Reverse on OSX

in

This articles is a simple collection of programm I use for understanding how a third party programm interact with the system.

List symbols of a binary

nm -g /bin/ls
                 U __DefaultRuneLocale
                 U ___assert_rtn
                 U ___bzero
                 U ___error
                 U ___maskrune
                 U ___snprintf_chk
                 U ___stack_chk_fail
                 U ___stack_chk_guard

# Show shared libraries used by a programm

otool -L /bin/ls
/bin/ls:
	/usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)

Get asm code

otool -vt /bin/ls

List open file and network connections

lsof
COMMAND     PID            USER   FD      TYPE             DEVICE   SIZE/OFF     NODE NAME
launchd       1            root  cwd       DIR                1,2       1224        2 /
launchd       1            root  txt       REG                1,2     304240 21153870 /sbin/launchd

Based on Dtrace

dtrace is a powerfull tools for reverse engineer

iosnoop

iosnoop is a live trace of disk/io

sudo iosnoop
  UID   PID D    BLOCK   SIZE       COMM     PATHNAME
  501 88892 R 440836400   4096 Google Chrome ??/Cache/data_2
  501 88892 R 420909232   4096 Google Chrome ??/Cache/data_0
  501 88892 R 439174816   4096 Google Chrome ??/Cache/data_2

## opensnoop

Live trace file opening

sudo opensnoop -ve
STRTIME                UID    PID COMM          FD ERR PATH
2015 May 11 13:51:00     0     99 DisplayLinkMana   6   0 /Library/Application Support/DisplayLink/.dl.xml
2015 May 11 13:51:00     0     99 DisplayLinkMana   6   0 /Library/Application Support/DisplayLink/.dl.xml

## execsnoop

Live trace program execution

sudo execsnoop
  UID    PID   PPID ARGS
  501  52098  48099 sudo

## druss

dtruss allow you to show all system calls. You can filter by binary with the -n options.

sudo dtruss -n ls
	PID/THRD  SYSCALL(args) 		 = return
52383/0x1e98b4:  thread_selfid(0x7FFF5B281460, 0x7F93C18013F0, 0x7F93C060A7D0)		 = 2005172 0
52383/0x1e98b4:  csops(0x0, 0x0, 0x7FFF5BF4FA08)		 = 0 0
52383/0x1e98b4:  issetugid(0x0, 0x0, 0x7FFF5BF4FA08)		 = 0 0

errinfo

Show system calls errors

sudo errinfo
            EXEC          SYSCALL  ERR  DESC
           iTerm             read   35  Resource temporarily unavailable
           iTerm             read   35  Resource temporarily unavailable
           iTerm             read   35  Resource temporarily unavailable