MacOS Apps - Inspecting, debugging and Fuzzing
Last updated
Was this helpful?
Last updated
Was this helpful?
**** is a tool useful to inspect .pkg files (installers) and see what is inside before installing it.
These installers have preinstall and postinstall bash scripts that malware authors usually abuse to persist the malware.
This tool allows to mount Apple disk images (.dmg) files to inspect them before running anything:
It will be mounted in /Volumes
When a function is called in a binary that uses objective-C, the compiled code instead of calling that function, it will call objc_msgSend. Which will be calling the final function:
The params this function expects are:
The first parameter (self) is "a pointer that points to the instance of the class that is to receive the message". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self will point to an instantiated instance of the class as an object.
The second parameter, (op), is "the selector of the method that handles the message". Again, more simply put, this is just the name of the method.
The remaining parameters are any values that are required by the method (op).
Argument
Register
(for) objc_msgSend
1st argument
rdi
self: object that the method is being invoked upon
2nd argument
rsi
op: name of the method
3rd argument
rdx
1st argument to the method
4th argument
rcx
2nd argument to the method
5th argument
r8
3rd argument to the method
6th argument
r9
4th argument to the method
7th+ argument
rsp+ (on the stack)
5th+ argument to the method
Check for high entropy
Check the strings (is there is almost no understandable string, packed)
The UPX packer for MacOS generates a section called "__XHDR"
Note that in order to instrument system binaries, (such as cloudconfigurationd) on macOS, SIP must be disabled (just removing the signature won't work).
You can use this one even with SIP activated
It allows users access to applications at an extremely low level and provides a way for users to trace programs and even change their execution flow. Dtrace uses probes which are placed throughout the kernel and are at locations such as the beginning and end of system calls.
The available probes of dtrace can be obtained with:
The probe name consists of four parts: the provider, module, function, and name (fbt:mach_kernel:ptrace:entry). If you not specifies some part of the name, Dtrace will apply that part as a wildcard.
In line
script
Allows to follow actions performed by processes:
lldb is the de facto tool for macOS binary debugging.
(lldb) Command
Description
run (r)
Starting execution, which will continue unabated until a breakpoint is hit or the process terminates.
continue (c)
Continue execution of the debugged process.
nexti (n)
Execute the next instruction. This command will skip over function calls.
stepi (s)
Execute the next instruction. Unlike the nexti command, this command will step into function calls.
finish (f)
Execute the rest of the instructions in the current function (“frame”) return and halt.
control + c
Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing.
breakpoint (b)
b main
b -[NSDictionary objectForKey:]
b 0x0000000100004bd9
br l #Breakpoint list
br e/dis <num> #Enable/Disable breakpoint
breakpoint delete <num>
help
help breakpoint #Get help of breakpoint command
help memory write #Get help to write into the memory
reg
reg read $rax
reg write $rip 0x100035cc0
x/s <reg/memory address>
Display the memory as a null-terminated string.
x/i <reg/memory address>
Display the memory as assembly instruction.
x/b <reg/memory address>
Display the memory as byte.
print object (po)
This will print the object referenced by the param
po $raw
{
dnsChanger = {
"affiliate" = "";
"blacklist_dns" = ();
Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use x/b
memory write
memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address
The command sysctl hw.model returns "Mac" when the host is a MacOS but something different when it's a VM.
Playing with the values of hw.logicalcpu and hw.physicalcpu some malwares try to detect if it's a VM.
Some malwares can also detect if the machine is VMware based on the MAC address (00:50:56).
It's also possible to find if a process is being debugged with a simple code such us:
if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }
It can also invoke the ptrace system call with the PT_DENY_ATTACH flag. This prevents a debugger from attaching and tracing.
You can check if the sysctl orptrace function is being imported (but the malware could import it dynamically)
ReportCrash analyzes crashing processes and saves a crash report to disk. A crash report contains information that can help a developer diagnose the cause of a crash.
For applications and other processes running in the per-user launchd context, ReportCrash runs as a LaunchAgent and saves crash reports in the user's ~/Library/Logs/DiagnosticReports/
For daemons, other processes running in the system launchd context and other privileged processes, ReportCrash runs as a LaunchDaemon and saves crash reports in the system's /Library/Logs/DiagnosticReports
If you are worried about crash reports being sent to Apple you can disable them. If not, crash reports can be useful to figure out how a server crashed.
While fuzzing in a MacOS it's important to not allow the Mac to sleep:
systemsetup -setsleep Never
pmset, System Preferences
If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd_config file with:
TCPKeepAlive Yes
ClientAliveInterval 0
ClientAliveCountMax 0
This interesting to find processes that are managing network data:
Or use netstat or lsof
Note that in order to debug binaries, SIP needs to be disabled (csrutil disable or csrutil enable --without debug) or to copy the binaries to a temporary folder and remove the signature with codesign --remove-signature <binary-path> or allow the debugging of the binary (you can use )
A more detailed explanation and more examples can be found in
**** is a very useful tool to check the process related actions a process is performing (for example, monitor which new processes a process is creating).
**** allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events.
**** is useful to see the libraries used by a binary, the files it's using and the network connections. It also checks the binary processes against virustotal and show information about the binary.
As noted in this writeup, “” : “The message Process # exited with status = 45 (0x0000002d) is usually a tell-tale sign that the debug target is using PT_DENY_ATTACH”
**to find out how you can find which app is responsible of handling the specified scheme or protocol**.
****
********
********