macOS and iOS Internals - The Reverse Engineer's Perspective
Duration: 5 days

Back to course list Home
Synopsis This course accompanies Jonathan Levin's highly praised trilogy, "*OS Internals" with deeper discussions and hands-on examples. The focus is on MacOS Monterey (10.17) and the new Ventura (10.18) as well as iOS 15 and 16, with a focus on the significant changes put into the later versions. This is your chance to learn about the nooks and crannies of Apple's operating systems - from the man who literally wrote the book. The course will also present the book's tools with in depth coverage, as well as introduce more bonus materials and updates.
Target Audience Reverse Engineers, Security and/or Malware Researchers and Forensics Experts - both Mac and iOS - interested in getting to know Apple's Operating Systems intimately, and obtaining reverse engineering techniques and paradigms.
  • Knowledge of macOS at a user level, and user mode programming.
  • Familiarity with x86_64 and/or ARM64 is highly recommended
  • Bring your own Mac/jailbroken i-Device - or ask us about renting one for class!
  • Understand the process of binary linking and loading
  • Reverse engineer and analyze Mach-O Binaries
  • Reverse engineer Objective-C and Swift code
  • Use Apple's own documented and undocumented APIs for tracing and debugging
  • Explain, interface with and hook Kernel system calls
  • Explain common malware techniques
  • Understand attack surfaces in macOS and iOS (and its derivatives), particularly those of the kernel, kexts (I/O Kit) and system daemons.
Exercises This course contains quite a few hands-on practice (shown in parentheses). Most modules are accompanied by the exercises (often in the form of guided instructor demos - and quite a bit of homework!), as shown below; Participants are encouraged to bring malware samples to class, or inquire in advance for specific binaries/subsystems to analyze!
Suggested Reading: The following books are suggested as additional references for this course:
1. Architectural Overview
3 hours
Introduction to the Architecture of macOS and iOS
  • Apple's Architectural Diagrams - and why they are so far from the truth
    • iOS and its derivatives - TvOS, WatchOS
      • A tour of some interesting private frameworks
        • The Darwin environment
          • XNU: The Kernel
            • Hardware
              • macOS: x86, x86_64, x86_64h
                • iOS: armv8 (A7+) and armv8e (A11)
                  • Apple Silicon and Rosetta II
                    • Using sysctl for hardware details
                      • Using MobileGestalt for hardware and software details
                      • Review of prerequisites
                        2. Binaries
                        2(+1) hours
                        The Mach-O file format, up close and personal. Explaining the venerable format and its evolution from NextSTEP throughout Yosemite, and how it is loaded from disk onto the virtual memory of a newly formed or existing process. Special emphasis is given to malware techniques using DYLD, such as dynamic loading, obfuscating, patching import tables, and more.
                        • What's in a Binary/Fat Binaries
                          • Intorducing: Mach-O
                            • Mach-O Types: Executables, bundles, dylibs, kexts, cores, and more
                              • The Mach-O Load commands
                                • LC_SEGMENT[64] and setting up the process virtual memory
                                  • LC_FILESETs
                                    • Code Signing
                                      • Code Encryption
                                        • Understanding dylib dependencies
                                          • LC_FUNCTION_STARTS and DATA_IN_CODE
                                            • Static Analysis: with otool(1) - and JTool2

                                              Exercises include:
                                              • Using JTool2. Analyzing a sample user-mode malware or other binary
                                              • Defeating Code encryption (iOS)
                                              Day 2
                                              3. Advanced Mach-O and DYLD
                                              2(+2) hours
                                              The lesser known and entirely undocumented aspects of Apple's proprietary binary format and loader, including
                                              • DYLD: The Mach-O Loader
                                                • Interfacing with DYLD
                                                  • dyld opcodes, binding and linking
                                                    • LC_CHAINED_FIXUPS
                                                      • dyld rebase chains
                                                        • Dynamically interfacing with DYLD through Callbacks and structures
                                                          • Extending/Hacking DYLD
                                                            5. Debugging and Tracing Techniques
                                                            2(+1) hours
                                                            Describing the built-in tools for debugging and profiing in macOS and iOS, as well as those introduced in the book, with a special focus on analyzing process activity, both in and out of a Virtual Machine.
                                                            • Auditing (deprecated in Ventura)
                                                              • Endpoint Security Framework
                                                                • FSEvents
                                                                  • malloc_history, vmmap, and friends
                                                                    • sc_usage, fs_usage, latency, and Kdebug
                                                                      • syslog and ASL
                                                                        • DTrace (macOS)
                                                                          • LLDB
                                                                            • DYLD_INSERT_LIBRARIES and interposing
                                                                              • Corpses

