Reverse Engineering Mac Malware 4 - File Analysis
Read previous part: Reverse Engineering Mac Malware 3 - Dynamic Analysis
Methods and tools for Mac file analysis, including DTrace, fs_usage and fseventer, are covered in depth by Sarah Edwards in this part of the presentation.
A little bit about file analysis. We are going over some DTrace, fs_usage, and fseventer.
The DTrace script ‘filebyproc’ shows files opened by process.
You really want to look at what kind of files this thing is opening, creating, touching and working with. And again, this is very similar to what we saw before. You see the application name; we got ‘Finder’, ‘Dock’, ‘touch’; and the path. In this example you can see I touched a document called ‘test.txt’. Also, there’s, obviously, configuration; the ‘mdworker’, ‘mds’ – that’s all related to the metadata service for SpotlightServer. So, in a normal working system you will see overpopulation from mdworker and Spotlight stuff. Some of the tools will actually be able to filter out a lot of this.
Another one – files opened – gives you a slightly different view on things. This one actually opens and shows you the process IDs, the user ID that opened the process or started the process. This could be quite interesting. Down here you can see 501, a normal user. We also see the root user doing some stuff here with TextEdit. So it’s good information to know which user – an admin user or a regular user – is doing some stuff.
Another one. There are a lot of DTrace scripts and they are all a little bit different here, and you just have to figure out which one you like best. So, ‘opensnoop -a’ (‘-a’ equals ‘all data’) – just give it to me and let me filter it out myself. Opensnoop gives you a couple of timestamps: the first one is a relative timestamp; the second one is actually the local system time. And still it has the UID, PID and other things, so that gives you a ton of different information.
We also want to see files read/written by process; it’s a little bit different. It shows you what the block size is, where it is in the file system. So if you really want to go find where that file is written to, you may do so. The examples I’m providing are normal system usage, so I’m not running any malware here, this is normal. So we have ‘launchd’ doing something with an ASL file – that’s Apple System Log. It’s very syslog-like, it’s Apple’s version of syslog pretty much.
So, files opened by process – this one is creatbyproc.d. You see ‘Google Chrome’, ‘cat’, ‘sh’, ‘troff’ – a ton of different things.
Another native tool, fs_usage, is hugely verbose. I have up here two arguments: ‘-w’ argument is for ‘what’, meaning you get a wider view, you get more information out of it; and ‘-f’ is for ‘filter’. This one has a bunch of different filters in it for different types of things. We are going to go over the ‘pathname’, ‘exec’ and ‘diskio’ filters.
You can use the pathname filter. This will get us the timestamp, the calls, file path, time interval and process name. Some calls of interest – I recommend going to the Apple Developer documents and looking up these calls. You can do ‘getattrlist’; I’ll show you a lot of information about that. A lot of the documentation is built in. With Windows stuff you might be going on MSDN or searching for it on Google. A lot of this is built into the OS, which is real nice.
So, here’s an example of the pathname. Because it’s so verbose, I had to take it out of the screenshot and actually put it in as text. I highly recommend putting it up into a file. This is an example of ‘getattrlist’, it’s doing something with Messages.app and with the Dock. What I did there was I clicked on Messages, and that opened it up. You can see some interfacing with Google Chrome here, data on browsing the web, things like that.
Diskio – a lot of the similar stuff: we got disk block, byte count again, similar to what we saw before.
A couple of examples here: you see my Gmail, not my primary account. We have Google Chrome doing some local storage; I was dropping out some tunes on Rdio. You see a lot of this stuff is normal. If you are working with this stuff you have to know what is normal and what is not. Look at your activity while you are just browsing the web and doing normal email, things like that – I’m not kidding when I say “verbose”. Who uses procmon? It’s similar to that, there’s a ton of information. If you do, like, ‘fs_usage’ with no filters, it’s very similar to procmon. You know, it gets the network, disks, processes – all sorts of information.
So, the GUI tool for all of this - ‘fseventer’ by the folks at fernLightning. It’s a GUI application, it’s got a couple of different views that we’ll see later on. It also has a text input filter doing live filtering or something like that. And it does have the ability to save to an output file.
I don’t care for this viewer mostly, but it does show you the various levels of the file system. You have the cliffstoll, Users, Library, SyncedPreferences with some plist files. So it does help you visually see what files are being accessed and at what time.
Of course my preferred one, very “procmon-y”, is the table view. Just sort by time and look at what’s happening, you know. It has file path, time, what type of action or event occurred, and the process that it occurred with.
This one shows you the filtering. I filtered here by ‘plist’, I wanted to know what plist files are being written to. For those who are not Mac users, plists are like the registry of the network. Instead of the five or six hives that Windows has, there are hundreds and hundreds of plist files. Each application, each thing has a separate plist file.
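The talk makes two practical points about this kind of trace: a normal system is flooded with Spotlight (mdworker, mds) chatter that has to be filtered out before anything else is visible, and the plist files being written are the ones worth isolating. The following POSIX shell/awk script is an added example, not part of Sarah Edwards' presentation and not code from fs_usage, fseventer or any DTrace script; it shows how you would post-process a saved `fs_usage -w -f pathname` capture offline. It assumes the column layout (timestamp, call, path, elapsed time, process.pid) and the sample lines, user name, paths and process IDs are all constructed for the example.

```shell
#!/bin/sh
# Added example: offline triage of fs_usage-style output with awk.
# SAMPLE is constructed to mimic the column layout of `fs_usage -w -f pathname`
# (timestamp, call, path, elapsed time, process.pid). It is not a real capture;
# the user, paths, PIDs and the com.example.sample.plist name are placeholders.
SAMPLE='14:02:11.100101  open         /Users/cliffstoll/Library/Preferences/com.apple.dock.plist      0.000021  Dock.312
14:02:11.100452  getattrlist  /Applications/Messages.app/Contents/Info.plist                     0.000012  Dock.312
14:02:11.200877  open         /Users/cliffstoll/Library/Spotlight/index.db                       0.000040  mdworker.540
14:02:11.201003  getattrlist  /Users/cliffstoll/Documents/test.txt                               0.000009  mds.77
14:02:11.305660  open         /Users/cliffstoll/Documents/test.txt                               0.000018  touch.9102
14:02:11.410220  WrData[A]    /Users/cliffstoll/Library/LaunchAgents/com.example.sample.plist    0.000330  sh.9110'

# Drop the Spotlight metadata chatter (mdworker, mds) that fills a normal
# system's trace, so what remains is what the user and applications did.
drop_spotlight_noise() {
  awk '{ p=$NF; sub(/\.[0-9]+$/, "", p); if (p != "mdworker" && p != "mds") print }'
}

# Keep only events whose path matches an awk regex, like fseventer's text
# filter; `filter_path 'plist$'` answers "which plist files were touched?".
filter_path() {
  awk -v pat="$1" '$3 ~ pat'
}

# Reduce each event to "process call path" for quick reading.
summarize() {
  awk '{ p=$NF; sub(/\.[0-9]+$/, "", p); print p, $2, $3 }'
}

# Comma-separated, de-duplicated list of processes that touched one exact path,
# e.g. to see which user-driven process (not just mds) read a document.
processes_for_path() {
  awk -v path="$1" '$3 == path { p=$NF; sub(/\.[0-9]+$/, "", p); print p }' \
    | sort -u | paste -s -d , -
}

# Number of non-Spotlight events against plist files in SAMPLE.
count_plist_events() {
  printf '%s\n' "$SAMPLE" | drop_spotlight_noise | filter_path 'plist$' | wc -l | tr -d ' '
}

# Only plist writes (WrData calls) by non-Spotlight processes: the first place
# to look for a new LaunchAgent or a changed preference file.
plist_writes() {
  printf '%s\n' "$SAMPLE" | drop_spotlight_noise | filter_path 'plist$' \
    | awk '$2 ~ /^WrData/' | summarize
}

# Stand-alone run: cleaned event list plus the two focused views.
printf '%s\n' "$SAMPLE" | drop_spotlight_noise | summarize
echo "non-Spotlight plist events: $(count_plist_events)"
echo "plist writes: $(plist_writes)"
echo "processes touching test.txt: $(printf '%s\n' "$SAMPLE" | processes_for_path /Users/cliffstoll/Documents/test.txt)"
```

Against a real capture, replace `printf '%s\n' "$SAMPLE"` with `cat capture.txt`; the filters are pipeline stages, so the same `drop_spotlight_noise | filter_path 'plist$'` chain works on a file saved from `fs_usage -w -f pathname`, which is why the talk recommends writing the output to a file rather than reading it from the terminal.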
Read next part: Reverse Engineering Mac Malware 5 - Process and Network Analysis