Apple Mach-O

Created: 28.09.2020

Binary info


Using otool we can get general info about the Mach-O file:

otool -h [app_name]

Mach header
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2   115      11384 0x00218085

Quick reference on the meaning of the magic value:

32-bit (ARMv6, ARMv7) – 0xFEEDFACE
64-bit – 0xFEEDFACF
Universal binaries – 0xCAFEBABE



nm WindTail/ – list the symbols of the binary to see which APIs it uses; the undefined (imported) symbols are the library functions it calls. In WindTail, for example, SMLoginItemSetEnabled shows up (Wardle, Patrick. The Art of Mac Malware (p. 25). No Starch Press. Kindle Edition).
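What nm is showing there is the LC_SYMTAB load command: an array of nlist_64 entries plus a string table, where an entry whose type is N_UNDF with N_EXT set is an import. The following is an added example, not code from the note or from nm, that walks the load commands of a thin little-endian 64-bit Mach-O, extracts exactly those undefined external symbols, and bounds-checks every offset it follows so a malformed cmdsize or n_strx cannot make it read outside the file. The sample bytes are a constructed minimal Mach-O (not a real binary) whose imports are SMLoginItemSetEnabled, as in the WindTail note, and ___snprintf_chk, the fortified function discussed in the next section.

```python
import struct

LC_SYMTAB = 0x2                              # symtab_command: cmd, cmdsize, symoff, nsyms, stroff, strsize
N_TYPE, N_EXT, N_UNDF = 0x0E, 0x01, 0x00     # masks/values from <mach-o/nlist.h>
NLIST64_SIZE = 16                            # nlist_64: n_strx u32, n_type u8, n_sect u8, n_desc u16, n_value u64


def imported_symbols(data):
    """Undefined external symbols of a thin, little-endian 64-bit Mach-O (what `nm -u` lists)."""
    if len(data) < 32:
        raise ValueError("truncated header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != 0xFEEDFACF:
        raise ValueError("only thin little-endian 64-bit Mach-O is handled here")
    off, end = 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    symtab = None
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds exceeds sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")   # a bad cmdsize must not walk off the buffer
        if cmd == LC_SYMTAB:
            symtab = struct.unpack_from("<4I", data, off + 8)
        off += cmdsize
    if symtab is None:
        return []                                         # stripped: no symbol table at all
    symoff, nsyms, stroff, strsize = symtab
    if symoff + NLIST64_SIZE * nsyms > len(data) or stroff + strsize > len(data):
        raise ValueError("symbol or string table runs past end of file")
    strtab = data[stroff:stroff + strsize]
    names = []
    for i in range(nsyms):
        n_strx, n_type, _sect, _desc, _value = struct.unpack_from("<IBBHQ", data, symoff + NLIST64_SIZE * i)
        if (n_type & N_TYPE) == N_UNDF and (n_type & N_EXT):
            if n_strx >= len(strtab):
                raise ValueError("n_strx points outside the string table")
            name_end = strtab.find(b"\0", n_strx)
            if name_end < 0:
                name_end = len(strtab)                    # unterminated last string
            names.append(strtab[n_strx:name_end].decode("ascii", "replace"))
    return sorted(names)


def build_sample():
    """Constructed minimal Mach-O (not a real binary): one LC_SYMTAB, three symbols."""
    strtab = b"\0_main\0_SMLoginItemSetEnabled\0___snprintf_chk\0"
    syms = [
        (strtab.index(b"_main"), 0x0F, 1, 0x0000, 0x100000F00),          # N_SECT|N_EXT: defined here
        (strtab.index(b"_SMLoginItemSetEnabled"), 0x01, 0, 0x0100, 0),   # N_UNDF|N_EXT: imported
        (strtab.index(b"___snprintf_chk"), 0x01, 0, 0x0100, 0),          # N_UNDF|N_EXT: imported
    ]
    nlist = b"".join(struct.pack("<IBBHQ", *s) for s in syms)
    symoff = 32 + 24                      # header + one 24-byte symtab_command
    stroff = symoff + len(nlist)
    header = struct.pack("<8I", 0xFEEDFACF, 0x01000007, 3, 2, 1, 24, 0x00200085, 0)
    symtab_cmd = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(syms), stroff, len(strtab))
    return header + symtab_cmd + nlist + strtab


if __name__ == "__main__":
    for name in imported_symbols(build_sample()):
        print("U", name)   # same shape as nm's output for undefined symbols
```

Symbol names carry the leading underscore Mach-O adds to C identifiers, so the API SMLoginItemSetEnabled appears as _SMLoginItemSetEnabled and the fortified snprintf as ___snprintf_chk; fat and 32-bit files would first need the slice/header handling from the header parser earlier in these notes.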

Common functions


snprintf_chk (the symbol nm shows as ___snprintf_chk, declared in C as __snprintf_chk) is the fortified variant of snprintf that ships in the C library (libSystem on macOS, glibc on Linux). The compiler emits a call to it in place of snprintf when _FORTIFY_SOURCE is enabled: it formats like snprintf, but also receives the real size of the destination buffer and aborts on overflow instead of corrupting memory. Source code example:

#include <stdio.h>
#include <stddef.h>
#define BUFFER_SIZE 20

/* Fortified snprintf from the C library (Apple libSystem / glibc). The compiler
   normally emits this call itself when _FORTIFY_SOURCE is defined; it is
   declared here so the example can call it directly. */
extern int __snprintf_chk(char *str, size_t maxlen, int flag, size_t objsize,
                          const char *format, ...);

int main(void) {
    char buffer[BUFFER_SIZE];
    int value = 42;
    /* maxlen bounds the write like snprintf's size argument; objsize is the
       compiler-known size of buffer, and the call aborts if maxlen exceeds it. */
    __snprintf_chk(buffer, BUFFER_SIZE, 0, __builtin_object_size(buffer, 0),
                   "The answer is %d", value);
    printf("%s\n", buffer);
    return 0;
}
The second argument BUFFER_SIZE bounds the output exactly as with plain snprintf (at most BUFFER_SIZE-1 characters plus the null terminator). The extra size argument is the size of the destination object as known to the compiler; __snprintf_chk aborts the process if the requested length is larger than that object, which is how the fortified variant turns a would-be buffer overflow into a crash rather than silent memory corruption.

Further reading

“macOS/iOS (*OS) Internals” trilogy, by Jonathan Levin (Technologeeks Press, 2017)
The Art of Computer Virus Research and Defense by Peter Szor (Addison-Wesley Professional, 2005)
Reversing: Secrets of Reverse Engineering by Eldad Eilam (Wiley, 2005)
OS X Incident Response: Scripting and Analysis by Jaron Bradley (Syngress, 2016)
A fairly exhaustive archive of papers and presentations on macOS security topics and malware analysis.
The website of the noted macOS security researcher and author, Jaron Bradley, that includes incident response tools and threat hunting knowledge for macOS.
My blog, which for the last half decade has published my research and that of fellow security researchers on the topics of macOS malware, exploits, and more.