| 1. |
Architectural Overview |
|
3 hours |
|
Introduction to the Architecture of macOS and iOS
- Apple's Architectural Diagrams - and why they are so far from the truth
- iOS and its derivatives - TvOS, WatchOS
- A tour of some interesting private frameworks
- The Darwin environment
- XNU: The Kernel
- Hardware
- macOS: x86, x86_64, x86_64h
- iOS: armv8 (A7+) and armv8e (A11)
- Apple Silicon and (macOS) Rosetta II
- Using sysctl for hardware details
- Using MobileGestalt for hardware and software details
- Review of prerequisites
|
| 2. |
What's in an IPSW |
|
2(+1) hours |
|
Apple's ecosystems are far more than just "macOS" or "iOS". The platform consists not just of the main Application Processor (AP), which runs Darwin, but also numerous coprocessors which handle hardware devices. These are not only critical to system function, but also to its security. And they're entirely (purposely) undocumented..
- Unpacking an IPSW or macOS OTA
- DMGs and .aea (Apple Encrypted Archives)
- The .im4p (DER) format
- iBoot
- Coprocessor firmwares and RTKit
- Brief overview of SPTM and TXM (Darwin 24+)
- RTKit images
- Putting it together - the boot sequence
Exercises include:
- hands-on unpacking and exploiring an IPSW
|
|
The Mach-O file format, up close and personal. Explaining the venerable format and its evolution from NextSTEP throughout Yosemite, and how it is loaded from disk onto the virtual memory of a newly formed or existing process. Special emphasis is given to malware techniques using DYLD, such as dynamic loading, obfuscating, patching import tables, and more.
- What's in a Binary/Fat Binaries
- Intorducing: Mach-O
- Mach-O Types: Executables, bundles, dylibs, kexts, cores, and more
- The Mach-O Load commands
- LC_SEGMENT[64] and setting up the process virtual memory
- LC_FILESETs
- Code Signing
- Code Encryption
- Understanding dylib dependencies
- LC_FUNCTION_STARTS and DATA_IN_CODE
- Static Analysis: with otool(1) - and disarm(j)
Exercises include:
- Using disarm(j) Analyzing a sample user-mode malware or other binary
- Defeating Code encryption (iOS)
|
| 4. |
Advanced Mach-O and DYLD |
|
2(+2) hours |
|
The lesser known and entirely undocumented aspects of Apple's proprietary binary format and loader, including
- DYLD: The Mach-O Loader
- Interfacing with DYLD
- dyld opcodes, binding and linking
- LC_CHAINED_FIXUPS
- dyld rebase chains
- Dynamically interfacing with DYLD through Callbacks and structures
- Extending/Hacking DYLD
|
| 5. |
Processes & Threads Internals |
|
2(+1) hours |
|
Darwin's process management uses advanced proprietary APIs, which go above and beyond those of POSIX. Its libsystem_malloc allows for various memory management strategies. The Grand Central Dispatcher (GCD), introduced way back in 10.6, has become the de facto standard for thread management, entirely obviating the need for complicated synchronization in favor of blocks and dispatch queues. This module discusses these two aspects in detail, along with other interesting, useful , but often undocumented interfaces.
- The Darwin stack layout
- Heap Management using
libmalloc APIs - libmalloc zone
- The scalablle magazine allocator
- Darwin 24+: The xzone allocator
- Grand Central Dispatcher & Blocks
Exercises include:
- Memory inspection using custom core dumps and the
memento(j) tool
|
| 6. |
Debugging and Tracing Techniques |
|
2(+1) hours |
|
Describing the built-in tools for debugging and profiing in macOS and iOS, as well as those introduced in the book, with a special focus on analyzing process activity, both in and out of a Virtual Machine.
- Auditing (deprecated in Ventura)
- Endpoint Security Framework
- FSEvents
- malloc_history, vmmap, and friends
- sc_usage, fs_usage, latency, and Kdebug
- syslog and ASL
- DTrace (macOS)
- LLDB
- Interfacing directly with
debugserver
- DYLD_INSERT_LIBRARIES and interposing
- Corpses
Exercises include:
- Creating a KDebug filter
- Using (k)DebugView
- Using Process Explorer
|
| 7. |
Launchd and XPC |
|
2(+1) hours |
|
Describing the macOS and iOS user mode startup, via LaunchD , the LaunchDaemons, and LaunchAgents.
- Launchd vs. Init
- The roles of launchd
- LaunchAgents and LaunchDaemons
- Launchd as an enabler for malware persistence
- Launchd reverse engineering
- Mach ports (an introduction) and the bootstrap services
- Mach services and XPC
- Undocumented XPC APIs
- XPC message wire format
- XPC subsystems
Exercises include:
- Listing Mach and XPC endpoints
- Adding a LaunchDaemon and a LaunchAgent
|
| 8. |
Mach primitives and IPC |
|
4(+2) hours |
|
At its very core, XNU contains Mach, the Carnegie Mellon project. Being a microkernel by design, Mach is not a "traditional" Kernel like Windows or Linux. What more, Apple has made significant modifications since Mach 3.0. In this module, we delve deep into Mach, and explain its key concepts, backing their implementations by looking at the actual source code. Exercises specifically demonstrate malware remote code injection by using the lesser known Mach APIs.
- (re)Introducing Mach
- The Mach Interface Generator (MIG)
- Mach Tasks
- Mach Threads
- Mach Ports
- Mach Messages & IPC
- Mach Virtual Memory
Exercises include:
- Enumerating Mach Tasks and Threads
- Decompiling MIG
- Using Mach APIs for remote thread injection
|
-----------
|
A detailed discussion of security mechanisms in both macOS and iOS. Dissecting the AppleMobileFileIntegrity and Sandbox kernel extensions. Topics include:
- The Mandatory Access Control Framework (MACF)
- KAuth
- Code Signing, revisited
- macOS: Sandboxing and Containers
- Reversing the sandbox kext and daemon
- iOS: containermanagerd
- macOS: Quarantine and GateKeeper
- Entitlements
- iOS & 10.10: AppleMobileFileIntegrity
- Detailed deconstruction of amfid
- The AMFI.kext in macOS (10.10+) and iOS
- iOS:lockdownd, and the iOS Jail
- macOS 10.11 "rootless" (System Integrity Protection)
- iOS: Jailbreaking
- Jailbreak exploit path
- Jailbreak detection methods and heuristics
- Analysis of classic jailbreaks
- MacOS and iOS: Malware
- MacOS: Example of malware analysis (students welcome to bring samples!)
- iOS: NSO Group's "Pegasus"
|