Common malware OS calls

Posted: Wed Aug 16, 2017 10:22 pm
by moveax41h
Hello,

I do malware analysis on Windows for an AV company and I'm looking into Mac malware analysis in the future. One useful thing to have on Windows is a "cheat sheet" of common OS API calls which are used for malicious purposes. For example, on Windows, an "executable resource" can be attached to a file and then loaded into the process by using the APIs FindResource, LockResource, LoadResource in succession. Therefore, as an analyst, this is one of the many things I may look for when analyzing a file. Others being WriteProcessMemory, for example, which allows a process to write bytes to another process.

Obviously, Mac is different but I assume there are similar API calls which can be used by malware and I was wondering if anyone had a list or some other reference for these purposes. Thank you.

Re: Common malware OS calls

Posted: Tue Aug 22, 2017 10:36 pm
by morpheus
Wow. That's a tough one. Honestly, there are SO many.

- LaunchServices calls: which can be used to enumerate apps, processes, etc. - check out my LSDtrip demo as an example
- Regular file calls, but particularly with paths pointing to */LaunchDaemons or */LaunchAgents, as a vector for persistency
- IOKit calls, performed directly from the binary, and not via Apple's frameworks
- In fact, any direct linking to a PrivateFramework path
- possible use of dlopen(3) - though might lead to false positives

And there's lots more.
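
The static indicators listed in the reply above (direct IOKit linkage, PrivateFramework linkage, launchd paths, dlopen), turned into a small Mach-O triage check. This is an added example, not part of either post: it handles only thin little-endian 64-bit Mach-O files, the finding tags and the `Example.framework` path are hypothetical, and the sample binary is constructed inline.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin, little-endian, 64-bit Mach-O only
DYLIB_CMDS = {0x0C, 0x80000018, 0x8000001F, 0x80000023}  # LC_LOAD_DYLIB + weak/reexport/upward

def linked_dylibs(data):
    """Return the install names in a Mach-O's dylib load commands."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    names, off = [], 32  # load commands follow the 32-byte header
    for _ in range(ncmds):
        if off + 8 > len(data):
            break  # truncated load-command table
        cmd, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            break  # malformed command size
        if cmd in DYLIB_CMDS and size > 24:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            if 24 <= name_off < size:
                raw = data[off + name_off:off + size].split(b"\0")[0]
                names.append(raw.decode("utf-8", "replace"))
        off += size
    return names

def triage(data):
    """Tag the static indicators from the reply (tag names are hypothetical)."""
    findings = []
    for name in linked_dylibs(data):
        if "/PrivateFrameworks/" in name:
            findings.append(("private-framework", name))
        elif "/IOKit.framework/" in name:
            findings.append(("direct-iokit", name))
    for marker in (b"/LaunchDaemons", b"/LaunchAgents"):
        if marker in data:
            findings.append(("launchd-path", marker.decode()))
    if b"_dlopen\0" in data:  # imported symbol; weak signal by itself
        findings.append(("dlopen", "_dlopen"))
    return findings

def build_sample():
    """Constructed test input: header plus three LC_LOAD_DYLIB commands."""
    body = b""
    for path in ("/usr/lib/libSystem.B.dylib",
                 "/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit",
                 "/System/Library/PrivateFrameworks/Example.framework/Example"):
        name = path.encode().ljust(64, b"\0")  # NUL-padded name field
        body += struct.pack("<IIIIII", 0x0C, 24 + len(name), 24, 2, 0, 0) + name
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(body), 0, 0)
    return header + body + b"\0_dlopen\0~/Library/LaunchAgents/com.example.plist\0"
```

Each finding is a lead for manual analysis rather than a verdict; the dlopen tag in particular fires on plenty of benign software.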