├── .travis.yml
├── contributing.md
├── LICENSE
└── README.md

/.travis.yml:
--------------------------------------------------------------------------------
language: ruby
rvm:
  - 2.2
before_script:
  - gem install awesome_bot
script:
  - awesome_bot README.md --white-list 'posts.specterops.io,www.fireeye.com,www.alienvault.com,www.blackbagtech.com,arstechnica.com'
--------------------------------------------------------------------------------

/contributing.md:
--------------------------------------------------------------------------------
# Contribution Guidelines

Please ensure your pull request adheres to the following guidelines:

- Search previous suggestions before making a new one, as yours may be a duplicate.
- Make sure your entry is useful before submitting.
- Make an individual pull request for each suggestion.
- Titles should be [capitalized](http://grammar.yourdictionary.com/capitalization/rules-for-capitalization-in-titles.html).
- Link additions should be added to the bottom of the relevant category.
- New categories or improvements to the existing categorization are welcome.
- Check your spelling and grammar.
- Make sure your text editor is set to remove trailing whitespace.
- The pull request and commit should have a useful title.

Thank you for your suggestions!
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License.
      Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution.
      You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability.
      In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "{}"
      replaced with your own identifying information. (Don't include
      the brackets!) The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright {yyyy} {name of copyright owner}

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
osx-security-awesome [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) [![Travis](https://api.travis-ci.org/kai5263499/osx-security-awesome.svg?branch=master)](https://travis-ci.org/kai5263499/osx-security-awesome)

------------------------------------------------------------------------------------------

A collection of OSX/iOS security-related resources

* [**News**](#news)
* [**Hardening**](#hardening)
* [**Malware sample sources**](#malware-sample-sources)
* [**DFIR**](#digital-forensics--incident-response-dfir)
* [**Reverse engineering**](#reverse-engineering)
* [**Presentations and Papers**](#presentations-and-papers)
* [**Virus and exploit writeups**](#virus-and-exploit-writeups)
* [**Useful tools and guides**](#useful-tools-and-guides)
* [**Remote Access Toolkits**](#remote-access-toolkits)
* [**Worth following on Twitter**](#worth-following-on-twitter)

------------------------------------------------------------------------------------------

## News

---------------------------------------------------------------------
### [Linking a microphone](https://ubrigens.com/posts/linking_a_microphone.html)
* The story of CVE-2018-4184, or how a vulnerability in OSX's Speech system allowed apps with access to the microphone to escape sandbox restrictions

### [iOS vulnerability write-up](https://github.com/writeups/iOS)
* A repository of iOS vulnerability write-ups as they are released
* Also includes conference papers

### [iOS display bugs](https://docs.google.com/document/d/1TDCVavaqDJCFjcQxZsL6InzHxPEYWwMMMh9QtfRGjbY/edit)
* Regularly updated list of iOS display bugs

### [Mac Virus](https://macviruscom.wordpress.com)
* Frequently updated blog that provides a good summary of the latest unique Mac malware.

### [Intego Mac Security Blog](https://www.intego.com/mac-security-blog/)
* Intego's corporate Mac security blog often contains recent and in-depth analysis of Mac malware and other security issues

### [Objective-See](https://objective-see.com/blog.html)
* Objective-See's blog often contains in-depth breakdowns of malware they've reverse engineered and vulnerabilities they've discovered.

### [The Safe Mac](https://www.thesafemac.com/)
* Resource to help educate Mac users about security issues. Contains historical as well as timely security updates.

### [Mac Security](https://macsecurity.net/news)
* Another Mac security blog. This often includes more in-depth analysis of specific threats.

