This article is a simple collection of programs I use to understand how a third-party program interacts with the system.
List symbols of a binary
nm -g /bin/ls
U __DefaultRuneLocale
U ___assert_rtn
U ___bzero
U ___error
U ___maskrune
U ___snprintf_chk
U ___stack_chk_fail
U ___stack_chk_guard
Show shared libraries used by a program
otool -L /bin/ls
/bin/ls:
/usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
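The dependency list is the first thing to check when a binary is not your own: libraries resolved from /usr/lib or /System/Library come with the OS, while entries such as @rpath/... or paths under /opt or the application bundle are resolved at load time and deserve a closer look. The script below is an added example, not code from the original article: it parses otool -L output with awk and prints only the non-system dependencies. The sample output is constructed to mimic the format shown above; for a real binary, call flag_nonsystem_deps "$(otool -L /path/to/binary)".

```shell
#!/bin/sh
# Added example: triage the output of `otool -L`.
# The sample below is constructed (not real otool output) and follows the
# format shown in the article: a header line ending in ':' followed by one
# indented dependency per line.
SAMPLE_OTOOL_OUTPUT='/Applications/Example.app/Contents/MacOS/Example:
  /usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)
  @rpath/libhelper.dylib (compatibility version 1.0.0, current version 1.0.0)
  /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
  /opt/local/lib/libfoo.1.dylib (compatibility version 2.0.0, current version 2.3.0)'

# list_deps: print one dependency path per line. The header line (the
# binary's own path) is skipped and the version information is dropped.
list_deps() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'
}

# flag_nonsystem_deps: keep only dependencies that do not live under
# /usr/lib or /System/Library. @rpath/@executable_path entries and paths
# outside the OS are the ones that need to be resolved and inspected.
flag_nonsystem_deps() {
    list_deps "$1" | awk '$0 !~ "^/usr/lib/" && $0 !~ "^/System/Library/"'
}

# Stand-alone usage over the constructed sample.
flag_nonsystem_deps "$SAMPLE_OTOOL_OUTPUT"
```

The filter only looks at the path prefix; it does not verify that a flagged library exists or what it contains, so the output is a list of items to inspect, not a verdict.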
Get asm code
otool -vt /bin/ls
List open file and network connections
lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root cwd DIR 1,2 1224 2 /
launchd 1 root txt REG 1,2 304240 21153870 /sbin/launchd
Based on DTrace
DTrace is a powerful tool for reverse engineers.
iosnoop
iosnoop is a live trace of disk I/O.
sudo iosnoop
UID PID D BLOCK SIZE COMM PATHNAME
501 88892 R 440836400 4096 Google Chrome ??/Cache/data_2
501 88892 R 420909232 4096 Google Chrome ??/Cache/data_0
501 88892 R 439174816 4096 Google Chrome ??/Cache/data_2
opensnoop
Live trace of file opens
sudo opensnoop -ve
STRTIME UID PID COMM FD ERR PATH
2015 May 11 13:51:00 0 99 DisplayLinkMana 6 0 /Library/Application Support/DisplayLink/.dl.xml
2015 May 11 13:51:00 0 99 DisplayLinkMana 6 0 /Library/Application Support/DisplayLink/.dl.xml
execsnoop
Live trace of program execution
sudo execsnoop
UID PID PPID ARGS
501 52098 48099 sudo
dtruss
dtruss allows you to show all system calls. You can filter by binary name with the -n option.
sudo dtruss -n ls
PID/THRD SYSCALL(args) = return
52383/0x1e98b4: thread_selfid(0x7FFF5B281460, 0x7F93C18013F0, 0x7F93C060A7D0) = 2005172 0
52383/0x1e98b4: csops(0x0, 0x0, 0x7FFF5BF4FA08) = 0 0
52383/0x1e98b4: issetugid(0x0, 0x0, 0x7FFF5BF4FA08) = 0 0
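A raw dtruss trace is long, so the usual first step is to summarise it: which syscalls the program makes, which of them failed, and which files it tried to open. The script below is an added example, not code from the original article: it reads a captured dtruss trace with awk and answers those three questions. The sample trace is constructed in the format shown above (PID/THRD, the syscall with its arguments, then the return value and errno); the "= -1 Err#N" form for a failed call is what dtruss prints on error. For a real capture, save the trace to a file and pass its contents, for example syscall_counts "$(cat trace.txt)".

```shell
#!/bin/sh
# Added example: summarise a dtruss trace.
# The sample below is constructed (not a real capture) and follows the
# article's format: "PID/THRD:  syscall(args)  = return errno".
SAMPLE_DTRUSS_OUTPUT='PID/THRD  SYSCALL(args)  = return
52383/0x1e98b4:  thread_selfid(0x7FFF5B281460, 0x7F93C18013F0, 0x7F93C060A7D0)  = 2005172 0
52383/0x1e98b4:  csops(0x0, 0x0, 0x7FFF5BF4FA08)  = 0 0
52383/0x1e98b4:  open("/etc/nonexistent\0", 0x0, 0x0)  = -1 Err#2
52383/0x1e98b4:  open("/Users/me/Library/Preferences/com.example.plist\0", 0x0, 0x0)  = 3 0
52383/0x1e98b4:  read(0x3, 0x7F93C1801400, 0x1000)  = 512 0'

# syscall_counts: "<count> <syscall>" per line, most frequent first.
# The syscall name is the second field with everything from '(' on removed.
syscall_counts() {
    printf '%s\n' "$1" | awk 'NR > 1 { sub(/\(.*/, "", $2); n[$2]++ }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -k1,1nr -k2,2
}

# failed_syscalls: "<syscall> Err#N" for every call that returned -1 with
# an errno. Failed opens and stats often reveal the paths a program probes.
failed_syscalls() {
    printf '%s\n' "$1" | awk 'NR > 1 && /= -1 Err#/ { sub(/\(.*/, "", $2); print $2, $NF }'
}

# opened_paths: the first argument of every open() call, with the trailing
# \0 that dtruss appends to C strings removed.
opened_paths() {
    printf '%s\n' "$1" | awk '/ open\("/ {
        s = index($0, "open(\"") + 6   # position just after open("
        p = substr($0, s)
        sub(/".*/, "", p)              # cut at the closing quote
        sub(/\\0$/, "", p)             # drop the literal \0 terminator
        print p
    }'
}

# Stand-alone usage over the constructed sample.
echo "== syscall counts =="
syscall_counts "$SAMPLE_DTRUSS_OUTPUT"
echo "== failed syscalls =="
failed_syscalls "$SAMPLE_DTRUSS_OUTPUT"
echo "== opened paths =="
opened_paths "$SAMPLE_DTRUSS_OUTPUT"
```

The parser keys on the column layout shown in the article; if a trace includes multi-line arguments or a different dtruss version changes the spacing, check the header line of the capture before trusting the counts.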
errinfo
Show system call errors
sudo errinfo
EXEC SYSCALL ERR DESC
iTerm read 35 Resource temporarily unavailable
iTerm read 35 Resource temporarily unavailable
iTerm read 35 Resource temporarily unavailable