From b09c4cf3e13caf37241bda10651ca8c950fcf76a Mon Sep 17 00:00:00 2001 From: CPol Date: Sat, 31 Jul 2021 01:06:22 +0000 Subject: [PATCH] GitBook: [master] 3 pages modified --- SUMMARY.md | 2 +- .../inspecting-and-debugging-mac-os-apps.md | 17 ++++++++++++++++- misc/basic-python/bypass-python-sandboxes.md | 4 ++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 9806f261..ee48424f 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -57,7 +57,7 @@ * [MacOS Security & Privilege Escalation](macos/macos-security-and-privilege-escalation/README.md) * [Mac OS Protocols](macos/macos-security-and-privilege-escalation/mac-os-protocols.md) - * [Inspecting and debugging Mac OS Apps](macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md) + * [Inspecting and debugging Mac OS Sotware](macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md) * [Mac OS Serial Number](macos/macos-security-and-privilege-escalation/macos-serial-number.md) * [Mac OS Architecture](macos/macos-security-and-privilege-escalation/mac-os-architecture.md) diff --git a/macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md b/macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md index 41665853..e11ae4ca 100644 --- a/macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md +++ b/macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md @@ -1,4 +1,4 @@ -# Inspecting and debugging Mac OS Apps +# Inspecting and debugging Mac OS Sotware ## Static Analysis @@ -9,6 +9,21 @@ otool -L /bin/ls #List dynamically linked libraries otool -tv /bin/ps #Decompile application ``` +### SuspiciousPackage + +\*\*\*\*[**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files \(installers\) and see what is inside before installing it. +These installers have `preinstall` and `postinstall` bash scripts that malware authors usually abuse to **persist** **the** **malware**. + +### hdiutil + +This tool allows to **mount** Apple disk images \(**.dmg**\) files to inspect them before running anything: + +```bash +hdiutil attach ~/Downloads/Firefox\ 58.0.2.dmg +``` + +It will be mounted in `/Volumes` + ## Dynamic Analysis {% hint style="warning" %} diff --git a/misc/basic-python/bypass-python-sandboxes.md b/misc/basic-python/bypass-python-sandboxes.md index 7ebcb6c7..7b42d34d 100644 --- a/misc/basic-python/bypass-python-sandboxes.md +++ b/misc/basic-python/bypass-python-sandboxes.md @@ -158,6 +158,10 @@ f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdi f(42) ``` +### Decompiling Python + +Using tools like [https://www.decompiler.com/](https://www.decompiler.com/) one can decompile given compiled python code + ## Builtins * [Builtins functions of python2](https://docs.python.org/2/library/functions.html)