
Commit b09c4cf

carlospolop authored and gitbook-bot committed
GitBook: [master] 3 pages modified
1 parent 67f9c47 commit b09c4cf

3 files changed: +21 -2 lines changed


SUMMARY.md

+1-1
Original file line number | Diff line number | Diff line change
@@ -57,7 +57,7 @@
5757

5858
* [MacOS Security & Privilege Escalation](macos/macos-security-and-privilege-escalation/README.md)
5959
* [Mac OS Protocols](macos/macos-security-and-privilege-escalation/mac-os-protocols.md)
60-
* [Inspecting and debugging Mac OS Apps](macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md)
60+
* [Inspecting and debugging Mac OS Sotware](macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md)
6161
* [Mac OS Serial Number](macos/macos-security-and-privilege-escalation/macos-serial-number.md)
6262
* [Mac OS Architecture](macos/macos-security-and-privilege-escalation/mac-os-architecture.md)
6363
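Review bot: the replacement entry at line 60+ introduces a typo, "Sotware" for "Software"; the intent of the change (widening the title from Apps to Software) is fine, so suggest `* [Inspecting and debugging Mac OS Software](macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md)`. The link target keeps the old `-apps.md` file name, which matches the second file in this commit not being renamed, so nothing else needs to change here.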

macos/macos-security-and-privilege-escalation/inspecting-and-debugging-mac-os-apps.md

+16-1
@@ -1,4 +1,4 @@
1-
# Inspecting and debugging Mac OS Apps
1+
# Inspecting and debugging Mac OS Sotware
22

33
## Static Analysis
44
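Review bot: the new H1 at line 1+ carries the same typo as the SUMMARY entry, "Sotware" for "Software"; suggest `# Inspecting and debugging Mac OS Software` so the page title and the table of contents agree.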

@@ -9,6 +9,21 @@ otool -L /bin/ls #List dynamically linked libraries
99
otool -tv /bin/ps #Decompile application
1010
```
1111

12+
### SuspiciousPackage
13+
14+
\*\*\*\*[**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files \(installers\) and see what is inside before installing it.
15+
These installers have `preinstall` and `postinstall` bash scripts that malware authors usually abuse to **persist** **the** **malware**.
16+
17+
### hdiutil
18+
19+
This tool allows to **mount** Apple disk images \(**.dmg**\) files to inspect them before running anything:
20+
21+
```bash
22+
hdiutil attach ~/Downloads/Firefox\ 58.0.2.dmg
23+
```
24+
25+
It will be mounted in `/Volumes`
26+
1227
## Dynamic Analysis
1328

1429
{% hint style="warning" %}
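Review bot: the `\*\*\*\*` escaped asterisks at the start of line 14+ render as four literal asterisks in front of the SuspiciousPackage link and look like an editor artifact; drop them. Line 15+ says malware authors abuse `preinstall`/`postinstall` to persist but not why inspecting them matters: these scripts run with root privileges when the package is installed with administrator rights, the usual case for a system-wide install, which is worth a sentence. Line 19+ should read "This tool allows you to mount", and the `hdiutil attach` example at line 22+ would be safer for inspection with the read-only and no-browse options (`hdiutil attach -readonly -nobrowse ~/Downloads/Firefox\ 58.0.2.dmg`), followed by a note that `hdiutil detach /Volumes/<name>` unmounts the image again; line 25+ also lacks a trailing period.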

misc/basic-python/bypass-python-sandboxes.md

+4
@@ -158,6 +158,10 @@ f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdi
158158
f(42)
159159
```
160160

161+
### Decompiling Python
162+
163+
Using tools like [https://www.decompiler.com/](https://www.decompiler.com/) one can decompile given compiled python code
164+
161165
## Builtins
162166

163167
* [Builtins functions of python2](https://docs.python.org/2/library/functions.html)
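Review bot: line 163+ is vague and lacks a period: it does not say what input the decompiler takes (compiled `.pyc` bytecode, which is what "compiled python code" means here) and does not mention that decompiler.com is a third-party online service, so the bytecode is uploaded off the machine; suggest stating the input type, ending the sentence with a period, and naming an offline option such as `uncompyle6` for cases where the code must not leave the host.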

0 commit comments
