Logo
RSS Feed

πŸ‘ˆπŸΌ Back to
🌞 OS Core Processes

MacOS Core Processes


Created: 29.11.2020

There are two broad categories of core processes. Processes that initialize system environment and those that initialize the user environment. Whatever is the category, you need to know them well in order to detect abnormal things.

Main Processes

There are several core process that are important to examine since malware often drool 🀀 over them. Singleton - one instance running only. If any of these having more than 1 process should be the object of further investigation.

The process tree

  • BootROM
    • POST - Power On Self Test, if all’s ok with hardware - beep.
    • EFI - Extensible Firmware Interface, choose bootable partition and OS.
    • Boot Loader. Either boot.efi or BootX. System/Library/CoreServices/Boot.efi - Apple logo” on the screen. Load kext files (kernel extensions) into RAM from /System/Library/Caches/com.apple.kext.caches/Startup/kernelcache. If this cache is damaged, /System/Library/Extensions is used, each driver enumerated to determine if it’s needed for booting. If FV is enabled, enter password first.
      • Kernel. mach_init. Kernel initialization - Additional drivers, core BSD Unix system, I/O Kit. Dark gray spinning gear right below the Apple logo. Find the root device - Mount system partition as root.
        • Launchd. /sbin/launchd. System Initialization - The login window or the user’s desktop background if the auto login is enabled. The first non-kernel root process.
          • loginwindow
          • SystemStarter
          • user launchd

Main files: mkextcache, launchd, loginwindow, /System/Library/CoreServices.

launchd

Parent 🀱: kernel

Children πŸ‘§ :

Singleton ☝️: Yes

Path to file πŸ›£: /sbin/launchd

Account:

Start time: Boot

PID 1. The first daemon launched. Started up by kernel. Spawns other demons and processes.

WindowServer TouchBarServer

kernel_task UserEventAgent Wi-Fi bluetoothd gamecontrollerd UIKitSystem routined locationd

opendirectoryd launchd cfprefsd - not singleton PerfPowerServices Dock runningboardd analyticsd sysmond powerd Control Centre logd ContextStoreAgent fseventsd sharingd mds airportd launchservicesd iconservicesagent mds_stores corebrightnessd com.apple.WebKit.WebContent contextstored mdworker_shared

Quick Check List

Singletons vs Cloners

Singletons:

Cloners:

Boot vs Varies

Boot:

Varies:

System32 vs Other

System32:

Other:

References