├── 2. BinaryAnalysis
│   ├── Overview
│   ├── Dynamic Analysis
│   │   ├── DTrace
│   │   ├── LLDB
│   │   └── Rules
│   └── Static Analysis Tools
├── README.md
├── 1. macOS Security Introduction
│   ├── Objective-C-Tutorials-YouTube
│   └── Architecture-Resources
├── 3. Crafting Shellcodes
│   ├── MachO-Format
│   ├── XNU-Syscalls
│   ├── x64 Assembly
│   ├── Execve-asm
│   └── HelloWorldLin.s
└── 4. Dylib Injection
    └── DYLIB Injection

/2. BinaryAnalysis/Overview:
--------------------------------------------------------------------------------
Dynamic and static analysis allow us to debug applications and better understand them.

--------------------------------------------------------------------------------
/2. BinaryAnalysis/Dynamic Analysis/DTrace:
--------------------------------------------------------------------------------
DTrace in an Hour (or Two) - First Time Through Script: https://www.youtube.com/watch?v=G-vqhmCYqc8

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# macOS-Exploit-Dev
Resources, scripts, and overviews of the knowledge I collect going through Offensive Security's macOS Exploit Development course.

--------------------------------------------------------------------------------
/2. BinaryAnalysis/Dynamic Analysis/LLDB:
--------------------------------------------------------------------------------
LLDB Quick Tutorial: https://www.youtube.com/watch?v=ECDaMUJ4INI
Official LLDB Tutorial Page: https://lldb.llvm.org/use/tutorial.html

--------------------------------------------------------------------------------
/1. macOS Security Introduction/Objective-C-Tutorials-YouTube:
--------------------------------------------------------------------------------
Objective C Tutorial: https://www.youtube.com/watch?v=5esQqZIJ83g
Objective C Programming Playlist Tutorials: https://www.youtube.com/playlist?list=PL640F44F1C97BA581
etc.

--------------------------------------------------------------------------------
/2. BinaryAnalysis/Dynamic Analysis/Rules:
--------------------------------------------------------------------------------
Cannot attach debugger to Helper app on macOS (com.apple.security.get-task-allow): https://developer.apple.com/forums/thread/127544
Debugging notarized app not possible: https://developer.apple.com/forums/thread/118450

--------------------------------------------------------------------------------
/3. Crafting Shellcodes/MachO-Format:
--------------------------------------------------------------------------------
Common assembly in Linux:

.section data
.section text
# your code here

Translate into Mach-O:

.section __DATA,__data
# __DATA is the segment, __data is the section
.section __TEXT,__text
# __TEXT is the segment, __text is the section
# your code here

--------------------------------------------------------------------------------
/2. BinaryAnalysis/Static Analysis Tools:
--------------------------------------------------------------------------------
Codesign: https://www.digicert.com/kb/code-signing/mac-os-codesign-tool.htm
Objdump man page: https://man7.org/linux/man-pages/man1/objdump.1.html
jtool2: http://www.newosxbook.com/tools/jtool.html

Hopper Disassembler:
CNIT 127: Hopper Debugger: https://www.youtube.com/watch?v=vXFMHKdCUiA
Intro to Hopper: https://www.youtube.com/watch?v=yk3agTVwVGI

--------------------------------------------------------------------------------
/4. Dylib Injection/DYLIB Injection:
--------------------------------------------------------------------------------
Deep-Dive DYLIB Injection for macOS: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
Hijack Execution Flow: Dynamic Linker Hijacking: https://attack.mitre.org/techniques/T1574/006/

DLL Hijacking on OS X: https://www.youtube.com/watch?v=PGVNja2MNws
Automated Dylib Hijacking: https://www.youtube.com/watch?v=pHowAQsgytI

--------------------------------------------------------------------------------
/3. Crafting Shellcodes/XNU-Syscalls:
--------------------------------------------------------------------------------
To perform a system call, you put the system call number in %eax and the actual exit code in %ebx.
The system call number can be found in /usr/include/sys/syscall.h.

#define SYS_syscall 0
#define SYS_exit 1
#define SYS_fork 2
#define SYS_read 3
#define SYS_write 4
#define SYS_open 5
#define SYS_close 6
#define SYS_wait4 7

The system call number needs an added offset of 0x2000000, because OSX has 4 different classes of system calls.

Reference: https://opensource.apple.com/source/xnu/xnu-1699.26.8/osfmk/mach/i386/syscall_sw.h

--------------------------------------------------------------------------------
/3. Crafting Shellcodes/x64 Assembly:
--------------------------------------------------------------------------------
YouTube Playlist: https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA

x86 64 Assembly Tutorial for Mac OS, Part 1: "Hello, World": https://www.youtube.com/watch?v=qhkEOyK1ek0
x86_64 ASM for MacOS Part 2: Structs, Functions, Loops and Arrays: https://www.youtube.com/watch?v=xY248ZxuNBw

Fun with machO x86-64 shellcode (Part 1): https://www.youtube.com/watch?v=o8SQk0IH_x0
Fun with machO x86-64 shellcode (Part 2): https://www.youtube.com/watch?v=fm-bwZMm2H0

Developing custom shellcode in x64 using pure assembly: https://wajid-nawazish.medium.com/developing-custom-shellcode-in-x64-57172a885d77

Writing 64 Bit Assembly on Mac OS X: http://www.idryman.org/blog/2014/12/02/writing-64-bit-assembly-on-mac-os-x/
How to write and load shellcode on macOS: https://0xc0decafe.com/write-and-load-shellcode-on-macos/

Series:
Part 1: Introduction to x86_64 shellcoding: https://nekosecurity.com/x86-64-shellcoding/part-1-introduction-to-x86_64-shellcoding
Part 2: Shellcode creation: https://nekosecurity.com/x86-64-shellcoding/part-2-shellcode-creation
Part 3: Execve Shellcode: https://nekosecurity.com/x86-64-shellcoding/part-3-execve-shellcode

Same creator, x86-64 Assembly Series: https://nekosecurity.com/x86-64-assembly/part-1-introduction

--------------------------------------------------------------------------------
/3. Crafting Shellcodes/Execve-asm:
--------------------------------------------------------------------------------
Documentation Archive: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/execve.2.html

NAME
execve -- execute a file

SYNOPSIS
#include

int
execve(const char *path, char *const argv[], char *const envp[]);

DESCRIPTION
Execve() transforms the calling process into a new process. The new
process is constructed from an ordinary file, whose name is pointed to by
path, called the new process file. This file is either an executable
object file, or a file of data for an interpreter. An executable object
file consists of an identifying header, followed by pages of data
representing the initial program (text) and initialized data pages.
Additional pages may be specified by the header to be initialized with
zero data; see a.out(5).

-------------------------------------------------------------------------------------
bits 64

xor esi, esi        ; esi = 0
mul esi             ; eax = 0, edx = 0
bts eax, 25         ; eax = 0x02000000
mov al, 59          ; rax = sys_execve
mov rbx, '/bin//sh'
push rdx            ; 0
push rbx            ; "/bin//sh"
push rsp
pop rdi             ; rdi = "/bin//sh", 0
syscall

--------------------------------------------------------------------------------
/1. macOS Security Introduction/Architecture-Resources:
--------------------------------------------------------------------------------
Reads:

Architecture of macOS: https://en.wikipedia.org/wiki/Architecture_of_macOS
Apple File System (APFS): https://support.apple.com/guide/security/role-of-apple-file-system-seca6147599e/web
Signed System Volume security in macOS: https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/1/web/1
Signed System Volume: https://support.apple.com/guide/mac-help/what-is-a-signed-system-volume-mchl0f9af76f/mac
Signed System Volume: https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web
Firmlinks: http://www.swiftforensics.com/2019/10/macos-1015-volumes-firmlink-magic.html
File System Structure macOS: https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW14
Property List: https://www.oreilly.com/library/view/mac-os-x/0596003706/ch17s02.html
Bundle (macOS): https://en.wikipedia.org/wiki/Bundle_(macOS)
Introduction to Mac OS X Bundles: http://mirror.informatimago.com/next/developer.apple.com/documentation/MacOSX/Conceptual/BPBundles/BPBundles.html
Dynamic Linker: https://en.wikipedia.org/wiki/Dynamic_linker
Using Dynamic Libraries Apple Support: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/UsingDynamicLibraries.html
Overview of Mach-O Executable Format: https://en.wikipedia.org/wiki/Architecture_of_macOS

--------------------------------------------------------------------------------
/3. Crafting Shellcodes/HelloWorldLin.s:
--------------------------------------------------------------------------------
; Blog Training: https://www.briansteffens.com/introduction-to-64-bit-assembly/01-hello-world/

section .data                   ; The data section contains data which the program will use. When the program runs, the contents of this section are loaded into memory and made available to the code.
message db "Hello, World!", 10  ; message = the name you will use later. db = the data type; db means the data being declared is a series of bytes. Bytes are 8-bit integers with a value from 0-255. 10 = the ASCII code for a newline character.

section .text                   ; Marks the end of the data section and the beginning of the text section, which is where the code goes.

global _start                   ; Defines the entry point of the program. When the program is run, the line immediately following _start: is executed. This is how the computer knows which instruction to start with.
_start:
    mov rax, 1                  ; Put the value 1 (sys_write on Linux x86-64) into the register rax.
    mov rdi, 1                  ; Load the value 1 into the register rdi. 1 stands for STDOUT, which means write to the console. This could also be 2 to write to STDERR, which is normally where errors are written.
    mov rsi, message            ; rsi is set to the beginning of our "Hello, World!" string.
    mov rdx, 14                 ; How many bytes of message to write. 14 is how many characters our string is (13 plus the newline).
    syscall                     ; Lets the OS know we have some work for it to do.
    mov rax, 60                 ; sys_exit on Linux x86-64, so execution does not run off the end of .text.
    xor rdi, rdi                ; Exit status 0.
    syscall

; Code Without Comments:
section .data
message db "Hello, World!", 10
section .text
global _start
_start:
    mov rax, 1
    mov rdi, 1
    mov rsi, message
    mov rdx, 14
    syscall
    mov rax, 60
    xor rdi, rdi
    syscall
--------------------------------------------------------------------------------
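The XNU-Syscalls notes above state that a BSD system call number needs the 0x2000000 offset, and the Execve-asm stub builds exactly that value with `bts eax, 25` followed by `mov al, 59`. The following Python is an added example for both of those passages; it is not part of the course notes or of XNU. It encodes and decodes the x86-64 scheme using the constants from osfmk/mach/i386/syscall_sw.h (SYSCALL_CLASS_SHIFT = 24, class 2 = UNIX); the name table is a constructed subset of sys/syscall.h (the entries quoted in the notes plus execve), and the function names are my own.

```python
# Added example (not from the course notes or XNU): encode/decode the x86-64
# XNU syscall-number scheme from osfmk/mach/i386/syscall_sw.h.

SYSCALL_CLASS_SHIFT = 24                                  # from syscall_sw.h
SYSCALL_CLASS_MASK = 0xFF << SYSCALL_CLASS_SHIFT          # 0xFF000000
SYSCALL_NUMBER_MASK = ~SYSCALL_CLASS_MASK & 0xFFFFFFFF    # 0x00FFFFFF

# Class ids as defined in syscall_sw.h.
SYSCALL_CLASSES = {
    0: "NONE",
    1: "MACH",   # Mach traps
    2: "UNIX",   # BSD system calls numbered by sys/syscall.h
    3: "MDEP",   # machine-dependent
    4: "DIAG",   # diagnostics
}

# Constructed subset of sys/syscall.h: the entries quoted in the notes plus
# execve (59), the number the notes' stub loads with `mov al, 59`.
BSD_SYSCALLS = {
    0: "syscall", 1: "exit", 2: "fork", 3: "read", 4: "write",
    5: "open", 6: "close", 7: "wait4", 59: "execve",
}


def encode(class_id, number):
    """Return the 32-bit eax/rax value: class id in the top byte, number below."""
    if class_id not in SYSCALL_CLASSES:
        raise ValueError(f"unknown syscall class {class_id}")
    if number & ~SYSCALL_NUMBER_MASK:
        raise ValueError("syscall number does not fit below the class bits")
    return (class_id << SYSCALL_CLASS_SHIFT) | number


def decode(rax):
    """Split an eax/rax value read at a `syscall` instruction in a debugger
    into (class name, raw number, BSD name or '?')."""
    rax &= 0xFFFFFFFF                         # only the low 32 bits carry the encoding
    class_id = (rax & SYSCALL_CLASS_MASK) >> SYSCALL_CLASS_SHIFT
    number = rax & SYSCALL_NUMBER_MASK
    cls = SYSCALL_CLASSES.get(class_id, f"UNKNOWN({class_id})")
    name = BSD_SYSCALLS.get(number, "?") if cls == "UNIX" else "?"
    return cls, number, name


def rax_from_execve_stub():
    """Replay the register arithmetic of the notes' execve stub on a 64-bit rax:
    `mul esi` (esi = 0) clears rax, `bts eax, 25` sets bit 25 (0x02000000),
    and `mov al, 59` replaces only the low byte."""
    rax = 0                       # mul esi with esi = 0 -> eax = 0, edx = 0
    rax |= 1 << 25                # bts eax, 25 -> 0x02000000
    rax = (rax & ~0xFF) | 59      # mov al, 59  -> 0x0200003B
    return rax


if __name__ == "__main__":
    print(hex(encode(2, 4)), decode(encode(2, 4)))          # write
    print(hex(rax_from_execve_stub()), decode(rax_from_execve_stub()))
```

When stepping through a sample in LLDB, read rax at a `syscall` instruction and pass it to decode() to see which class and BSD call is about to run; 0x0200003B decodes to ("UNIX", 59, "execve"). This is the i386/x86-64 encoding only: on arm64 macOS the number goes in x16 and BSD calls do not carry the 0x2000000 class offset.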