osx & ios re 101
==========

Work in progress as I am actively collecting these.

#### Must read

- https://reverse.put.as/
- https://blog.paloaltonetworks.com/tag/mac-os-x/
- https://www.synack.com/blog/r-d-projects/os-x-security-research/
- https://pewpewthespells.com/re.html
- https://github.com/bx/machO-tools
- https://github.com/kpwn/iOSRE

#### Keep these handy

- "OSX Mach-O File Format Reference" https://pewpewthespells.com/re/Mach-O_File_Format.pdf
- "OSX ABI" https://pewpewthespells.com/re/Mac_OS_X_ABI_Function_Calls.pdf
- Mach-O structures https://opensource.apple.com/source/xnu/xnu-2050.18.24/EXTERNAL_HEADERS/mach-o/loader.h
- "OSX BSD system calls" https://sigsegv.pl/osx-bsd-syscalls/
- https://opensource.apple.com/source/xnu/xnu-2050.18.24/bsd/kern/syscalls.master

#### Basics

- "Universal Binary: The Mach-O file format" https://cocoaintheshell.whine.fr/2009/07/universal-binary-mach-o-format/
- "Basics of the Mach-O file format" https://samhuri.net/posts/2010/01/basics-of-the-mach-o-file-format/
- "How OS X Executes Applications" http://0xfe.blogspot.de/2006/03/how-os-x-executes-applications.html
- "Infecting Mach-O object format" https://papers.put.as/papers/macosx/2005/mach-o_infection.ppt
- "Under the iHood" https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-hotchkies.pdf
- "Dissection of minimal Intel 32-bits, 204 bytes, Mach-O "Hello World" executable file" http://seriot.ch/hello_macho.php
- "Crafting a Tiny Mach-O Executable" http://osxbook.com/blog/2009/03/15/crafting-a-tiny-mach-o-executable/
- "Parsing Mach-O files" http://lowlevelbits.org/parse-mach-o-files/
- "ELF vs. Mach-O" http://timetobleed.com/dynamic-linking-elf-vs-mach-o/
- "ELF vs. Mach-O 2" http://timetobleed.com/dynamic-symbol-table-duel-elf-vs-mach-o-round-2/
- "NASM Hello World for x86 and x86_64 Intel Mac OS X" https://gist.github.com/FiloSottile/7125822
- "Reverse Engineering the OS: A Practical Guide" https://www.youtube.com/watch?v=uQWH55yIgYU

#### Malware, Anti-debugging, infection techniques, obfuscation, and encryption

- "Infecting Mach-O" http://nicolascormier.com/documentation/security/Infecting_Mach-O_Files.pdf
- "Abusing the Mach-O format" http://cocoaintheshell.com/2009/10/abusing-mach-o
- "Multi-Platform Viruses Made Easy - A Case Study" http://vxer.org/lib/vjp00.html
- "Running executables on macOS from memory" https://blog.cylance.com/running-executables-on-macos-from-memory
- macos_execute_from_memory https://github.com/prsecurity/macos_execute_from_memory/blob/master/main.c
- "Understanding Apple's Binary Protection in Mac OS X" http://osxbook.com/book/bonus/chapter7/binaryprotection/
- "Macs get sick too" http://www.irongeek.com/i.php?page=videos/derbycon6/104-macs-get-sick-too-tyler-halfpop-jacob-soo
- "A Peek Under the Hood of iOS Malware" http://webdiis.unizar.es/~ricardo/files/papers/GR-WMA-16.pdf
- "Crafting macOS Rootkits" https://www.zdziarski.com/blog/wp-content/uploads/2017/02/Crafting-macOS-Root-Kits.pdf
- "Revisiting Mac OS X Kernel Rootkits" http://phrack.org/issues/69/7.html#article
- "Methods of malware persistence on Mac OS X" https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- "Let's Play: Practical OS X Malware Detection & Analysis" https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

