| 1. |
Architectural Overview |
|
3 hour |
|
Introduction to the Architecture of OS X and iOS
- Apple's Architectural Diagrams - and why they are so far from the truth
- iOS and its derivatives - TvOS, WatchOS
- A tour of some interesting private frameworks
- The Darwin environment
- XNU: The Kernel
- Hardware
- OS X: x86, x86_64, x86_64h
- iOS: arm, armv7s, armv7k (WatchOS), armv8 (A7+)
- Using sysctl for hardware details
- Review of prerequisites
|
|
The Mach-O file format, up close and personal. Explaining the venerable format and its evolution from NextSTEP throughout Yosemite, and how it is loaded from disk onto the virtual memory of a newly formed or existing process. Special emphasis is given to malware techniques using DYLD, such as dynamic loading, obfuscating, patching import tables, and more.
- What's in a Binary/Fat Binaries
- Intorducing: Mach-O
- Mach-O Types: Executables, bundles, dylibs, kexts, cores, and more
- The Mach-O Load commands
- LC_SEGMENT[64] and setting up the process virtual memory
- Code Signing
- Code Encryption
- Understanding dylib dependencies
- LC_FUNCTION_STARTS and DATA_IN_CODE
- Static Analysis: with otool(1) - and JTool
Exercises include:
- Using JTool. Analyzing a sample user-mode malware or other binary
- Defeating Code encryption (iOS)
|
| Day 2 |
| 3. |
Advanced Mach-O and DYLD |
|
2(+2) hours |
|
The lesser known and entirely undocumented aspects of Apple's proprietary binary format and loader, including
- DYLD: The Mach-O Loader
- Interfacing with DYLD
- dyld opcodes, binding and linking
- Dynamically interfacing with DYLD through Callbacks and structures
- Extending/Hacking DYLD
|
| 4. |
Runtime Environments |
|
1(+1) hours |
|
Detailing the two prominent runtimes of OS X and iOS: Objective C and the newcomer, Swift
- Understanding the Objective-C runtime from the Mach-O perspective
- Compiler generated code for Objective-C
- Reverse engineering Objective-C code to the point of decompilation
- Introduction to Swift binaries
Exercises include:
- Reversing an Objective-C Binary
|
| 5. |
Debugging and Tracing Techniques |
|
2(+1) hours |
|
Describing the built-in tools for debugging and profiing in OS X and iOS, as well as those introduced in the book, with a special focus on analyzing process activity, both in and out of a Virtual Machine.
- Auditing
- FSEvents
- malloc_history, vmmap, and friends
- sc_usage, fs_usage, latency, and Kdebug
- syslog and ASL
- DTrace (OS X)
- GDB/LLDB
- DYLD_INSERT_LIBRARIES and interposing
- Corpses (XNU 3248+)
Exercises include:
- Creating a KDebug filter
- Using (k)DebugView
- Using Process Explorer
|
| Day 3 |
| 6. |
Launchd and XPC |
|
2(+1) hours |
|
Describing the OS X and iOS user mode startup, via LaunchD , the LaunchDaemons, and LaunchAgents.
- Launchd vs. Init
- The roles of launchd
- LaunchAgents and LaunchDaemons
- Launchd as an enabler for malware persistence
- Launchd reverse engineering - iOS 8-9-10/OS X 10.11-10.12 (launchd v2, v3)
- Mach ports (an introduction) and the bootstrap services
- Mach services and XPC
- Undocumented XPC APIs
- XPC message wire format
- XPC subsystems
Exercises include:
- Listing Mach and XPC endpoints
- Adding a LaunchDaemon and a LaunchAgent
|
| 7. |
Mach primitives and IPC |
|
3(+2) hours |
|
At its very core, XNU contains Mach, the Carnegie Mellon project. Being a microkernel by design, Mach is not a "traditional" Kernel like Windows or Linux. What more, Apple has made significant modifications since Mach 3.0. In this module, we delve deep into Mach, and explain its key concepts, backing their implementations by looking at the actual source code. Exercises specifically demonstrate malware remote code injection by using the lesser known Mach APIs.
