Index
  • Title Page
  • Copyright
  • Dedication
  • About the Author
  • Foreword
  • Acknowledgments
  • Introduction
    • Who Should Read This Book?
    • What You’ll Find in This Book
    • A Note on Mac Malware Terminology
    • A Note on Safely Analyzing Malware
    • Additional Resources
      • Books
      • Websites
    • Downloading This Book’s Malware Specimens
    • Endnotes

Part I: Mac Malware Basics

Chapter 1: Infection Vectors
  • Mac Protections
  • Malicious Emails
  • Fake Tech and Support
  • Fake Updates
  • Fake Applications
  • Trojanized Applications
  • Pirated and Cracked Applications
  • Custom URL Schemes
  • Office Macros
  • Xcode Projects
  • Supply Chain Attacks
  • Account Compromises of Remote Services
  • Exploits
  • Physical Access
  • Up Next
  • Endnotes

Chapter 2: Persistence
  • Login Items
  • Launch Agents and Daemons
  • Scheduled Jobs and Tasks
    • Cron Jobs
    • At Jobs
    • Periodic Scripts
  • Login and Logout Hooks
  • Dynamic Libraries
    • DYLD_* Environment Variables
    • Dylib Proxying
    • Dylib Hijacking
  • Plug-ins
  • Scripts
  • Event Monitor Rules
  • Reopened Applications
  • Application and Binary Modifications
  • KnockKnock . . . Who’s There?
  • Up Next
  • Endnotes

Chapter 3: Capabilities
  • Categorizing Mac Malware Capabilities
  • Survey and Reconnaissance
  • Privilege Escalation
    • Escaping Sandboxes
    • Gaining Root Privileges
  • Adware-Related Hijacks and Injections
  • Cryptocurrency Miners
  • Remote Shells
  • Remote Process and Memory Execution
  • Remote Download and Upload
  • File Encryption
  • Stealth
  • Other Capabilities
  • Up Next
  • Endnotes

Part II: Mac Malware Analysis

Chapter 4: Nonbinary Analysis
  • Identifying File Types
  • Extracting Malicious Files from Distribution Packaging
    • Apple Disk Images (.dmg)
    • Packages (.pkg)
  • Analyzing Scripts
    • Bash Shell Scripts
    • Python Scripts
    • AppleScript
    • Perl Scripts
  • Microsoft Office Documents
  • Applications
  • Up Next
  • Endnotes

Chapter 5: Binary Triage
  • The Mach-O File Format
    • The Header
    • The Load Commands
    • The Data Segment
  • Classifying Mach-O Files
    • Hashes
    • Code-Signing Information
    • Strings
    • Objective-C Class Information
  • “Nonbinary” Binaries
    • Identifying the Tool Used to Build the Binary
    • Extracting the Nonbinary Component
  • Up Next
  • Endnotes

Chapter 6: Disassembly and Decompilation
  • Assembly Language Basics
    • Registers
    • Assembly Instructions
    • Calling Conventions
    • The objc_msgSend Function
  • Disassembly
    • Objective-C Disassembly
    • Swift Disassembly
    • C/C++ Disassembly
    • Control Flow Disassembly
  • Decompilation
  • Reverse Engineering with Hopper
    • Creating a Binary to Analyze
    • Loading the Binary
    • Exploring the Interface
    • Viewing the Disassembly
    • Changing the Display Mode
  • Up Next
  • Endnotes

Chapter 7: Dynamic Analysis Tools
  • Process Monitoring
    • The ProcessMonitor Utility
  • File Monitoring
    • The fs_usage Utility
    • The FileMonitor Utility
  • Network Monitoring
    • macOS’s Network Status Monitors
    • The Netiquette Utility
    • Network Traffic Monitors
  • Up Next
  • Endnotes

Chapter 8: Debugging
  • Why You Need a Debugger
  • The LLDB Debugger
    • Starting a Debugger Session
    • Controlling Execution
    • Using Breakpoints
    • Examining All the Things
    • Modifying Process State
  • LLDB Scripting
  • A Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store Application
  • Up Next
  • Endnotes

Chapter 9: Anti-Analysis
  • Anti-Static-Analysis Approaches
    • Sensitive Strings Disguised as Constants
    • Encrypted Strings
    • Locating Obfuscated Strings
    • Finding the Deobfuscation Code
    • String Deobfuscation via a Hopper Script
    • Forcing the Malware to Execute Its Decryption Routine
    • Code-Level Obfuscations
    • Bypassing Packed Binary Code
    • Decrypting Encrypted Binaries
  • Anti-Dynamic-Analysis Approaches
    • Checking the System Model Name
    • Counting the System’s Logical and Physical CPUs
    • Checking the System’s MAC Address
    • Checking System Integrity Protection Status
    • Detecting or Killing Specific Tools
    • Detecting a Debugger
    • Preventing Debugging with ptrace
  • Bypassing Anti-Dynamic-Analysis Logic
    • Modifying the Execution Environment
    • Patching the Binary Image
    • Modifying the Malware’s Instruction Pointer
    • Modifying a Register Value
  • A Remaining Challenge: Environmentally Generated Keys
  • Up Next
  • Endnotes

Part III: Analyzing EvilQuest

Chapter 10: EvilQuest’s Infection, Triage, and Deobfuscation
  • The Infection Vector
  • Triage
    • Confirming the File Type
    • Extracting the Contents
    • Exploring the Package
  • Extracting Embedded Information from the patch Binary
  • Analyzing the Command Line Parameters
    • --silent
    • --noroot
    • --ignrp
  • Analyzing Anti-Analysis Logic
    • Virtual Machine–Thwarting Logic?
    • Debugging-Thwarting Logic
    • Obfuscated Strings
  • Up Next
  • Endnotes

Chapter 11: EvilQuest’s Persistence and Core Functionality Analysis
  • Persistence
    • Killing Unwanted Processes
    • Making Copies of Itself
    • Persisting the Copies as Launch Items
    • Starting the Launch Items
  • The Repersistence Logic
  • The Local Viral Infection Logic
    • Listing Candidate Files for Infection
    • Checking Whether to Infect Each File
    • Infecting Target Files
    • Executing and Repersisting from Infected Files
    • Executing the Infected File’s Original Code
  • The Remote Communications Logic
    • The Mediator and Command and Control Servers
    • Remote Tasking Logic
      • react_exec (0x1)
      • react_save (0x2)
      • react_start (0x4)
      • react_keys (0x8)
      • react_ping (0x10)
      • react_host (0x20)
      • react_scmd (0x40)
  • The File Exfiltration Logic
    • Directory Listing Exfiltration
    • Certificate and Cryptocurrency File Exfiltration
  • File Encryption Logic
  • EvilQuest Updates
    • Better Anti-Analysis Logic
    • Modified Server Addresses
    • A Longer List of Security Tools to Terminate
    • New Persistence Paths
    • A Personal Shoutout
    • Better Functions
    • Removed Ransomware Logic

Conclusion
  • Endnotes
Index