#### Various research & tutorials

- "Reversing and Keygenning qwertyoruiop's Crackme" https://reverse.put.as/2018/10/06/reversing-and-keygenning-qwertyoruiop-crackme/
- "Cracking Tutorial #1 - "Sandwich" CrackMe" http://reverse.put.as/wp-content/uploads/2012/06/Sandwich_crackme_tut_qwertyoruiop.txt
- "Solving crackmes with LDPRELOAD" http://radare.today/solving-crackmes-with-ldpreload/
- "Analyzing Binaries with Hopper's Decompiler" http://abad1dea.tumblr.com/post/23487860422/analyzing-binaries-with-hoppers-decompiler
- "Reverse Engineering Hopper Disassembler v3.9.9" https://www.youtube.com/watch?v=pCITcLqgS9Q
- "Reverse-Engineering iOS Apps: Hacking on Lyft" https://realm.io/news/conrad-kramer-reverse-engineering-ios-apps-lyft/
- "Jailbreak iOS 8.1.2 and Analyze Related Exploits" http://proteaswang.blogspot.com/2017/04/jailbreak-ios-812-and-analyze-related.html
- "Attacking The XNU Kernel in El Capitan" https://www.blackhat.com/docs/eu-15/materials/eu-15-Todesco-Attacking-The-XNU-Kernal-In-El-Capitain.pdf
- "Shooting the OSX El Capitan Kernel Like a Sniper" https://speakerdeck.com/flankerhqd/shooting-the-osx-el-capitan-kernel-like-a-sniper
- "The Italian morons are back! What are they up to this time?" https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/
- "The Journey of a complete OSX privilege escalation with a single vulnerability - Part 1" http://keenlab.tencent.com/en/2016/07/29/The-Journey-of-a-complete-OSX-privilege-escalation-with-a-single-vulnerability-Part-1/
- "iOS 10 Kernel Heap Revisited" http://gsec.hitb.org/materials/sg2016/D2%20-%20Stefan%20Esser%20-%20iOS%2010%20Kernel%20Heap%20Revisited.pdf
- "Who needs decrypted kernels anyways?" http://blog.offcellresearch.com/security/apple/ios/kernel/2016/08/23/who-needs-decrypted-kernels-anyways.html
- "Mac OS X Privilege Escalation via Use-After-Free: CVE-2016-1828" https://bazad.github.io/2016/05/mac-os-x-use-after-free/
- "PEGASUS iOS Kernel Vulnerability Explained" http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
- "Behind the Scenes with iOS Security" https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
- "The Apple Sandbox: Deeper Into The Quagmire" https://www.youtube.com/watch?v=mG715HcDgO8
- "A deep-dive into the many flavors of IPC available on OS X." https://vimeo.com/127859750
- "Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10" http://powerofcommunity.net/poc2016/pangu.pdf
- "Fried Apples: Jailbreak DIY" https://speakerdeck.com/mbazaliy/fried-apples-jailbreak-diy
- "Reversing a macOS Kernel Extension" (DSMOS) http://lightbulbone.com/2016/10/04/intro-to-macos-kernel-debugging.html
- "Demystifying the Secure Enclave Processor" http://mista.nu/research/sep-paper.pdf
- "Leveraging Apple's Game Engine to Detect macOS Threats" https://objectivebythesea.com/v1/talks/OBTS_v1_Malm_Stein.pdf
- "Get Cozy with OpenBSM Auditing" https://objective-see.com/talks/Wardle_ShmooCon2018.pdf
- "Real-time auditing on macOS with OpenBSM" https://meliot.me/2017/07/02/mac-os-real-time-auditing/