### [OSX Daily](https://osxdaily.com/)
* Not strictly security-specific, but it contains jailbreaking information, which has security implications

## Hardening

### [macops](https://github.com/google/macops)
* Utilities, tools, and scripts for managing and tracking a fleet of Macintoshes in a corporate environment, collected by Google

### [SUpraudit](http://newosxbook.com/tools/supraudit.html)
* System monitoring tool

### [EFIgy](https://github.com/duo-labs/EFIgy)
* A RESTful API and client that helps Apple Mac users determine if they are running the expected EFI firmware version given their Mac hardware and OS build version

### [Launchd](https://www.launchd.info/)
* Everything you need to know about the launchd service

### [OSX startup sequence](http://osxbook.com/book/bonus/ancient/whatismacosx/arch_startup.html)
* Step-by-step guide to the startup process

### [Google OSX hardening](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet)
* Google's system hardening guide

### [Run any command in a sandbox](https://www.davd.io/os-x-run-any-command-in-a-sandbox/)
* How-to for using OSX's sandbox system

### [Sandblaster](https://github.com/malus-security/sandblaster)
* Reversing the Apple sandbox
* [Paper](https://arxiv.org/pdf/1608.04303.pdf)

### [OSX El Capitan Hardening Guide](https://github.com/ernw/hardening/blob/master/operating_system/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md)
* Hardening guide for El Capitan

### [Hardening hardware and choosing a good BIOS](https://media.ccc.de/v/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge)
* Protecting your hardware from "evil maid" attacks

## Malware sample sources
### [Objective-See](https://objective-see.com/malware.html)
* Curated list of malware samples. Use this list if you're looking for interesting samples to reverse engineer
### [Alien Vault](https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed)
### [Contagio malware dump](http://contagiodump.blogspot.com/2013/11/osx-malware-and-exploit-collection-100.html)

## Digital Forensics / Incident Response (DFIR)
### APOLLO tool
* Python tool for advanced forensics analysis
* [Presentation slides](https://github.com/mac4n6/Presentations/blob/master/LaunchingAPOLLO/LaunchingAPOLLO.pdf)
* [Source code](https://github.com/mac4n6/APOLLO)
### [venator](https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56)
* Python tool for proactive detection of malware and trojans
* [Source](https://github.com/richiercyrus/Venator)
### [lynis](https://github.com/CISOfy/lynis/)
* Security auditing tool for UNIX-based systems, including macOS
### [AutoMacTC](https://github.com/CrowdStrike/automactc)
* [Modular forensic triage collection framework](https://www.crowdstrike.com/blog/automating-mac-forensic-triage/) from CrowdStrike
### [Legacy Exec History](https://github.com/knightsc/system_policy)
* OSQuery module to give you a report of 32-bit processes running on a 10.14 machine
### [Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage](https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage)
### [Artefacts for Mac OSX](http://sud0man.blogspot.com/2015/05/artefacts-for-mac-os-x.html?m=1)
* Locations of sensitive files
### [Pac4Mac](https://github.com/sud0man/pac4mac)
* Forensics framework
### [Inception](https://github.com/carmaa/inception)
* Physical memory manipulation
### [Volafox](https://github.com/n0fate/volafox)
* Memory analysis toolkit
### [Mac4n6](https://github.com/pstirparo/mac4n6)
* Collection of OSX and iOS artifacts
### [Keychain analysis with Mac OSX Forensics](https://repo.zenk-security.com/Forensic/Keychain%20Analysis%20with%20Mac%20OS%20X%20Memory%20Forensics.pdf)
### [OSX Collector](https://github.com/Yelp/osxcollector)
* Forensics utility developed by Yelp
### [OSX incident response](https://www.youtube.com/watch?v=gNJ10Kt4I9E)
* OSX incident response at GitHub ([slides](https://speakerdeck.com/sroberts/hipster-dfir-on-osx-bsidescincy))
### [iOS Instrumentation without jailbreaking](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/)
* How to debug an iOS application that you didn't create
### [Certo](https://www.certosoftware.com/)
* Paid service for analyzing the iTunes backup of your iOS device
### [Blackbag Tech free tools](https://www.blackbagtech.com/resources/free-tools/)
### [OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility](https://ponderthebits.com/2017/02/osx-mac-memory-acquisition-and-analysis-using-osxpmem-and-volatility/)
### [mac-apt](https://github.com/ydkhatri/mac_apt)
* Mac Artifact Parsing Tool for processing full disk images and extracting useful information
* The author also has a collection of [DFIR scripts](https://github.com/ydkhatri/MacForensics)

