| 1. |
Architectural Overview |
|
3 hours |
|
Introduction to the Architecture of macOS and iOS
- Apple's Architectural Diagrams - and why they are so far from the truth
- iOS and its derivatives - TvOS, WatchOS
- A tour of some interesting private frameworks
- The Darwin environment
- XNU: The Kernel
- Hardware
- macOS: x86, x86_64, x86_64h
- iOS: armv8 (A7+) and armv8e (A11)
- Apple Silicon and Rosetta II
- Using sysctl for hardware details
- Using MobileGestalt for hardware and software details
- Review of prerequisites
|
|
The Mach-O file format, up close and personal. Explaining the venerable format and its evolution from NextSTEP throughout Yosemite, and how it is loaded from disk onto the virtual memory of a newly formed or existing process. Special emphasis is given to malware techniques using DYLD, such as dynamic loading, obfuscating, patching import tables, and more.
- What's in a Binary/Fat Binaries
- Intorducing: Mach-O
- Mach-O Types: Executables, bundles, dylibs, kexts, cores, and more
- The Mach-O Load commands
- LC_SEGMENT[64] and setting up the process virtual memory
- LC_FILESETs
- Code Signing
- Code Encryption
- Understanding dylib dependencies
- LC_FUNCTION_STARTS and DATA_IN_CODE
- Static Analysis: with otool(1) - and JTool2
Exercises include:
- Using JTool2. Analyzing a sample user-mode malware or other binary
- Defeating Code encryption (iOS)
|
| Day 2 |
| 3. |
Advanced Mach-O and DYLD |
|
2(+2) hours |
|
The lesser known and entirely undocumented aspects of Apple's proprietary binary format and loader, including
- DYLD: The Mach-O Loader
- Interfacing with DYLD
- dyld opcodes, binding and linking
- LC_CHAINED_FIXUPS
- dyld rebase chains
- Dynamically interfacing with DYLD through Callbacks and structures
- Extending/Hacking DYLD
|
| 5. |
Debugging and Tracing Techniques |
|
2(+1) hours |
|
Describing the built-in tools for debugging and profiing in macOS and iOS, as well as those introduced in the book, with a special focus on analyzing process activity, both in and out of a Virtual Machine.
- Auditing (deprecated in Ventura)
- Endpoint Security Framework
- FSEvents
- malloc_history, vmmap, and friends
- sc_usage, fs_usage, latency, and Kdebug
- syslog and ASL
- DTrace (macOS)
- LLDB
- DYLD_INSERT_LIBRARIES and interposing
- Corpses
Exercises include:
- Creating a KDebug filter
- Using (k)DebugView
- Using Process Explorer
|
| Day 3 |
| 6. |
Launchd and XPC |
|
2(+1) hours |
|
Describing the macOS and iOS user mode startup, via LaunchD , the LaunchDaemons, and LaunchAgents.
- Launchd vs. Init
- The roles of launchd
- LaunchAgents and LaunchDaemons
- Launchd as an enabler for malware persistence
- Launchd reverse engineering
- Mach ports (an introduction) and the bootstrap services
- Mach services and XPC
- Undocumented XPC APIs
- XPC message wire format
- XPC subsystems
Exercises include:
- Listing Mach and XPC endpoints
- Adding a LaunchDaemon and a LaunchAgent
|
| 7. |
Mach primitives and IPC |
|
3(+2) hours |
|
At its very core, XNU contains Mach, the Carnegie Mellon project. Being a microkernel by design, Mach is not a "traditional" Kernel like Windows or Linux. What more, Apple has made significant modifications since Mach 3.0. In this module, we delve deep into Mach, and explain its key concepts, backing their implementations by looking at the actual source code. Exercises specifically demonstrate malware remote code injection by using the lesser known Mach APIs.
- (re)Introducing Mach
- The Mach Interface Generator (MIG)
- Mach Tasks
- Mach Threads
- Mach Ports
- Mach Messages & IPC
- Mach Virtual Memory
Exercises include:
- Enumerating Mach Tasks and Threads
- Decompiling MIG
- Using Mach APIs for remote thread injection
|
| Day 4 |
|
XNU is still (largely) open source, which provides great benefits when exploring the kernel. In this module we discuss:
- The kernel source tree layout
- Obtaining and compiling XNU, with various options
- The Kernel Debug Kit
- Reverse engineering without the XNU source (iOS)
|
| 9. |
Programming KEXTs and DEXTs |
|
1(+1) hours |
|
Kernel Extensions, or "KEXTs", are the Mac OS equivalent of Kernel modules. In this module, we detail the architecture of KEXTs, commands used to manipulate them, and the process of creating one. With Apple's move to deprecate KEXTs (in 10.15) we also consider "Driver Extensions" (DEXTs)
- Anatomy of a Kernel Extension
- KEXT code signatures
- KEXT related commands:
- kextstat/jkextstat
- kextload/kextutil/kmutil
- The OSKext* APIs
- kextd, in detail
- Building a KEXT:
- The Entry and exit
- The Info.plist
- Handling dependencies
- Driver Extensions
Exercises include:
- Using OSKext APIs to display loaded extensions
- Using Xn00p to inspect kernel memory
|
|
The I/O Kit is a complete driver runtime environment contained in XNU. I/O Kit is object oriented, and makes the development of drivers easier and, in many ways safer, by relying on object oriented concepts such as inheritance and overloading.
In this module, we investigate the I/O Kit in depth, examine several IOKit drivers as case studies
- Introducing I/O Kit
- The I/O Kit base classes
- Navigating the I/O Registry
- I/O Kit as an Attack surface
- IOUserClients
- IOConnectCall* methods and the io_user_client_trap
Exercises include:
- Reverse Engineer an I/O Kit kernel module
- Creating a simple I/O Kit fuzzer
|
| Day 5 |
| 11. |
The Network Stack (optional) |
|
1 (+1) hours |
|
With a heavy flavor of the BSD network stack, Apple took networking in macOS and iOS to the next level. We describe the stack layer by layer, focusing on each layer's implementation and callout APIs (for example, for network security modules, firewall extensions, etc). The detailed discussion includes:
- The underlying implementation of sockets and address families
- Socket filtering in XNU
- Protocol implementations of IPv4, IPv6, and AppleTalk
- IP protocol filters
- Networking Interfaces and DLIL
- Interface Filters
- Berkeley Packet Filter (BPF)
- System sockets
Exercises include:
- Installing packet filters for traffic inspection
- Intercepting and forwarding User mode connections
|
|
A detailed discussion of security mechanisms in both macOS and iOS. Dissecting the AppleMobileFileIntegrity and Sandbox kernel extensions. Topics include:
- The Mandatory Access Control Framework (MACF)
- KAuth
- Code Signing, revisited
- macOS: Sandboxing and Containers
- Reversing the sandbox kext and daemon
- iOS: containermanagerd
- macOS: Quarantine and GateKeeper
- Entitlements
- iOS & 10.10: AppleMobileFileIntegrity
- Detailed deconstruction of amfid
- The AMFI.kext in macOS (10.10+) and iOS
- iOS:lockdownd, and the iOS Jail
- macOS 10.11 "rootless" (System Integrity Protection)
- iOS: Jailbreaking
- Jailbreak exploit path
- Jailbreak detection methods and heuristics
- Analysis of classic jailbreaks
- MacOS and iOS: Malware
- MacOS: Example of malware analysis (students welcome to bring samples!)
- iOS: NSO Group's "Pegasus"
|