#### Kernel extension (KEXT) development

- "KEXT Controls and Notifications" https://developer.apple.com/library/content/documentation/Darwin/Conceptual/NKEConceptual/control/control.html
- "Network Kernel Extensions Reference" https://developer.apple.com/library/content/documentation/Darwin/Conceptual/NKEConceptual/reference/reference.html#//apple_ref/doc/uid/TP40001858-CH232-BBAGGGED
- "Working with TrustedBSD in Mac OS X" https://sysdev.me/trusted-bsd-in-osx/
- "BUILDING AN APPLE OSX KERNEL MODULE WITH CMAKE – C/C" http://www.goodbits.ca/index.php/2017/09/25/building-an-apple-osx-kernel-module-with-cmake-cc/
- "Debugging macOS Kernel using VirtualBox" https://klue.github.io/blog/2017/04/macos_kernel_debugging_vbox/
- "Remote Kext Debugging" https://rednaga.io/2017/04/09/remote_kext_debugging/
- "Introduction to macOS Kernel Debugging" https://lightbulbone.com/posts/2016/10/intro-to-macos-kernel-debugging/
- "Kernel debugging with LLDB and VMWare Fusion" http://ddeville.me/2015/08/kernel-debugging-with-lldb-and-vmware-fusion
- "Monitoring Process Creation via the Kernel (Part I)" https://objective-see.com/blog.html#blogEntry9
- "Monitoring Process Creation via the Kernel (Part II)" https://objective-see.com/blog/blog_0x0A.html
- "Monitoring Process Creation via the Kernel (Part III)" https://objective-see.com/blog/blog_0x0B.html
- "Monitoring macOS, Part I: Monitoring Process Execution via MACF" https://www.fortinet.com/blog/threat-research/monitoring-macos--part-i--monitoring-process-execution-via-macf.html
- "Monitoring macOS, Part II: Monitoring File System Events and Dylib Loading via MACF" https://www.fortinet.com/blog/threat-research/monitor-file-system-events-and-dylib-loading-via-macf-on-macos.html
- "Monitoring macOS, Part III: Monitoring Network Activities Using Socket Filters" https://www.fortinet.com/blog/threat-research/monitoring-macos--part-iii--monitoring-network-activities-using-.html
- "A binary whitelisting/blacklisting system for Mac OS X" https://github.com/google/santa

#### Other

- "The Python bites your apple - fuzzing and exploiting OSX Kernel bugs" https://speakerdeck.com/flankerhqd/the-python-bites-your-apple-fuzzing-and-exploiting-osx-kernel-bugs
- "Artefacts and tricks for Mac OS X" http://sud0man.blogspot.fr/2015/05/artefacts-for-mac-os-x.html?m=1
- "Collection of forensics artifacts location for Mac OS X and iOS" https://github.com/pstirparo/mac4n6
- "New macOS Sierra (10.12) Forensic Artifacts – Introducing Unified Logging" https://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts-introducing-unified-logging
- "A curated list of shell commands and tools specific to OS X" https://github.com/herrbischoff/awesome-osx-command-line
- "OS X Security and Privacy Guide" https://github.com/drduh/OS-X-Security-and-Privacy-Guide
- "A launchd tutorial" http://launchd.info/
- https://objective-see.com/index.html
- "OS X malloc introspection tool" https://github.com/blankwall/MacHeap
- "MacOS Hardening Guide" http://newosxbook.com/files/moxii3/AppendixA.pdf by Jonathan Levin
- "Checkout4Mac" http://sud0man.blogspot.sk/2016/10/new-version-of-checkout4mac-02.html
- "OSX kernel fuzzer" https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX
- "iOS instrumentation without jailbreak" https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/
- "MacOS monitoring the open source way" https://blogs.dropbox.com/tech/2018/04/4696/
- "Mac OS X El Capitan (10.11) and task_for_pid()" https://attilathedud.me/mac-os-x-el-capitan-10-11-and-task_for_pid/

#### Crackmes and challenges

- https://reverse.put.as/crackmes/
- "Exercises" section in http://beginners.re/Reverse_Engineering_for_Beginners-en.pdf

#### Books

- "The Mac Hacker's Handbook" by Charlie Miller, Dino Dai Zovi
- "Mac OS X and iOS Internals: To the Apple's Core" by Jonathan Levin
- "Mac OS X Internals: A Systems Approach" by Amit Singh
- "iOS App Reverse Engineering" https://github.com/iosre/iOSAppReverseEngineering
- "iOS Hacker's Handbook" by Charlie Miller, Dion Blazakis, Dino Dai Zovi, Stefan Esser, Vincenzo Iozzo, Ralf-Philip Weinmann
- "Hacking and Securing iOS Applications" by Jonathan Zdziarski