macOS恶意软件开发 II
本文深入探讨了自定义 macOS 恶意软件的开发,重点介绍了如何利用 Mach-O 内部结构和原生 Darwin API 构建自我变异的加载程序。文章详细描述了一种多态引擎的架构,该引擎分为两个阶段:一个负责有效载荷变异和重新加密的父进程,以及一个执行进化代码的变异进程。文中探讨了无文件执行、运行时变异、内存加密以及通过死信箱进行指挥与控制等技术,这些都完全通过原生 API 和低级 Mach-O 操作实现。
查看原文
This article is a deep technical dive into custom macOS malware development, centered on building a self-mutating loader using Mach-O internals and native Darwin APIs. It details the architecture of a polymorphic engine divided into two phases: a parent process responsible for payload mutation and re-encryption, and a mutant process that executes the evolved code. The piece explores techniques such as fileless execution, runtime mutation, in-memory encryption, and command-and-control via dead-drop, all implemented entirely through native APIs and low-level Mach-O manipulation.<p>https://0xf00sec.github.io/0x22