                                                                                Exercises include:
                                                                                • Creating a KDebug filter
                                                                                • Using (k)DebugView
                                                                                • Using Process Explorer
                                                                                Day 3
                                                                                6. Launchd and XPC
                                                                                2(+1) hours
                                                                                Describing the macOS and iOS user mode startup, via LaunchD , the LaunchDaemons, and LaunchAgents.
                                                                                • Launchd vs. Init
                                                                                  • The roles of launchd
                                                                                    • LaunchAgents and LaunchDaemons
                                                                                      • Launchd as an enabler for malware persistence
                                                                                        • Launchd reverse engineering
                                                                                          • Mach ports (an introduction) and the bootstrap services
                                                                                            • Mach services and XPC
                                                                                              • Undocumented XPC APIs
                                                                                                • XPC message wire format
                                                                                                  • XPC subsystems

                                                                                                  Exercises include:
                                                                                                  • Listing Mach and XPC endpoints
                                                                                                  • Adding a LaunchDaemon and a LaunchAgent
                                                                                                  7. Mach primitives and IPC
                                                                                                  3(+2) hours
                                                                                                  At its very core, XNU contains Mach, the Carnegie Mellon project. Being a microkernel by design, Mach is not a "traditional" Kernel like Windows or Linux. What more, Apple has made significant modifications since Mach 3.0. In this module, we delve deep into Mach, and explain its key concepts, backing their implementations by looking at the actual source code. Exercises specifically demonstrate malware remote code injection by using the lesser known Mach APIs.
                                                                                                  • (re)Introducing Mach
                                                                                                    • The Mach Interface Generator (MIG)
                                                                                                      • Mach Tasks
                                                                                                        • Mach Threads
                                                                                                          • Mach Ports
                                                                                                            • Mach Messages & IPC
                                                                                                              • Mach Virtual Memory

                                                                                                                Exercises include:
                                                                                                                • Enumerating Mach Tasks and Threads
                                                                                                                • Decompiling MIG
                                                                                                                • Using Mach APIs for remote thread injection
                                                                                                                Day 4
                                                                                                                8. XNU, up close
                                                                                                                1 hours
                                                                                                                XNU is still (largely) open source, which provides great benefits when exploring the kernel. In this module we discuss:
                                                                                                                • The kernel source tree layout
                                                                                                                  • Obtaining and compiling XNU, with various options
                                                                                                                    • The Kernel Debug Kit
                                                                                                                      • Reverse engineering without the XNU source (iOS)
                                                                                                                        9. Programming KEXTs and DEXTs
                                                                                                                        1(+1) hours
                                                                                                                        Kernel Extensions, or "KEXTs", are the Mac OS equivalent of Kernel modules. In this module, we detail the architecture of KEXTs, commands used to manipulate them, and the process of creating one. With Apple's move to deprecate KEXTs (in 10.15) we also consider "Driver Extensions" (DEXTs)
                                                                                                                        • Anatomy of a Kernel Extension
                                                                                                                          • KEXT code signatures
                                                                                                                            • KEXT related commands:
                                                                                                                              • kextstat/jkextstat
                                                                                                                                • kextload/kextutil/kmutil
                                                                                                                                • The OSKext* APIs
                                                                                                                                  • kextd, in detail
                                                                                                                                    • Building a KEXT:
                                                                                                                                      • The Entry and exit
                                                                                                                                        • The Info.plist
                                                                                                                                          • Handling dependencies
                                                                                                                                          • Driver Extensions