- (re)Introducing Mach
- The Mach Interface Generator (MIG)
- Mach Tasks
- Mach Threads
- Mach Ports
- Mach Messages & IPC
- Mach Virtual Memory
Exercises include:
- Enumerating Mach Tasks and Threads
- Decompiling MIG
- Using Mach APIs for remote thread injection
|
| Day 4 |
|
XNU is still (largely) open source, which provides great benefits when exploring the kernel. In this module we discuss:
- The kernel source tree layout
- Obtaining and compiling XNU, with various options
- The Kernel Debug Kit
- Reverse engineering without the XNU source (iOS)
|
| 9. |
Programming KEXTs |
|
1(+1) hours |
|
Kernel Extensions, or "KEXTs", are the Mac OS equivalent of Kernel modules. In this module, we detail the architecture of KEXTs, commands used to manipulate them, and the process of creating one.
- Anatomy of a Kernel Extension
- KEXT code signatures (10.9+) and why they don't work (till 10.11.1)
- KEXT related commands:
- kextstat/jkextstat
- kextload/kextutil
- kextfind
- The OSKext* APIs
- kextd, in detail
- Building a KEXT:
- The Entry and exit
- The Info.plist
- Handling dependencies
Exercises include:
- Using OSKext APIs to display loaded extensions
- Loading a Kext with and without kextd
- Hiding a Kernel Extension
- Using a kext to monitor kernel API hooking
|
|
The I/O Kit is a complete driver runtime environment contained in XNU. I/O Kit is object oriented, and makes the development of drivers easier and, in many ways safer, by relying on object oriented concepts such as inheritance and overloading.
In this module, we investigate the I/O Kit in depth, examine several IOKit drivers as case studies
- Introducing I/O Kit
- The I/O Kit base classes
- Navigating the I/O Registry
- I/O Kit as an Attack surface
- IOUserClients
- IOConnectCall* methods and the io_user_client_trap
Exercises include:
- Reverse Engineer an I/O Kit kernel module
- Creating a simple I/O Kit fuzzer
|
| Day 5 |
| 11. |
The Network Stack (optional) |
|
1 (+1) hours |
|
With a heavy flavor of the BSD network stack, Apple took networking in OS X and iOS to the next level. We describe the stack layer by layer, focusing on each layer's implementation and callout APIs (for example, for network security modules, firewall extensions, etc). The detailed discussion includes:
- The underlying implementation of sockets and address families
- Socket filtering in XNU
- Protocol implementations of IPv4, IPv6, and AppleTalk
- IP protocol filters
- Networking Interfaces and DLIL
- Interface Filters
- Berkeley Packet Filter (BPF)
- System sockets
Exercises include:
- Installing packet filters for traffic inspection
- Intercepting and forwarding User mode connections
|
|
A detailed discussion of security mechanisms in both OS X and iOS. Dissecting the AppleMobileFileIntegrity and Sandbox kernel extensions. Topics include:
- The Mandatory Access Control Framework (MACF)
- KAuth
- Code Signing, revisited
- OS X: Sandboxing and Containers
- Reversing the sandbox kext and daemon
- iOS: containermanagerd
- OS X: Quarantine and GateKeeper
- Entitlements
- iOS & 10.10: AppleMobileFileIntegrity
- Detailed deconstruction of amfid
- The AMFI.kext in OS X (10.10+) and iOS
- iOS:lockdownd, and the iOS Jail
- OS X 10.11 "rootless" (System Integrity Protection)
- iOS: Jailbreaking
- Jailbreak exploit path
- Jailbreak detection methods and heuristics
- Analysis of classic jailbreaks
- MacOS and iOS: Malware
- MacOS: Example of malware analysis (students welcome to bring samples!)
- iOS: NSO Group's "Pegasus"
|