Common malware OS calls

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Common malware OS calls

Postby moveax41h » Wed Aug 16, 2017 10:22 pm

Hello,

I do malware analysis on Windows for an AV company and I'm looking into Mac malware analysis in the future. One useful thing to have on Windows is a "cheat sheet" of common OS API calls which are used for malicious purposes. For example, on Windows, an "executable resource" can be attached to a file and then loaded into the process by using the APIs FindResource, LockResource, LoadResource in succession. Therefore, as an analyst, this is one of the many things I may look for when analyzing a file. Others being WriteProcessMemory, for example, which allows a process to write bytes to another process.

Obviously, Mac is different but I assume there are similar API calls which can be used by malware and I was wondering if anyone had a list or some other reference for these purposes. Thank you.
moveax41h
 
Posts: 1
Joined: Wed Aug 16, 2017 10:17 pm

Re: Common malware OS calls

Postby morpheus » Tue Aug 22, 2017 10:36 pm

Wow. That's a tough one. Honestly, there are SO many.

- LaunchServices calls: which can be used to enumerate apps, processes, etc - check out my LSDtrip demo as an example
- Regular file calls, but particularly with paths pointing to */LaunchDaemons or */LaunchAgents, as a vector for persistency
- IOKit calls, performed directly from the binary, and not via Apple's frameworks
- In fact, any direct linking to a PrivateFramework path
- possible use of dlopen(3) - though might lead to false positives

And there's lots more.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
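The indicators in the reply above can be turned into a static triage pass over a binary's load commands and string table. The following is an added example, not code from the poster or the forum: it constructs a minimal 64-bit Mach-O image (only a header plus LC_LOAD_DYLIB commands, with an opaque tail standing in for the string table), walks the load commands, and flags direct IOKit linking, PrivateFrameworks linking, launchd persistence paths and a bare dlopen import. The sample paths and symbol names are constructed; on a real file you would feed it the bytes of one Mach-O slice.

```python
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0x0C       # load command that records a linked dylib
PERSIST_RE = re.compile(rb"(?:/[\w.-]+)*/Launch(?:Daemons|Agents)/[\w.-]+\.plist")

def build_macho(dylibs, tail=b""):
    """Build a minimal Mach-O image: header, one LC_LOAD_DYLIB per path, then
    an opaque tail standing in for the rest of the file (constructed sample)."""
    cmds = b""
    for path in dylibs:
        name = path.encode() + b"\0"
        size = 24 + len(name) + (-(24 + len(name))) % 8   # 8-byte aligned
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 0, 0, 0)
        cmds += name.ljust(size - 24, b"\0")
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return hdr + cmds + tail

def linked_dylibs(blob):
    """Walk the load commands and return every LC_LOAD_DYLIB path."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    paths, off = [], 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            raw = blob[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return paths

def triage(blob):
    """Map each indicator named in the post to the evidence found for it."""
    dylibs = linked_dylibs(blob)
    hits = {
        "private_framework_link": [p for p in dylibs if "/PrivateFrameworks/" in p],
        "direct_iokit_link": [p for p in dylibs if "/IOKit.framework/" in p],
        "launchd_persistence_path": sorted({m.decode() for m in PERSIST_RE.findall(blob)}),
        # a bare dlopen import is a weak signal on its own, as the post notes
        "dlopen_symbol": ["_dlopen"] if b"_dlopen\0" in blob else [],
    }
    return {k: v for k, v in hits.items() if v}

SAMPLE = build_macho(   # constructed sample, not a real binary
    ["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit",
     "/System/Library/PrivateFrameworks/CoreSymbolication.framework/Versions/A/CoreSymbolication"],
    tail=b"\0_dlopen\0/Library/LaunchAgents/com.example.updater.plist\0")
```

A hit from any single indicator is a triage lead, not a verdict; the dlopen check in particular will fire on plenty of benign software, as the reply points out.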