## Reverse engineering
### [New OS X Book](http://www.newosxbook.com/)
* Frequently updated book on OSX internals
### [Collection of OSX reverse engineering resources](https://github.com/michalmalik/osx-re-101)
* Another Awesome-style list dedicated to OSX reverse engineering resources
### [The iPhone Wiki](https://www.theiphonewiki.com/wiki/Main_Page)
### [Reverse engineering OSX](https://reverse.put.as/)
### [OSX crackmes](https://reverse.put.as/crackmes/)
* A collection of puzzles to test your reverse engineering skills
### [Introduction to Reverse Engineering Cocoa Applications](https://www.fireeye.com/blog/threat-research/2017/03/introduction_to_reve.html)
* Walkthrough for Cocoa applications
### [iOS Kernel source](https://github.com/apple/darwin-xnu)
* Source code for the iOS kernel
### [Reverse Engineering Challenges](https://challenges.re/)
* Very good list of various crackme challenges, categorized by level and OS
### [Awesome Reversing](https://github.com/tylerha97/awesome-reversing)
* Awesome list dedicated to reversing

## Presentations and Papers
### [Area41 2018: Daniel Roethlisberger: Monitoring MacOS For Malware And Intrusions](https://www.youtube.com/watch?v=OSSkBgn_xJs&feature=youtu.be)
### [Windshift APT](https://www.youtube.com/watch?v=Mza6qv4mY9I&feature=youtu.be&t=6h12m24s)
* [Deep-dive write-up by Objective-See](https://objective-see.com/blog/blog_0x38.html)
### [Automated Binary Analysis on iOS – A Case Study on Cryptographic Misuse in iOS Applications](https://pure.tugraz.at/ws/portalfiles/portal/17749575)
* Examining iOS applications for poorly guarded secrets
### [Writing Bad @$$ Malware for OSX](https://www.youtube.com/watch?v=fv4l9yAL2sU)
* [Slides](https://www.slideshare.net/Synack/writing-bad-malware-for-os-x) and [another related video](https://www.youtube.com/watch?v=oT8BKt_0cJw).
### [Methods of Malware Persistence on OSX](https://www.youtube.com/watch?v=rhhvZnA4VNY)
### [Advanced Mac OSX Rootkits](https://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf)
### [The Python Bites Your Apple](https://speakerdeck.com/flankerhqd/the-python-bites-your-apple-fuzzing-and-exploiting-osx-kernel-bugs)
* Fuzzing and exploiting OSX kernel bugs
### [Breaking iOS Code Signing](https://papers.put.as/papers/ios/2011/syscan11_breaking_ios_code_signing.pdf)
### [The Apple Sandbox - 5 years later](http://newosxbook.com/files/HITSB.pdf)
### [Practical iOS App Hacking](https://papers.put.as/papers/ios/2012/Mathieu-RENARD-GreHACK-Practical-iOS-App-Hacking.pdf)
### [Behavioral Detection and Prevention of Malware on OS X](https://www.virusbulletin.com/blog/2016/september/paper-behavioural-detection-and-prevention-malware-os-x/)
### [Security on OSX and iOS](https://www.youtube.com/watch?v=fdxxPRbXPsI)
* [Slides](https://www.slideshare.net/nosillacast/security-on-the-mac)

### [Thunderstrike](https://trmm.net/Thunderstrike_31c3)
* [Video](https://www.youtube.com/watch?v=5BrdX7VdOr0), hacking the Mac's Extensible Firmware Interface (EFI)
### [Direct Memory Attack the Kernel](https://github.com/ufrisk/presentations/blob/master/DEFCON-24-Ulf-Frisk-Direct-Memory-Attack-the-Kernel-Final.pdf)
### [Don't trust your eye, Apple graphics is compromised](https://speakerdeck.com/marcograss/dont-trust-your-eye-apple-graphics-is-compromised)
* Security flaws in IOKit's graphics acceleration that lead to exploitation from the browser
### [Fuzzing and Exploiting OSX Vulnerabilities for Fun and Profit: Complementary Active & Passive Fuzzing](https://www.slideshare.net/PacSecJP/moony-li-pacsec18?qid=15552f01-6655-4555-9894-597d62fd803c)
### [Strolling into Ring-0 via I/O Kit Drivers](https://speakerdeck.com/patrickwardle/o-kit-drivers)

