OS X and iOS Internals - The Reverse Engineer's Perspective
Duration: 5 days

Back to course list Home
Synopsis This course accompanies Jonathan Levin's highly praised trilogy, "*OS Internals" with deeper discussions and hands-on examples. The focus is on MacOS High Sierra (10.13) and Mojave (10.14) as well as iOS 11 and 12, with a focus on the significant changes put into the later versions. This is your chance to learn about the nooks and crannies of Apple's operating systems - from the man who literally wrote the book. The course will also present the book's tools with in depth coverage, as well as introduce more bonus materials and updates.
Target Audience Reverse Engineers, Security and/or Malware Researchers and Forensics Experts - both Mac and iOS - interested in getting to know Apple's Operating Systems intimately, and obtaining reverse engineering techniques and paradigms.
  • Knowledge of OS X at a user level, and user mode programming.
  • Familiarity with x86_64 and/or ARM32/64 is highly recommended
  • Bring your own Mac/jailbroken i-Device - or ask us about renting one for class!
  • Understand the process of binary linking and loading
  • Reverse engineer and analyze Mach-O Binaries
  • Reverse engineer Objective-C and Swift code
  • Use Apple's own documented and undocumented APIs for tracing and debugging
  • Explain, interface with and hook Kernel system calls
  • Explain common malware techniques
  • Understand attack surfaces in OS X and iOS (and its derivatives), particularly those of the kernel, kexts (I/O Kit) and system daemons.
Exercises This course contains quite a few hands-on practice (shown in parentheses). Most modules are accompanied by the exercises (often in the form of guided instructor demos - and quite a bit of homework!), as shown below; Participants are encouraged to bring malware samples to class, or inquire in advance for specific binaries/subsystems to analyze!
Suggested Reading: The following books are suggested as additional references for this course:
1. Architectural Overview
3 hours
Introduction to the Architecture of OS X and iOS
  • Apple's Architectural Diagrams - and why they are so far from the truth
    • iOS and its derivatives - TvOS, WatchOS
      • A tour of some interesting private frameworks
        • The Darwin environment
          • XNU: The Kernel
            • Hardware
              • OS X: x86, x86_64, x86_64h
                • iOS: armv7k (WatchOS), armv8 (A7+) and armv8e (A11)
                  • Using sysctl for hardware details
                    • Using MobileGestalt for hardware and software details
                    • Review of prerequisites
                      2. Binaries
                      2(+1) hours
                      The Mach-O file format, up close and personal. Explaining the venerable format and its evolution from NextSTEP throughout Yosemite, and how it is loaded from disk onto the virtual memory of a newly formed or existing process. Special emphasis is given to malware techniques using DYLD, such as dynamic loading, obfuscating, patching import tables, and more.
                      • What's in a Binary/Fat Binaries
                        • Intorducing: Mach-O
                          • Mach-O Types: Executables, bundles, dylibs, kexts, cores, and more
                            • The Mach-O Load commands
                              • LC_SEGMENT[64] and setting up the process virtual memory
                                • Code Signing
                                  • Code Encryption
                                    • Understanding dylib dependencies
                                      • LC_FUNCTION_STARTS and DATA_IN_CODE
                                        • Static Analysis: with otool(1) - and JTool

                                          Exercises include:
                                          • Using JTool. Analyzing a sample user-mode malware or other binary
                                          • Defeating Code encryption (iOS)
                                          Day 2
                                          3. Advanced Mach-O and DYLD
                                          2(+2) hours
                                          The lesser known and entirely undocumented aspects of Apple's proprietary binary format and loader, including
                                          • DYLD: The Mach-O Loader
                                            • Interfacing with DYLD
                                              • dyld opcodes, binding and linking
                                                • Dynamically interfacing with DYLD through Callbacks and structures
                                                  • Extending/Hacking DYLD
                                                    4. Runtime Environments
                                                    1(+1) hours
                                                    Detailing the two prominent runtimes of OS X and iOS: Objective C and the newcomer, Swift
                                                    • Understanding the Objective-C runtime from the Mach-O perspective
                                                      • Compiler generated code for Objective-C
                                                        • Reverse engineering Objective-C code to the point of decompilation
                                                          • Introduction to Swift binaries
                                                            • Reverse Engineering Swift 3 Binaries

