Apple Mach-O

Created: 28.09.2020

Binary info

otool

Using otool we can get general info about the Mach-O file:


otool -h [app_name]

Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2   115      11384 0x00218085

Quick reference on the meaning of the magic value:

32-bit (ARMv6, ARMv7) – 0xFEEDFACE
64-bit – 0xFEEDFACF
Universal binaries – 0xCAFEBABE


nm

nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode

Lists the APIs the binary uses, e.g. SMLoginItemSetEnabled. (Wardle, Patrick. The Art of Mac Malware, p. 25. No Starch Press, Kindle Edition.)

Common functions

snprintf_chk

__snprintf_chk is the checked ("fortified") variant of snprintf in the C library (both glibc and Apple's Libc provide it). It is not called directly from source: when code is compiled with _FORTIFY_SOURCE and optimisation, the compiler replaces snprintf with __snprintf_chk and passes the known size of the destination object as an extra argument, so the library can abort a write that would overflow the buffer. This is why the symbol appears in nm output of binaries built with fortification. Source code example (build with clang -O2 -D_FORTIFY_SOURCE=2 to see the substitution):

#include <stdio.h>
#define BUFFER_SIZE 20

int main(void) {
    char buffer[BUFFER_SIZE];
    int value = 42;
    /* With -D_FORTIFY_SOURCE=2 -O2 the compiler rewrites this call to
     * __snprintf_chk(buffer, BUFFER_SIZE, 0, sizeof buffer, ...), so the
     * library can check the size argument against the real object size. */
    snprintf(buffer, BUFFER_SIZE, "The answer is %d", value);
    printf("%s\n", buffer);
    return 0;
}

The size argument BUFFER_SIZE bounds the write: snprintf stores at most BUFFER_SIZE-1 characters plus the null terminator, and the fortified variant additionally aborts if that size is larger than the destination object the compiler saw. This helps prevent buffer overflow vulnerabilities.

getenv

References

OpenAI

https://chat.openai.com/chat

"macOS/iOS (*OS) Internals" trilogy, by Jonathan Levin (Technologeeks Press, 2017)
The Art of Computer Virus Research and Defense by Peter Szor (Addison-Wesley Professional, 2005)
Reversing: Secrets of Reverse Engineering by Eldad Eilam (Wiley, 2005)
OS X Incident Response: Scripting and Analysis by Jaron Bradley (Syngress, 2016)

https://papers.put.as/: A fairly exhaustive archive of papers and presentations on macOS security topics and malware analysis.
https://themittenmac.com/: The website of the noted macOS security researcher and author, Jaron Bradley, that includes incident response tools and threat hunting knowledge for macOS.
https://objective-see.com/blog.html: My blog, which for the last half decade has published my research and that of fellow security researchers on the topics of macOS malware, exploits, and more.

https://malpedia.caad.fkie.fraunhofer.de/