### [Juice Jacking](https://www.youtube.com/watch?v=TKAgemHyq8w)
### [Attacking OSX for fun and profit: tool set limitations, frustration and table flipping (Dan Tentler)](https://www.youtube.com/watch?v=9T_2KYox9Us)
* [Follow-up from target](https://www.youtube.com/watch?v=bjYhmX_OUQQ)
### [Building an EmPyre with Python](https://www.youtube.com/watch?v=79qzgVTP3Yc)
### [PoisonTap](https://www.youtube.com/watch?v=Aatp5gCskvk)
### [Storing our Digital Lives - Mac Filesystems from MFS to APFS](https://www.youtube.com/watch?v=uMfmgcnrn24)
* [Slides](http://macadmins.psu.edu/files/2017/07/psumac2017-174-Storing-our-digital-lives-Mac-filesystems-from-MFS-to-APFS.key-254bf2y.pdf)
### [Collection of mac4n6 papers/presentations](https://drive.google.com/drive/folders/0B37-sa0Wh9_TdjVSbzRvMEVGQ2c)
### [The Underground Economy of Apple ID](https://www.youtube.com/watch?v=4acVKs9WPts)
### [iOS of Sauron: How iOS Tracks Everything You Do](https://www.youtube.com/watch?v=D6cSiHpvboI)
### [macOS/iOS Kernel Debugging and Heap Feng Shui](https://github.com/zhengmin1989/MyArticles/blob/master/PPT/DEFCON-25-Min-Spark-Zheng-macOS-iOS-Kernel-Debugging.pdf)
### [Billy Ellis iOS/OSX hacking YouTube channel](https://www.youtube.com/channel/UCk2sx_3FUkKvDGlIhdUQa8A)
### [A Technical Autopsy of the Apple - FBI Debate using iPhone forensics | SANS DFIR Webcast](https://www.youtube.com/watch?v=_q_2mN8U91o)
### [Jailbreaking Apple Watch at DEFCON-25](https://www.youtube.com/watch?v=eJpbi-Qz6Jc)
### [SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles](http://www.icri-sc.org/fileadmin/user_upload/Group_TRUST/PubsPDF/sandscout-final-ccs-2016.pdf)
* An exploration of the sandbox protection policies
* [Presentation](https://www.youtube.com/watch?v=TnwXEDCIowQ)

## Virus and exploit writeups
### [Detailed Analysis of macOS/iOS Vulnerability CVE-2019-6231](https://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231.html)
* Exploration of a QuartzCore/CoreAnimation flaw that allows a malicious application to read restricted memory.
### [kernelcache laundering](https://github.com/Synacktiv-contrib/kernelcache-laundering)
* Load iOS 12 kernelcaches and PAC code in IDA
### [blanket](https://github.com/bazad/blanket)
* Proof of concept for CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6
### [Proof of Concept for Remote Code Execution in WebContent](https://github.com/externalist/exploit_playground/blob/master/CVE-2018-4233/pwn_i8.js)
* [MachO tricks](https://iokit.racing/machotricks.pdf) - Appears to be slides from a presentation that ends with the CVE listed above
### [There's Life in the Old Dog Yet: Tearing New Holes into Intel/iPhone Cellular Modems](https://comsecuris.com/blog/posts/theres_life_in_the_old_dog_yet_tearing_new_holes_into_inteliphone_cellular_modems/)
* How the public warning system can be used as an attack vector
### [I can be Apple, and so can you](https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/)
* An exploration of a code signing vulnerability in macOS that has persisted for 11 years
* [Creating signed and customized backdoored macOS apps](https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187)
### [Leveraging emond on macOS for persistence](https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124)
### [APFS credential leak vulnerability](https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp)
* A flaw in Unified Logs leaks the password for encrypted APFS volumes