                                                              Exercises include:
                                                              • Reversing an Objective-C Binary
                                                              5. Debugging and Tracing Techniques
                                                              2(+1) hours
                                                              Describing the built-in tools for debugging and profiing in OS X and iOS, as well as those introduced in the book, with a special focus on analyzing process activity, both in and out of a Virtual Machine.
                                                              • Auditing
                                                                • FSEvents
                                                                  • malloc_history, vmmap, and friends
                                                                    • sc_usage, fs_usage, latency, and Kdebug
                                                                      • syslog and ASL
                                                                        • DTrace (OS X)
                                                                          • GDB/LLDB
                                                                            • DYLD_INSERT_LIBRARIES and interposing
                                                                              • Corpses (XNU 3248+)

                                                                                Exercises include:
                                                                                • Creating a KDebug filter
                                                                                • Using (k)DebugView
                                                                                • Using Process Explorer
                                                                                Day 3
                                                                                6. Launchd and XPC
                                                                                2(+1) hours
                                                                                Describing the OS X and iOS user mode startup, via LaunchD , the LaunchDaemons, and LaunchAgents.
                                                                                • Launchd vs. Init
                                                                                  • The roles of launchd
                                                                                    • LaunchAgents and LaunchDaemons
                                                                                      • Launchd as an enabler for malware persistence
                                                                                        • Launchd reverse engineering - iOS 8-9-10/OS X 10.11-10.12 (launchd v2, v3)
                                                                                          • Mach ports (an introduction) and the bootstrap services
                                                                                            • Mach services and XPC
                                                                                              • Undocumented XPC APIs
                                                                                                • XPC message wire format
                                                                                                  • XPC subsystems

                                                                                                  Exercises include:
                                                                                                  • Listing Mach and XPC endpoints
                                                                                                  • Adding a LaunchDaemon and a LaunchAgent
                                                                                                  7. Mach primitives and IPC
                                                                                                  3(+2) hours
                                                                                                  At its very core, XNU contains Mach, the Carnegie Mellon project. Being a microkernel by design, Mach is not a "traditional" Kernel like Windows or Linux. What more, Apple has made significant modifications since Mach 3.0. In this module, we delve deep into Mach, and explain its key concepts, backing their implementations by looking at the actual source code. Exercises specifically demonstrate malware remote code injection by using the lesser known Mach APIs.
                                                                                                  • (re)Introducing Mach
                                                                                                    • The Mach Interface Generator (MIG)
                                                                                                      • Mach Tasks
                                                                                                        • Mach Threads
                                                                                                          • Mach Ports
                                                                                                            • Mach Messages & IPC
                                                                                                              • Mach Virtual Memory

                                                                                                                Exercises include:
                                                                                                                • Enumerating Mach Tasks and Threads
                                                                                                                • Decompiling MIG
                                                                                                                • Using Mach APIs for remote thread injection
                                                                                                                Day 4
                                                                                                                8. XNU, up close
                                                                                                                1 hours
                                                                                                                XNU is still (largely) open source, which provides great benefits when exploring the kernel. In this module we discuss:
                                                                                                                • The kernel source tree layout
                                                                                                                  • Obtaining and compiling XNU, with various options
                                                                                                                    • The Kernel Debug Kit
                                                                                                                      • Reverse engineering without the XNU source (iOS)
                                                                                                                        9. Programming KEXTs
                                                                                                                        1(+1) hours
                                                                                                                        Kernel Extensions, or "KEXTs", are the Mac OS equivalent of Kernel modules. In this module, we detail the architecture of KEXTs, commands used to manipulate them, and the process of creating one.
                                                                                                                        • Anatomy of a Kernel Extension
                                                                                                                          • KEXT code signatures (10.9+) and why they don't work (till 10.11.1)
                                                                                                                            • KEXT related commands:
                                                                                                                              • kextstat/jkextstat
                                                                                                                                • kextload/kextutil
                                                                                                                                  • kextfind
                                                                                                                                  • The OSKext* APIs
                                                                                                                                    • kextd, in detail
                                                                                                                                      • Building a KEXT:
                                                                                                                                        • The Entry and exit
                                                                                                                                          • The Info.plist
                                                                                                                                            • Handling dependencies

