Logo
RSS Feed

Apple Mach-O

Created: 28.09.2020

Binary info

otool

Using otool we can get general info about the Mach-O file:


otool -h [app_name]

> Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2   115      11384 0x00218085

Quick refernce on the meaning:

32-bit (ARMv6, ARMv7) – 0xFEEDFACE 64-bit – 0xFEEDFACF Universal binaries – 0xCAFEBABE

robin2

nm

nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode - view the APIs used. SMLoginItemSetEnabled - Wardle, Patrick. The Art of Mac Malware (p. 25). No Starch Press. Kindle Edition.

Common functions

snprintf_chk

snprintf_chk is a function in the C standard library that is used for formatted string output. It is similar to the snprintf function, but includes additional security checks to prevent buffer overflow vulnerabilities. Source code example:

#include <stdio.h>
#define BUFFER_SIZE 20

int main() {
    char buffer[BUFFER_SIZE];
    int value = 42;
    snprintf_chk(buffer, BUFFER_SIZE, BUFFER_SIZE-1, "The answer is %d", value);
    printf("%s\n", buffer);
    return 0;
}

The third argument BUFFER_SIZE-1 limits the maximum number of characters that can be written to the buffer to BUFFER_SIZE-1 (to leave room for the null terminator). This helps prevent buffer overflow vulnerabilities.

getenv

References

OpenAI

https://chat.openai.com/chat

β€œmacOS/iOS (*OS) Internals” trilogy, by Jonathan Levin (Technologeeks Press, 2017) The Art of Computer Virus Research and Defense by Peter Szor (Addison-Wesley Professional, 2005) Reversing: Secrets of Reverse Engineering by Eldad Eilam (Wiley, 2005) OS X Incident Response: Scripting and Analysis by Jaron Bradley (Syngress, 2016)

https://papers.put.as/: A fairly exhaustive archive of papers and presentations on macOS security topics and malware analysis. https://themittenmac.com/: The website of the noted macOS security researcher and author, Jaron Bradley, that includes incident response tools and threat hunting knowledge for macOS. https://objective-see.com/blog.html: My blog, which for the last half decade has published my research and that of fellow security researchers on the topics of macOS malware, exploits, and more.

https://malpedia.caad.fkie.fraunhofer.de/