The Art of Mac Malware: The Guide to Analyzing Malicious Software
- Length: 328 pages
- Edition: 1
- Language: English
- Publisher: No Starch Press
- Publication Date: 2022-06-14
- ISBN-10: 1718501943
- ISBN-13: 9781718501942
A comprehensive guide to the threats facing Apple computers and the foundational knowledge needed to become a proficient Mac malware analyst.
Defenders must fully understand how malicious software works if they hope to stay ahead of the increasingly sophisticated threats facing Apple products today. The Art of Mac Malware: The Guide to Analyzing Malicious Software is a comprehensive handbook to cracking open these malicious programs and seeing what’s inside.
Discover the secrets of nation-state backdoors, destructive ransomware, and subversive cryptocurrency miners as you uncover their infection methods, persistence strategies, and insidious capabilities. Then work with and extend foundational reverse-engineering tools to extract and decrypt embedded strings, unpack protected Mach-O malware, and even reconstruct binary code. Next, using a debugger, you’ll execute the malware, instruction by instruction, to discover exactly how it operates. In the book’s final section, you’ll put these lessons into practice by analyzing a complex Mac malware specimen on your own.
You’ll learn to:
- Recognize common infection vectors, persistence mechanisms, and payloads leveraged by Mac malware
- Triage unknown samples in order to quickly classify them as benign or malicious
- Work with static analysis tools, including disassemblers, in order to study malicious scripts and compiled binaries
- Leverage dynamic analysis tools, such as monitoring tools and debuggers, to gain further insight into sophisticated threats
- Quickly identify and bypass anti-analysis techniques aimed at thwarting your analysis attempts
A former NSA hacker and current leader in the field of macOS threat analysis, Patrick Wardle uses real-world examples pulled from his original research. The Art of Mac Malware: The Guide to Analyzing Malicious Software is the definitive resource for battling these ever more prevalent and insidious Apple-focused threats.
Table of Contents
Title Page
Copyright
Dedication
About the Author
Foreword
Acknowledgments
Introduction
- Who Should Read This Book?
- What You’ll Find in This Book
- A Note on Mac Malware Terminology
- A Note on Safely Analyzing Malware
- Additional Resources
  - Books
  - Websites
- Downloading This Book’s Malware Specimens
- Endnotes
Part I: Mac Malware Basics
Chapter 1: Infection Vectors
- Mac Protections
- Malicious Emails
- Fake Tech and Support
- Fake Updates
- Fake Applications
- Trojanized Applications
- Pirated and Cracked Applications
- Custom URL Schemes
- Office Macros
- Xcode Projects
- Supply Chain Attacks
- Account Compromises of Remote Services
- Exploits
- Physical Access
- Up Next
- Endnotes
Chapter 2: Persistence
- Login Items
- Launch Agents and Daemons
- Scheduled Jobs and Tasks
  - Cron Jobs
  - At Jobs
  - Periodic Scripts
- Login and Logout Hooks
- Dynamic Libraries
  - DYLD_* Environment Variables
  - Dylib Proxying
  - Dylib Hijacking
- Plug-ins
- Scripts
- Event Monitor Rules
- Reopened Applications
- Application and Binary Modifications
- KnockKnock . . . Who’s There?