                                                                                                                                            Exercises include:
                                                                                                                                            • Using OSKext APIs to display loaded extensions
                                                                                                                                            • Loading a Kext with and without kextd
                                                                                                                                            • Hiding a Kernel Extension
                                                                                                                                            • Using a kext to monitor kernel API hooking
                                                                                                                                            10. I/O Kit
                                                                                                                                            2 (+2) hours
                                                                                                                                            The I/O Kit is a complete driver runtime environment contained in XNU. I/O Kit is object oriented, and makes the development of drivers easier and, in many ways safer, by relying on object oriented concepts such as inheritance and overloading. In this module, we investigate the I/O Kit in depth, examine several IOKit drivers as case studies
                                                                                                                                            • Introducing I/O Kit
                                                                                                                                              • The I/O Kit base classes
                                                                                                                                                • Navigating the I/O Registry
                                                                                                                                                  • I/O Kit as an Attack surface
                                                                                                                                                    • IOUserClients
                                                                                                                                                      • IOConnectCall* methods and the io_user_client_trap

                                                                                                                                                        Exercises include:
                                                                                                                                                        • Reverse Engineer an I/O Kit kernel module
                                                                                                                                                        • Creating a simple I/O Kit fuzzer
                                                                                                                                                        Day 5
                                                                                                                                                        11. The Network Stack (optional)
                                                                                                                                                        1 (+1) hours
                                                                                                                                                        With a heavy flavor of the BSD network stack, Apple took networking in OS X and iOS to the next level. We describe the stack layer by layer, focusing on each layer's implementation and callout APIs (for example, for network security modules, firewall extensions, etc). The detailed discussion includes:
                                                                                                                                                        • The underlying implementation of sockets and address families
                                                                                                                                                          • Socket filtering in XNU
                                                                                                                                                            • Protocol implementations of IPv4, IPv6, and AppleTalk
                                                                                                                                                              • IP protocol filters
                                                                                                                                                                • Networking Interfaces and DLIL
                                                                                                                                                                  • Interface Filters
                                                                                                                                                                    • Berkeley Packet Filter (BPF)
                                                                                                                                                                      • System sockets

                                                                                                                                                                        Exercises include:
                                                                                                                                                                        • Installing packet filters for traffic inspection
                                                                                                                                                                        • Intercepting and forwarding User mode connections
                                                                                                                                                                        12. Security
                                                                                                                                                                        4 hours
                                                                                                                                                                        A detailed discussion of security mechanisms in both OS X and iOS. Dissecting the AppleMobileFileIntegrity and Sandbox kernel extensions. Topics include:
                                                                                                                                                                        • The Mandatory Access Control Framework (MACF)
                                                                                                                                                                          • KAuth
                                                                                                                                                                            • Code Signing, revisited
                                                                                                                                                                              • OS X: Sandboxing and Containers
                                                                                                                                                                                • Reversing the sandbox kext and daemon
                                                                                                                                                                                  • iOS: containermanagerd
                                                                                                                                                                                  • OS X: Quarantine and GateKeeper
                                                                                                                                                                                    • Entitlements
                                                                                                                                                                                      • iOS & 10.10: AppleMobileFileIntegrity
                                                                                                                                                                                        • Detailed deconstruction of amfid
                                                                                                                                                                                          • The AMFI.kext in OS X (10.10+) and iOS
                                                                                                                                                                                          • iOS:lockdownd, and the iOS Jail
                                                                                                                                                                                            • OS X 10.11 "rootless" (System Integrity Protection)
                                                                                                                                                                                              • iOS: Jailbreaking
                                                                                                                                                                                                • Jailbreak exploit path
                                                                                                                                                                                                  • Jailbreak detection methods and heuristics
                                                                                                                                                                                                    • Analysis of classic jailbreaks
                                                                                                                                                                                                    • MacOS and iOS: Malware
                                                                                                                                                                                                      • MacOS: Example of malware analysis (students welcome to bring samples!)
                                                                                                                                                                                                        • iOS: NSO Group's "Pegasus"

                                                                                                                                                                                                        Frequently Asked Questions