension id; take it from the
# first line of the profile listing (the stock BSD sed handles this expression)
id=$(profiles -P | sed -n '1s/.*Function//gp')
if [ -n "$id" ]; then
    echo Deleting directory "$id" ...
    cd "$home/Library/Application Support/Google/Chrome/Default/Extensions/" || exit 1
    rm -rf "$id"
    # -R -p removes only this profile; -D would delete every profile on the machine
    profiles -R -p ".com.crx.SearchFunction$id"
fi
# remove the firefox profiles (dotglob matches dotfiles without matching . and ..)
cd "$home/Library/Application Support/Firefox/Profiles" || exit 1
shopt -s dotglob nullglob
rm -rf -- ./*
# after deleting, re-install firefox
```
Manual method
First, the following paths are involved:
- "/Library/LaunchAgents"
- "/Library/LaunchDaemons"
- "/Users/$USER/Library/Application Support/Google/Chrome/Default/Extensions"
- "/Library/Managed Preferences/$USER"
- "/Library/Application Support/com.SearchFunctionDaemon"
- "~/Library/LaunchAgents"
- "/System/Library/LaunchAgents"
- "/System/Library/LaunchDaemons"
Kill the processes and check Chrome's profiles
First open Activity Monitor, search for keywords such as any, search and function, and force-quit the matching processes.
- Open Chrome and enter chrome://policy in the address bar. If ExtensionSettings is not empty and its level is Mandatory, the browser has been hijacked:

```json
{
  "chromeMetadata": {
    "OS": "macOS Version 10.14.6 (Build 18G95)",
    "application": "Google Chrome",
    "revision": "201e747d032611c5f2785cae06e894cf85be7f8a-refs/branch-heads/3865@{#776}",
    "version": "77.0.3865.75 (Official Build) (64-bit)"
  },
  "chromePolicies": {
    "ExtensionSettings": {
      "level": "mandatory",
      "scope": "machine",
      "source": "platform",
      "value": {
        "ffkjcnnfloopcaibchbfbommdncnilpe": {
          "installation_mode": "allowed",
          "update_url": "https://clients2.google.com/service/update2/crx"
        }
      }
    }
  },
  "extensionPolicies": {
    "ghbmnnjooekpmoecnnnilnnbdlolhkhi": {
    },
    "gighmmpiobklfepjocnamgkkbiglidom": {
    }
  }
}
```

The profile above can also be seen under System Preferences - Profiles.
- Delete /Library/LaunchDaemons/com.SearchFunctionDaemon.plist. Its contents:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.SearchFunctionDaemon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/com.SearchFunctionDaemon/SearchFunction</string>
        <string>r</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>14400</integer>
</dict>
</plist>
```

It points to an executable in another folder, which is the malware itself: /Library/Application Support/com.SearchFunctionDaemon. Go to that path and delete the folder together with the SearchFunction malware inside it. So /Library/Application Support/com.SearchFunctionDaemon/SearchFunction must be deleted; if SearchFunction is not removed cleanly it may come back to life (the plist above sets RunAtLoad and a StartInterval of 14400 seconds, so launchd runs SearchFunction again at boot and every four hours, which is what lets it re-create whatever was deleted).
Go to ~/Library/LaunchAgents and delete the anysearch-related files. Also delete:
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
The nastiest part is that the software disguises itself as a Profile. Open System Preferences - Profiles and delete SearchFunction.
- Open /Library/Managed Preferences/$USER in Terminal and run the following commands (each one deletes the com.google.Chrome key from the named plist):

```bash
sudo -s
/usr/libexec/PlistBuddy -c \
    "Delete :com.google.Chrome" \
    complete.plist
/usr/libexec/PlistBuddy -c \
    "Delete :com.google.Chrome" \
    com.google.Chrome.plist
```
- Delete Firefox's profile files: go to /Users/qinfengbin/Library/Application Support/Firefox/Profiles and delete everything under it. Then reinstall Firefox.
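As an added check that is not part of the original post, the following Python script looks for the two indicators described above: a launchd job whose Label or program path mentions SearchFunction, and a mandatory ExtensionSettings policy in a chrome://policy export. The sample plist and policy JSON are constructed from the ones quoted above and trimmed to the relevant keys; the indicator string, the benign job and the directories a real scan would pass in (the LaunchAgents/LaunchDaemons paths listed earlier) are assumptions.

```python
import json
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed samples: the LaunchDaemon plist and chrome://policy export quoted in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.SearchFunctionDaemon</string>
<key>ProgramArguments</key><array>
<string>/Library/Application Support/com.SearchFunctionDaemon/SearchFunction</string>
<string>r</string></array>
<key>RunAtLoad</key><true/><key>StartInterval</key><integer>14400</integer>
</dict></plist>"""
BENIGN_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.ok</string><key>Program</key><string>/usr/bin/true</string></dict></plist>"""
SAMPLE_POLICY = """{"chromePolicies": {"ExtensionSettings": {"level": "mandatory",
"scope": "machine", "source": "platform", "value": {
"ffkjcnnfloopcaibchbfbommdncnilpe": {"installation_mode": "allowed",
"update_url": "https://clients2.google.com/service/update2/crx"}}}}}"""

def launchd_findings(plist_dir, indicator="SearchFunction"):
    """(file, Label, program) for each launchd job whose Label or program path mentions the indicator."""
    hits = []
    for path in sorted(Path(plist_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, OSError, ValueError):
            continue  # unreadable or damaged plist: skip it and keep scanning
        if not isinstance(job, dict):
            continue  # a launchd job plist is always a dict at the top level
        program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
        label = job.get("Label", "")
        if indicator.lower() in f"{label} {program}".lower():
            hits.append((path.name, label, program))
    return hits

def mandatory_extensions(policy_json):
    """Extension ids forced by a mandatory ExtensionSettings policy ('*' is the default rule, not an id)."""
    ext = json.loads(policy_json).get("chromePolicies", {}).get("ExtensionSettings")
    if not ext or ext.get("level") != "mandatory":
        return []
    return sorted(k for k in ext.get("value", {}) if k != "*")

def demo():
    """Write the constructed plists to a temp dir (stand-in for the real launchd dirs) and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.SearchFunctionDaemon.plist").write_bytes(SAMPLE_PLIST)
        Path(tmp, "com.example.ok.plist").write_bytes(BENIGN_PLIST)
        jobs = launchd_findings(tmp)
    return jobs, mandatory_extensions(SAMPLE_POLICY)
```

On a real machine, call launchd_findings on each LaunchAgents/LaunchDaemons directory and feed mandatory_extensions the JSON exported from chrome://policy; the benign job shows that ordinary Apple-style jobs are not flagged.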
2020-06-12 update
Tracing the software's activity with DTrace

```
sudo opensnoop | grep SearchFunction
_______________________________________________
0 125 taskgated 3 /Users/xxx/Library/Application Support/com.SearchFunction
0 125 taskgated 3 /Users/xxx/Library/Application Support/com.SearchFunction
0 125 taskgated 3 /Users/xxx/Library/Application Support/com.SearchFunction/SearchFunction
501 21866 SearchFunction 3 /dev/dtracehelper
501 21866 SearchFunction -1 /etc/.mens_debug
```

The list is too long to reproduce in full. opensnoop is quite intuitive: you can see which system calls the software makes and which data it accesses. If more than one browser is installed, the software can plant itself in any browser's subdirectory, so use