### [A fun XNU infoleak](https://bazad.github.io/2018/03/a-fun-xnu-infoleak/)
### Meltdown
* CPU flaw allowing kernel memory to be accessed by hijacking speculative execution
* [Proof of concept](https://github.com/gkaindl/meltdown-poc)
* [Apple's statement](https://support.apple.com/en-us/HT208394)
* [Measuring OSX Meltdown patches performance](https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/)
* [iPhone performance after Spectre patch](https://www.gsmarena.com/spectre_and_meltdown_testing_performance_impact_on_iphone_8_plus-news-29132.php)
### [Flashback](https://www.cnet.com/news/more-than-600000-macs-infected-with-flashback-botnet/)
* [Detailed analysis](https://www.intego.com/mac-security-blog/more-about-the-flashback-trojan-horse/)
### [Flashback pt 2](https://www.intego.com/mac-security-blog/flashback-botnet-is-adrift/)
### [iWorm](https://www.thesafemac.com/iworm-method-of-infection-found/)
* [Detailed analysis](https://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/)
### [Thunderbolt](https://www.theregister.co.uk/2015/01/08/thunderstrike_shocks_os_x_with_first_firmware_bootkit/)
* Firmware bootkit
### [Malware in firmware: how to exploit a false sense of security](https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/)
* A post on the resurgence of bootkits and how to defend against them
### [Proton RAT](https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does)
* Exploration of a Remote Access Toolkit

### [Mokes](https://thehackernews.com/2016/09/cross-platform-malware.html)
### [MacKeeper](https://www.cultofmac.com/170522/is-mackeeper-really-a-scam/)
### [OpinionSpy](https://www.thesafemac.com/opinionspy-is-back/)
### [Eleanor](https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)
### [Mac Defender](https://macsecurity.net/view/79-remove-mac-defender-virus-from-mac-os-x)
### [Wire Lurker](https://www.paloaltonetworks.com/resources/research/unit42-wirelurker-a-new-era-in-ios-and-os-x-malware.html)
### [KeRanger](https://techcrunch.com/2016/03/07/apple-has-shut-down-the-first-fully-functional-mac-os-x-ransomware/)
* First OSX ransomware
### [Proof-of-concept USB attack](https://www.ehackingnews.com/2016/09/a-usb-device-can-steal-credentials-from.html)
### [Dark Jedi](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
* EFI attack that exploits a vulnerability in the suspend-resume cycle; see also the [Sentinel One write-up](https://www.sentinelone.com/blog/reverse-engineering-mac-os-x/)
### [XAgent Mac Malware Used In APT-28](https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/)
* [Samples](http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html)
### [Juice Jacking](https://www.howtogeek.com/166497/htg-explains-what-is-juice-jacking-and-how-worried-should-you-be/)
### [Local Privilege Escalation for macOS 10.12.2 and XNU port Feng Shui](https://github.com/zhengmin1989/macOS-10.12.2-Exp-via-mach_voucher)

### [Ian Beer, Google Project Zero: "A deep-dive into the many flavors of IPC available on OS X."](https://www.youtube.com/watch?v=D1jNCy7-g9k)
* Deep dive into interprocess communication on OS X and its design flaws

### [PEGASUS iOS Kernel Vulnerability Explained](https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html)
### [Analysis of iOS.GuiInject Adware Library](https://www.sentinelone.com/blog/analysis-ios-guiinject-adware-library/)
### [Broadpwn](https://blog.exodusintel.com/2017/07/26/broadpwn/)
* Gaining access through the wireless subsystem

### [Reverse Engineering and Abusing Apple Call Relay Protocol](https://www.martinvigo.com/diy-spy-program-abusing-apple-call-relay-protocol/)
* Details the discovery of a vulnerability in Apple's call handoff between mobile and desktop by analyzing network traffic.