- Up Next
- Endnotes
Chapter 3: Capabilities
- Categorizing Mac Malware Capabilities
- Survey and Reconnaissance
- Privilege Escalation
  - Escaping Sandboxes
  - Gaining Root Privileges
- Adware-Related Hijacks and Injections
- Cryptocurrency Miners
- Remote Shells
- Remote Process and Memory Execution
- Remote Download and Upload
- File Encryption
- Stealth
- Other Capabilities
- Up Next
- Endnotes
Part II: Mac Malware Analysis
Chapter 4: Nonbinary Analysis
- Identifying File Types
- Extracting Malicious Files from Distribution Packaging
  - Apple Disk Images (.dmg)
  - Packages (.pkg)
- Analyzing Scripts
  - Bash Shell Scripts
  - Python Scripts
  - AppleScript
  - Perl Scripts
- Microsoft Office Documents
- Applications
- Up Next
- Endnotes
Chapter 5: Binary Triage
- The Mach-O File Format
  - The Header
  - The Load Commands
  - The Data Segment
- Classifying Mach-O Files
  - Hashes
  - Code-Signing Information
  - Strings
  - Objective-C Class Information
- “Nonbinary” Binaries
  - Identifying the Tool Used to Build the Binary
  - Extracting the Nonbinary Component
- Up Next
- Endnotes
Chapter 6: Disassembly and Decompilation
- Assembly Language Basics
  - Registers
  - Assembly Instructions
  - Calling Conventions
  - The objc_msgSend Function
- Disassembly
  - Objective-C Disassembly
  - Swift Disassembly
  - C/C++ Disassembly
  - Control Flow Disassembly
- Decompilation
- Reverse Engineering with Hopper
  - Creating a Binary to Analyze
  - Loading the Binary
  - Exploring the Interface
  - Viewing the Disassembly
  - Changing the Display Mode
- Up Next
- Endnotes
Chapter 7: Dynamic Analysis Tools
- Process Monitoring
  - The ProcessMonitor Utility
- File Monitoring
  - The fs_usage Utility
  - The FileMonitor Utility
- Network Monitoring
  - macOS’s Network Status Monitors
  - The Netiquette Utility
  - Network Traffic Monitors
- Up Next
- Endnotes
Chapter 8: Debugging
- Why You Need a Debugger
- The LLDB Debugger
  - Starting a Debugger Session
  - Controlling Execution
  - Using Breakpoints
  - Examining All the Things
  - Modifying Process State
  - LLDB Scripting
- A Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store Application
- Up Next
- Endnotes
Chapter 9: Anti-Analysis
- Anti-Static-Analysis Approaches
  - Sensitive Strings Disguised as Constants
  - Encrypted Strings
  - Locating Obfuscated Strings
  - Finding the Deobfuscation Code
  - String Deobfuscation via a Hopper Script
  - Forcing the Malware to Execute Its Decryption Routine
  - Code-Level Obfuscations
  - Bypassing Packed Binary Code
  - Decrypting Encrypted Binaries
- Anti-Dynamic-Analysis Approaches
  - Checking the System Model Name
  - Counting the System’s Logical and Physical CPUs
  - Checking the System’s MAC Address
  - Checking System Integrity Protection Status
  - Detecting or Killing Specific Tools
  - Detecting a Debugger
  - Preventing Debugging with ptrace
- Bypassing Anti-Dynamic-Analysis Logic
  - Modifying the Execution Environment
  - Patching the Binary Image
  - Modifying the Malware’s Instruction Pointer
  - Modifying a Register Value
- A Remaining Challenge: Environmentally Generated Keys
- Up Next
- Endnotes
Part III: Analyzing EvilQuest
Chapter 10: EvilQuest’s Infection, Triage, and Deobfuscation
- The Infection Vector
- Triage
  - Confirming the File Type
  - Extracting the Contents
  - Exploring the Package
  - Extracting Embedded Information from the patch Binary
- Analyzing the Command Line Parameters
  - --silent
  - --noroot
  - --ignrp
- Analyzing Anti-Analysis Logic
  - Virtual Machine–Thwarting Logic?
  - Debugging-Thwarting Logic
- Obfuscated Strings
- Up Next
- Endnotes
Chapter 11: EvilQuest’s Persistence and Core Functionality Analysis
- Persistence
  - Killing Unwanted Processes
  - Making Copies of Itself
  - Persisting the Copies as Launch Items
  - Starting the Launch Items
- The Repersistence Logic
- The Local Viral Infection Logic
  - Listing Candidate Files for Infection
  - Checking Whether to Infect Each File
  - Infecting Target Files
  - Executing and Repersisting from Infected Files
  - Executing the Infected File’s Original Code
- The Remote Communications Logic
  - The Mediator and Command and Control Servers
  - Remote Tasking Logic
    - react_exec (0x1)
    - react_save (0x2)
    - react_start (0x4)
    - react_keys (0x8)
    - react_ping (0x10)
    - react_host (0x20)
    - react_scmd (0x40)
- The File Exfiltration Logic
  - Directory Listing Exfiltration
  - Certificate and Cryptocurrency File Exfiltration
- File Encryption Logic
- EvilQuest Updates
  - Better Anti-Analysis Logic
  - Modified Server Addresses
  - A Longer List of Security Tools to Terminate
  - New Persistence Paths
  - A Personal Shoutout
  - Better Functions
  - Removed Ransomware Logic
- Conclusion
- Endnotes
Index
How to download the source code?
1. Go to: https://nostarch.com/
2. Search for the book title: The Art of Mac Malware: The Guide to Analyzing Malicious Software (if the full title returns no results, search for the main title only)
3. Click the book title in the search results
4. Download the source code.