UTM
utmconfigs

MallocStackLogging=1 ./titanagent
sudo heap -guessNonObjects -sort $(pgrep titanagent)

macos_ventura_note.md

CODE_SIGNING_MONITOR
xnu/bsd/kern/kern_codesigning.c

drop 32bit arm

xnu/bsd/sys/constrained_ctypes.h
xnu/bsd/sys/kdebug_triage.h
xnu/bsd/sys/trust_caches.h

xnu/config/MasterVersion
xnu/doc/memorystatus/overview.md

xnu/doc/sched_cond.md
Atomic Condition Variables for Thread Synchronization

xnu/osfmk/kern/cambria_layout.h

[+] xnu/osfmk/kern/iotrace.h

xnu/osfmk/kern/smr.c
SMR clocks have 3 state machines interacting at any given time

kdebug_note.md

sudo ktrace trace -sS -p 62872 | grep test

export PATH=$PATH:/Applications/Xcode.app/Contents/Applications/Instruments.app/Contents/MacOS
instruments -d result.trace -t 'System Trace' /bin/ls
open result.trace

sudo ./kdv 23960 | grep BSC_

sudo ktrace trace -p 62872

sudo ktrace setopt -x 62872
sudo ktrace dump -T1 -p 62872

The filter on dump seems to have no effect
ktrace dump trace001.trace
ktrace trace -R trace001.trace -p firefox
Is the only way to dump first and then filter???

https://github.com/nowsecure/fsmon

sudo ktrace setopt -x firefox
sudo ktrace dump -p firefox

bash inject

sudo mv /bin/bash /bin/bash_old
Password:
mv: rename /bin/bash to /bin/bash_old: Operation not permitted

macOS probably does not allow bash injection this way (SIP protects /bin/bash)

Get the CFBundleIdentifier of a running process

sudo launchctl procinfo 48339 | grep CFBundleIdentifier | head -n1 | awk '{print $3}'

List bundle IDs and open an application by bundle ID

/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep identifier: | awk '{print $2}' | sort -u
open -b com.apple.Console # Console
open -b com.apple.grapher
open -b com.netease.163music
open -b com.tencent.qq
open -b com.google.Chrome
open -b com.kingsoft.wpsoffice.mac
open -b com.apple.Dictionary
open -b com.apple.DigitalColorMeter
open -b com.apple.FontBook
open -b com.apple.Preview
open -b com.apple.calculator
open -b com.apple.dt.Instruments
open -b com.apple.finder
open -b com.xunlei.Thunder
open -b com.apple.TextEdit

macOS dynamic libraries

tapi - Text-based Stubs Tool
TAPI can generate text-based stub files (.tbd) from existing Mach-O
libraries or parse the headers of a framework and infer the text-based
stub file from it.

vtool – Mach-O version number utility
The vtool utility displays and edits build and source version numbers
embedded in the Mach-O(5) file format.
vtool -show /opt/homebrew/opt/qt/lib/QtSvg.framework/QtSvg | grep minos
vtool -show /opt/homebrew/opt/qt/lib/QtSvg.framework/QtSvg

Network.framework

https://developer.apple.com/documentation/network
https://developer.apple.com/documentation/network/implementing_netcat_with_network_framework
https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools

clang -framework Network -framework Security main.c -o nwcat

Some parts of CF (CoreFoundation) in Apple's open-source releases are not open-sourced, for example the Notification implementation

KDebug

https://github.com/matan1008/pykdebugparser

pip install pykdebugparser
sudo ktrace dump -p pid
pykdebugparser kevents trace001.ktrace

# The filter on dump seems to have no effect
ktrace dump trace001.trace
ktrace trace -R trace001.trace -p firefox
# Is the only way to dump first and then filter???

https://github.com/per-gron/shuriken/tree/master/src/shk-trace
https://github.com/dlevi309/kdebugView
https://github.com/nowsecure/fsmon

https://stackoverflow.com/questions/72549332/macos-ktrace-t-c-system-call-tracing-available-on-newer-macos

sudo ktrace trace -s -S -t c -p 25317 | grep test

io.open("test.txt",'w')
python
open("test.txt",'w')

https://etcnotes.com/posts/system-call/

export PATH=$PATH:/Applications/Xcode.app/Contents/Applications/Instruments.app/Contents/MacOS
instruments -d result.trace -t 'System Trace' /bin/ls
open result.trace
# select the ls main thread, then choose Events: System Calls

osquery endpointsecurity

sudo osqueryi --disable_events=false --disable_audit=false --disable_endpointsecurity=false --audit_allow_config

recovery mode (old system)

sudo /usr/sbin/nvram internet-recovery-mode=RecoveryModeNetwork
sudo /usr/sbin/nvram -d internet-recovery-mode

WPS Office

4.1.2 1.67G
4.2.0 2.14G

sudo ln -sfn /opt/homebrew/opt/openjdk/libexec/openjdk.jdk /Library/Java/JavaVirtualMachines/openjdk.jdk

system_profiler

system_profiler -json SPMemoryDataType
system_profiler -listDataTypes

redirect

macOS
This is how you redirect stderr to /dev/null:
command 2> /dev/null
For example:
ls -l 2> /dev/null

brew services command analysis

https://qiujunya.com/article/2019/6/23/23.html

mdutil

https://zhuanlan.zhihu.com/p/231076209
Turn off: sudo mdutil -a -i off
Turn on: sudo mdutil -a -i on

Command to stop mds_stores:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
[to re-enable: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist]

Command to turn off Spotlight:
sudo launchctl unload -w /System/Library/LaunchAgents/com.apple.Spotlight.plist
[to re-enable: sudo launchctl load -w /System/Library/LaunchAgents/com.apple.Spotlight.plist]

macOS 13 Ventura virtual machine install: no network problem

https://www.dhzy.fun/archives/4263.html

set hostname

sudo scutil --set HostName wurui

ibtool

ibtool Window.xib --compile test.nib
ibtool test.nib --upgrade --write test.xib
# [<string>Interface Builder cannot open compiled nibs.</string>]

PlistBuddy basic usage

https://www.jianshu.com/p/2167f755c47e

csrutil

-bash-3.2# csrutil disable
Turning off System Integrity Protection requires modifying system security.
Allow booting unsigned operating systems and any kernel extensions for os "Macintosh HD"? [y/n]: y
Authorized user: wurui
Password:
System Integrity Protection is off.
Restart the machine for the changes to take effect.

On an M1 Mac, adding a system extension prompts: "To enable system extensions, you need to, in "Recovery"
https://www.bilibili.com/read/cv19689455
https://www.jianshu.com/p/e459da1c8680

Disabling SIP (System Integrity Protection) on OS X 10.11

https://www.cnblogs.com/lsgxeva/p/11872185.html

cat /System/Library/Sandbox/rootless.conf

What happens after disabling SIP on 10.15 and then upgrading to 12.0

$ csrutil status
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
 Apple Internal: disabled
 Kext Signing: disabled
 Filesystem Protections: disabled
 Debugging Restrictions: disabled
 DTrace Restrictions: disabled
 NVRAM Protections: disabled
 BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
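An added helper, not from the original notes, that turns the `csrutil status` text above into a pass/fail check suitable for an inventory script: it reads the output on stdin, lists each protection reported as disabled, and exits non-zero for anything other than a fully enabled SIP. The two sample outputs are constructed (the first copies the custom configuration quoted above).

```shell
# Classify `csrutil status` output. Reads the text on stdin, prints every
# protection that is disabled (ignoring "Apple Internal", which is disabled
# on every machine outside Apple), and exits 0 only when SIP is fully enabled.
sip_audit() {
  awk '
    /^System Integrity Protection status:/ {
      if ($0 ~ /status: enabled\.?$/) ok = 1
      else { bad = 1; print "status: " substr($0, index($0, ":") + 2) }
    }
    /^[ \t]+[A-Za-z ]+: disabled\.?$/ && !/Apple Internal/ {
      name = $0; sub(/^[ \t]+/, "", name); sub(/:.*$/, "", name)
      print "disabled: " name; bad = 1
    }
    END { if (ok && !bad) exit 0; exit 1 }
  '
}

# Constructed sample: the custom-configuration output quoted above.
SIP_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
 Apple Internal: disabled
 Kext Signing: disabled
 Filesystem Protections: disabled
 Debugging Restrictions: disabled
 DTrace Restrictions: disabled
 NVRAM Protections: disabled
 BaseSystem Verification: enabled'

# Constructed sample: a healthy machine.
SIP_ENABLED='System Integrity Protection status: enabled.'

# On a real Mac replace the printf with: csrutil status | sip_audit
if printf '%s\n' "$SIP_CUSTOM" | sip_audit; then
  echo "SIP fully enabled"
else
  echo "SIP weakened: review the lines above"
fi
```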

macOS 12 process injection vulnerability breaks all security layers

https://www.oschina.net/news/206685/process-injection-breaking-all-macos-security-layers

In macOS 12.0.1 Monterey, Apple fixed the process injection vulnerability CVE-2021-30873, which affected all macOS applications based on AppKit.

Process injection

Process injection is the ability of one process to execute code in a different process. On Windows, one reason to use it is to evade detection by antivirus scanners, for example through a technique known as DLL hijacking. This lets malicious code masquerade as part of a different executable. On macOS, the impact of this technique is much greater because of the different permissions two applications can have.

In the classic Unix security model, every process runs as a specific user. Every file has an owner, a group and flags that determine which users are allowed to read, write or execute that file. Two processes running as the same user have the same permissions: it is assumed that there is no security boundary between them. Users are security boundaries, processes are not. If two processes run as the same user, one process can attach to the other as a debugger, allowing it to read or write the other process's memory and registers. The root user is an exception, because it has access to all files and processes. Therefore root can always access all data on the machine, whether on disk or in RAM.

Essentially, this was also the security model of macOS before the introduction of SIP (also known as "rootless"). The name does not mean there is no longer a root user, but that root itself is now much less powerful. For example, certain files can no longer be read by the root user unless the process also has a specific entitlement. Entitlements are metadata included when the code signature for an executable is generated. Checking whether a process has a specific entitlement is an important part of many security measures in macOS. The Unix ownership rules still exist; this is an additional layer of permission checks on top of them. Certain sensitive files (such as the Mail.app database) and features (such as the webcam) no longer require only root privileges, but need additional entitlements. In other words, privilege escalation is not enough to fully compromise sensitive data on a Mac.
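The passage above makes entitlements the layer that decides whether one same-user process may reach into another. As an added example (not from the notes or the linked article), this POSIX shell helper scans an entitlements plist for the hardened-runtime entitlements that deliberately reopen that boundary (debugger attachment, unsigned or environment-injected dylibs), so an app team can audit its own builds; the sample plist is constructed, and on macOS the real XML comes from `codesign -d --entitlements :- <binary>` (recent versions default to DER and need `--xml`).

```shell
# List entitlements that weaken the same-user process boundary. Reads an
# entitlements plist (XML) on stdin, prints each offending key that is set
# to <true/>, and exits 1 when any is found so it can gate a build or audit.
injection_relevant_entitlements() {
  awk '
    # remember the key named on a <key>...</key> line
    /<key>.*<\/key>/ {
      k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); key = k; next
    }
    # the following line carries the value; only <true/> grants the entitlement
    /<true\/>/ && key ~ /^com\.apple\.security\.(get-task-allow|cs\.debugger|cs\.disable-library-validation|cs\.allow-dyld-environment-variables|cs\.allow-unsigned-executable-memory)$/ {
      print key; found++
    }
    { key = "" }
    END { if (found) exit 1; exit 0 }
  '
}

# Constructed sample: a debug build that also opted out of library validation.
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <false/>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.example.app</string>
</dict>
</plist>'

if printf '%s\n' "$SAMPLE_ENTITLEMENTS" | injection_relevant_entitlements; then
  echo "no injection-relevant entitlements"
else
  echo "review: the entitlements above let other same-user code into this process"
fi
```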

xcdebug

Start a debugging session in Xcode.

xcode-select

Manages the active developer directory for Xcode and BSD tools

xctrace

Record, import, export and symbolicate Instruments .trace files.

xctrace list devices
xctrace list instruments
xctrace list templates