### Exploiting the Wifi Stack on Apple Devices
Google Project Zero's series of articles detailing vulnerabilities in the wireless stack used by Apple devices
* [Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)
* [Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html)
* [Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html)
* [Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html)
* [Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html)

### [ChaiOS bug](https://www.grahamcluley.com/chaios-bug-crash-ios-macos-messages/)
* A message that crashes iMessage
* Looks similar to [previous](https://arstechnica.com/gadgets/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/) [bugs](https://www.intego.com/mac-security-blog/crash-text-message-iphone/) in rendering Arabic characters

## Useful tools and guides
### [Mac@IBM](https://github.com/IBM/mac-ibm-enrollment-app)
* Mac enrollment helper provided by IBM
### [mOSL](https://github.com/0xmachos/mOSL)
* Audit and fix macOS High Sierra (10.13.x) security settings
### [Darling](https://github.com/darlinghq/darling)
* Darwin/macOS emulation layer for Linux
### [Kemon](https://github.com/didi/kemon)
* Open source kernel monitoring
### [jelbrektime](https://github.com/kai5263499/jelbrekTime)
* Developer jailbreak for Apple Watch
### [Booting Secure](http://michaellynn.github.io/2018/07/27/booting-secure/)
* Deep dive into Secure Boot on the 2018 MacBook Pro
### [Tutorial - emulate an iOS kernel in QEMU up to launchd and userspace](https://worthdoingbadly.com/xnuqemu2/)
* Tutorial on getting an iOS kernel to run in QEMU
### [xnumon](https://www.roe.ch/xnumon)
* Monitor macOS for malicious activity
* [Source](https://github.com/droe/xnumon)
### [DetectX](https://sqwarq.com/detectx/)
* Audits system artifacts to help you identify unknown and novel threats
### [Are you really signed?](https://github.com/Sentinel-One/macos-are-you-really-signed)
* Utility to test for a code-sign bypass vulnerability
### [osx security growler](https://github.com/pirate/security-growler)
* Mac menubar item that lets you know about security events on your system
301 | ### [mac-a-mal](https://github.com/phdphuc/mac-a-mal) 302 | * Automated malware analysis on macOS 303 | ### [jrswizzle](https://github.com/rentzsch/jrswizzle) 304 | * method interface exchange 305 | ### [MacDBG](https://github.com/blankwall/MacDBG) 306 | * C and Python debugging framework for OSX 307 | ### [bitcode_retriever](https://github.com/AlexDenisov/bitcode_retriever) 308 | * store and retrieve bitcode from Mach-O binary 309 | ### [machotools](https://github.com/enthought/machotools) 310 | * retrieve and change information about mach-o files 311 | ### [onyx-the-black-cat](https://github.com/acidanthera/onyx-the-black-cat) ([outdated original](https://github.com/gdbinit/onyx-the-black-cat)) 312 | * kernel module for OSX to defeat anti-debugging protection 313 | ### [create-dmg](https://github.com/andreyvit/create-dmg) 314 | * CLI utility for creating and modifying DMG files 315 | ### [dmg2iso](https://sourceforge.net/projects/dmg2iso/?source=typ_redirect) 316 | * convert dmg to iso 317 | ### [Infosec Homebrew](https://github.com/kai5263499/homebrew-infosec) 318 | * Homebrew tap for security-related utilities 319 | ### [Awesome OSX Command Line](https://github.com/herrbischoff/awesome-macos-command-line) 320 | * Collection of really useful shell commands 321 | ### [Keychain dump](https://github.com/juuso/keychaindump) 322 | * Dump keychain credentials 323 | ### [KnockKnock](https://objective-see.com/products/knockknock.html) 324 | * Listing startup items. 