                                                                                                                                            Exercises include:
                                                                                                                                            • Using OSKext APIs to display loaded extensions
                                                                                                                                            • Using Xn00p to inspect kernel memory
                                                                                                                                            10. I/O Kit
                                                                                                                                            2 (+2) hours
                                                                                                                                            The I/O Kit is a complete driver runtime environment contained in XNU. I/O Kit is object oriented, and makes the development of drivers easier and, in many ways safer, by relying on object oriented concepts such as inheritance and overloading. In this module, we investigate the I/O Kit in depth, examine several IOKit drivers as case studies
                                                                                                                                            • Introducing I/O Kit
                                                                                                                                              • The I/O Kit base classes
                                                                                                                                                • Navigating the I/O Registry
                                                                                                                                                  • I/O Kit as an Attack surface
                                                                                                                                                    • IOUserClients
                                                                                                                                                      • IOConnectCall* methods and the io_user_client_trap

                                                                                                                                                        Exercises include:
                                                                                                                                                        • Reverse Engineer an I/O Kit kernel module
                                                                                                                                                        • Creating a simple I/O Kit fuzzer
                                                                                                                                                        Day 5
                                                                                                                                                        11. The Network Stack (optional)
                                                                                                                                                        1 (+1) hours
                                                                                                                                                        With a heavy flavor of the BSD network stack, Apple took networking in macOS and iOS to the next level. We describe the stack layer by layer, focusing on each layer's implementation and callout APIs (for example, for network security modules, firewall extensions, etc). The detailed discussion includes:
                                                                                                                                                        • The underlying implementation of sockets and address families
                                                                                                                                                          • Socket filtering in XNU
                                                                                                                                                            • Protocol implementations of IPv4, IPv6, and AppleTalk
                                                                                                                                                              • IP protocol filters
                                                                                                                                                                • Networking Interfaces and DLIL
                                                                                                                                                                  • Interface Filters
                                                                                                                                                                    • Berkeley Packet Filter (BPF)
                                                                                                                                                                      • System sockets

                                                                                                                                                                        Exercises include:
                                                                                                                                                                        • Installing packet filters for traffic inspection
                                                                                                                                                                        • Intercepting and forwarding User mode connections
                                                                                                                                                                        12. Security
                                                                                                                                                                        4 hours
                                                                                                                                                                        A detailed discussion of security mechanisms in both macOS and iOS. Dissecting the AppleMobileFileIntegrity and Sandbox kernel extensions. Topics include:
                                                                                                                                                                        • The Mandatory Access Control Framework (MACF)
                                                                                                                                                                          • KAuth
                                                                                                                                                                            • Code Signing, revisited
                                                                                                                                                                              • macOS: Sandboxing and Containers
                                                                                                                                                                                • Reversing the sandbox kext and daemon
                                                                                                                                                                                  • iOS: containermanagerd
                                                                                                                                                                                  • macOS: Quarantine and GateKeeper
                                                                                                                                                                                    • Entitlements
                                                                                                                                                                                      • iOS & 10.10: AppleMobileFileIntegrity
                                                                                                                                                                                        • Detailed deconstruction of amfid
                                                                                                                                                                                          • The AMFI.kext in macOS (10.10+) and iOS
                                                                                                                                                                                          • iOS:lockdownd, and the iOS Jail
                                                                                                                                                                                            • macOS 10.11 "rootless" (System Integrity Protection)
                                                                                                                                                                                              • iOS: Jailbreaking
                                                                                                                                                                                                • Jailbreak exploit path
                                                                                                                                                                                                  • Jailbreak detection methods and heuristics
                                                                                                                                                                                                    • Analysis of classic jailbreaks
                                                                                                                                                                                                    • MacOS and iOS: Malware
                                                                                                                                                                                                      • MacOS: Example of malware analysis (students welcome to bring samples!)
                                                                                                                                                                                                        • iOS: NSO Group's "Pegasus"

                                                                                                                                                                                                        Frequently Asked Questions