The course covers the following modules over five days, with hands-on exercises and guided demos:
Architectural Overview (3 hours)
- Introduction to the Architecture of macOS and iOS.
- Review of Apple's architectural diagrams and corrections for accuracy.
- Overview of iOS derivatives (TvOS, WatchOS).
- Introduction to private frameworks.
- The Darwin environment and XNU kernel.
- Hardware architecture for macOS (x86, x86_64, x86_64h) and iOS (armv8, A7+, A11).
- Apple Silicon and Rosetta II.
- Using sysctl for hardware details and MobileGestalt for software and hardware details.
Binaries (2+1 hours)
- Detailed examination of the Mach-O file format.
- Types of Mach-O files: Executables, bundles, dylibs, kexts, cores.
- Load commands, LC_SEGMENT[64], and process virtual memory setup.
- DYLD dependencies, code signing, and code encryption.
- Tools like otool(1) and JTool2 for static analysis.
- Exercises include analysing user-mode malware or other binaries and defeating code encryption in iOS.
Advanced Mach-O and DYLD (2+2 hours)
- Exploring lesser-known aspects of DYLD, Mach-O Loader, and loader opcodes.
- Dynamic linking, rebasing chains, and DYLD callbacks.
- Exercises include extending and hacking DYLD.
Debugging and Tracing Techniques (2+1 hours)
- Built-in tools for debugging and profiling macOS/iOS processes.
- Using LLDB, malloc_history, vmmap, sc_usage, and other tracing tools.
- Endpoint Security Framework and DTrace for macOS.
- Exercises include using KDebug, Process Explorer, and creating filters.
Launchd and XPC (2+1 hours)
- Describing macOS and iOS startup via launchd, LaunchDaemons, and LaunchAgents.
- Malware persistence through Launchd.
- Introduction to Mach ports, Mach services, and XPC APIs.
- Exercises include listing Mach and XPC endpoints, and adding a LaunchDaemon or LaunchAgent.
Mach Primitives and IPC (3+2 hours)
- Core concepts of XNU and Mach kernel, tasks, threads, and message passing.
- Remote code injection using Mach APIs.
- Exercises include enumerating Mach tasks and using Mach APIs for thread injection.
XNU Kernel, Up Close (1 hour)
- Detailed look at the XNU kernel, source tree layout, and compiling options.
- Reverse engineering without XNU source code (iOS).
- Introduction to the Kernel Debug Kit.
Programming KEXTs and DEXTs (1+1 hours)
- Architecture of Kernel Extensions (KEXTs) and Driver Extensions (DEXTs).
- Commands for managing KEXTs: kextstat, kextutil, and kmutil.
- OSKext* APIs and dependency handling.
- Exercises include building a KEXT and using OSKext APIs for kernel memory inspection.
I/O Kit (2+2 hours)
- In-depth exploration of I/O Kit, object-oriented driver runtime in XNU.
- IOUserClients, IOConnectCall* methods, and I/O Registry.
- Exercises include reverse engineering I/O Kit kernel modules and creating a simple fuzzer.
The Network Stack (Optional) (1+1 hours)
- Layer-by-layer discussion of the BSD-based network stack in macOS/iOS.
- Protocol implementations, interface filters, and Berkeley Packet Filter (BPF).
- Exercises include installing packet filters and intercepting connections.
Security (4 hours)
- Detailed look at macOS and iOS security mechanisms like AppleMobileFileIntegrity and the Sandbox kernel extensions.
- Code signing, entitlement handling, quarantine, and Gatekeeper.
- Detailed deconstruction of malware examples, including the NSO Group’s “Pegasus” for iOS.
- Exercises include analysis of student-provided malware samples.