Also includes VirusTotal information 325 | ### [Lingon-X](https://www.peterborgapps.com/lingon/) 326 | * GUI for launchd 327 | ### [Hopper](https://www.hopperapp.com/) 328 | * Excellent OSX debugger (requires license) 329 | ### [Symhash](https://github.com/threatstream/symhash) 330 | * Python utility for generating imphash fingerprints for OSX binaries 331 | ### [KisMac2](https://github.com/IGRSoft/KisMac2) 332 | * Wireless scanning and packet capturing 333 | ### [Passive fuzz framework](https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX) 334 | * Framework is for fuzzing OSX kernel vulnerability based on passive inline hook mechanism in kernel mode 335 | ### [Platypus](https://sveinbjorn.org/platypus) 336 | * GUI for generating .app bundles 337 | ### [createOSXinstallPkg](https://github.com/munki/createOSXinstallPkg) 338 | * CLI for generating .pkg installers 339 | ### [PoisonTap](https://github.com/samyk/poisontap) 340 | ### [Chipsec](https://github.com/chipsec/chipsec) 341 | * System firmware checker by Intel 342 | ### [Revisiting Mac OS X Kernel Rootkits by Phrack Magazine](http://phrack.org/issues/69/7.html) 343 | * A collection of OSX rootkit ideas 344 | ### [iPhone Data Protection in Depth](http://conference.hackinthebox.org/hitbsecconf2011ams/materials/D2T2%20-%20Jean-Baptiste%20Be%CC%81drune%20&%20Jean%20Sigwald%20-%20iPhone%20Data%20Protection%20in%20Depth.pdf) 345 | ### [Cycript](http://www.cycript.org/) 346 | * Remote control library for fuzz testing iOS apps 347 | ### [ChaoticMarch](https://github.com/synack/chaoticmarch) 348 | * Blackbox fuzz testing for iOS apps (requires jailbreak) 349 | ### [iOS backup decrypt script](https://stackoverflow.com/questions/1498342/how-to-decrypt-an-encrypted-apple-itunes-iphone-backup) 350 | * Contains a script for decrypting an encrypted iOS backup archive 351 | ### [Remote Packet Capture for iOS Devices](https://useyourloaf.com/blog/remote-packet-capture-for-ios-devices/) 352 | * Use a remote virtual 
interface to capture packets from a tethered iOS device 353 | * [Python utility](https://thrysoee.dk/iospcap/) 354 | * [Another python utility](https://github.com/gh2o/rvi_capture) 355 | ### [Pareto Security](https://paretosecurity.app/) 356 | * A MenuBar app to automatically audit your Mac for basic security hygiene. 357 | ### [Mana Security](https://manasecurity.com/) 358 | * Vulnerability Management app for individuals. It helps to keep macOS and installed applications updated. 359 | ### [cnspec](https://cnspec.io/) 360 | * Open source vulnerability and misconfiguration scanning for macOS hosts + much more. 361 | ### [Intro To IOS Malware Detection](https://8ksec.io/mobile-malware-analysis-part-4-intro-to-ios-malware-detection/) 362 | * iOS malware, its types, methods of gathering forensics information 363 | ### [Ipsw Walkthrough](https://8ksec.io/ipsw-walkthrough-part-1-the-swiss-army-knife-for-ios-macos-security-research/) 364 | * Part one that covers basic uses 365 | ### [Mobile CTF challenges](https://8ksec.io/battle/) 366 | 367 | ## Remote Access Toolkits 368 | ### [Empyre](https://github.com/EmpireProject/EmPyre) 369 | ### [Bella](https://github.com/kai5263499/Bella) 370 | ### [Stitch](https://nathanlopez.github.io/Stitch/) 371 | ### [Pupy](https://github.com/n1nj4sec/pupy) 372 | ### [EggShell surveillance tool](https://github.com/neoneggplant/EggShell) - Works on OSX and jailbroken iOS 373 | ### [EvilOSX](https://github.com/Marten4n6/EvilOSX) - Pure python post-exploitation toolkit 374 | 375 | ## Worth following on Twitter 376 | * [@patrickwardle](https://twitter.com/patrickwardle) 377 | * [@objective_see](https://twitter.com/objective_see) 378 | * [@0xAmit](https://twitter.com/0xAmit) 379 | * [@osxreverser](https://twitter.com/osxreverser) 380 | * [@liucoj](https://twitter.com/liucoj) 381 | * [@osxdaily](https://twitter.com/osxdaily) 382 | * [@iamevltwin](https://twitter.com/iamevltwin) 383 | * [@claud_xiao](https://twitter.com/claud_xiao) 384 | * 
[@JPoForenso](https://twitter.com/JPoForenso) 385 | * [@patrickolsen](https://twitter.com/patrickolsen) 386 | 387 | ## Other OSX Awesome lists 388 | * [ashishb/osx-and-ios-security-awesome](https://github.com/ashishb/osx-and-ios-security-awesome) 389 | --------------------------------------------------------------------------------