Mac OS Internals

• Knowledge of macOS at a user level, including user-mode programming.
• Familiarity with x86_64 and/or ARM64 is highly recommended.
• Bring your own Mac or jailbroken i-Device.

Target Audience

• Reverse Engineers
• Security Researchers
• Malware Researchers
• Forensics Experts

Particularly those interested in macOS and iOS and reverse engineering techniques specific to Apple’s operating systems.

• Understand the process of binary linking and loading.
• Reverse engineer and analyse Mach-O binaries.
• Reverse engineer Objective-C and Swift code.
• Use Apple’s documented and undocumented APIs for tracing and debugging.
• Explain, interface with, and hook kernel system calls.
• Identify and explain common malware techniques.
• Understand attack surfaces in macOS and iOS, particularly in the kernel, kexts (I/O Kit), and system daemons.

The course covers the following modules over five days, with hands-on exercises and guided demos:

Architectural Overview (3 hours)

• Introduction to the Architecture of macOS and iOS.
• Review of Apple's architectural diagrams and corrections for accuracy.
• Overview of iOS derivatives (TvOS, WatchOS).
• Introduction to private frameworks.
• The Darwin environment and XNU kernel.
• Hardware architecture for macOS (x86, x86_64, x86_64h) and iOS (armv8, A7+, A11).
• Apple Silicon and Rosetta II.
• Using sysctl for hardware details and MobileGestalt for software and hardware details.

Binaries (2+1 hours)

• Detailed examination of the Mach-O file format.
• Types of Mach-O files: Executables, bundles, dylibs, kexts, cores.
• Load commands, LC_SEGMENT[64], and process virtual memory setup.
• DYLD dependencies, code signing, and code encryption.
• Tools like otool(1) and JTool2 for static analysis.
• Exercises include analysing user-mode malware or other binaries and defeating code encryption in iOS.

Advanced Mach-O and DYLD (2+2 hours)

• Exploring lesser-known aspects of DYLD, Mach-O Loader, and loader opcodes.
• Dynamic linking, rebasing chains, and DYLD callbacks.
• Exercises include extending and hacking DYLD.

Debugging and Tracing Techniques (2+1 hours)

• Built-in tools for debugging and profiling macOS/iOS processes.
• Using LLDB, malloc_history, vmmap, sc_usage, and other tracing tools.
• Endpoint Security Framework and DTrace for macOS.
• Exercises include using KDebug, Process Explorer, and creating filters.

Launchd and XPC (2+1 hours)

• Describing macOS and iOS startup via launchd, LaunchDaemons, and LaunchAgents.
• Malware persistence through Launchd.
• Introduction to Mach ports, Mach services, and XPC APIs.
• Exercises include listing Mach and XPC endpoints, and adding a LaunchDaemon or LaunchAgent.

Mach Primitives and IPC (3+2 hours)

• Core concepts of XNU and Mach kernel, tasks, threads, and message passing.
• Remote code injection using Mach APIs.
• Exercises include enumerating Mach tasks and using Mach APIs for thread injection.

XNU Kernel, Up Close (1 hour)

• Detailed look at the XNU kernel, source tree layout, and compiling options.
• Reverse engineering without XNU source code (iOS).
• Introduction to the Kernel Debug Kit.

Programming KEXTs and DEXTs (1+1 hours)

• Architecture of Kernel Extensions (KEXTs) and Driver Extensions (DEXTs).
• Commands for managing KEXTs: kextstat, kextutil, and kmutil.
• OSKext* APIs and dependency handling.
• Exercises include building a KEXT and using OSKext APIs for kernel memory inspection.

I/O Kit (2+2 hours)

• In-depth exploration of I/O Kit, object-oriented driver runtime in XNU.
• IOUserClients, IOConnectCall* methods, and I/O Registry.
• Exercises include reverse engineering I/O Kit kernel modules and creating a simple fuzzer.

The Network Stack (Optional) (1+1 hours)

• Layer-by-layer discussion of the BSD-based network stack in macOS/iOS.
• Protocol implementations, interface filters, and Berkeley Packet Filter (BPF).
• Exercises include installing packet filters and intercepting connections.

Security (4 hours)

• Detailed look at macOS and iOS security mechanisms like AppleMobileFileIntegrity and the Sandbox kernel extensions.
• Code signing, entitlement handling, quarantine, and Gatekeeper.
• Detailed deconstruction of malware examples, including the NSO Group’s “Pegasus” for iOS.
• Exercises include analysis of student-provided malware samples.