More than half a year as passed since HITCON'12 and as far as I know no one cared much about implementing some sort of detection/protection against this type of attack (correct me if I’m wrong). As explained in HITCON slides, this trick can be very useful to install backdoors and avoid the usual lame LaunchDaemons type of thing. I did some massive cleanup to the original PoC that I had glued for HITCON but it’s still a bit messy and definitely not “production” ready....

Another day, another lame malware attacking and spying on OS X users, and still using the same old lame Daemons and Agents approach to gain persistence at victims machine. Hey, it works, so why change, right? Ice the Guardian v2 is a quick hack using TrustedBSD to monitor the system LaunchDaemons and LaunchAgents folders. There’s a lot of room for improvement so I’m waiting for your commits 😉. Apple has the technology in place so they could probably implement something like this default oin OS X....

And 2012 (Gregorian calendar version) is almost over so it’s time to look back and ahead. This year was certainly a great one for myself. Had quite a few interesting projects, went to Asia and spoke at conferences for the first time, improved a lot my skills and fulfilled the main 2012 goal. It was certainly a very busy but fun year that set the pace for 2013. The projects’ queue for 2013 is already very interesting with lots of (fun) work ahead!...

The question that most people want to be answered is if this is the book to replace the venerable Mac OS X Internals by Amit Singh. In my opinion it’s complementary with some good updates and interesting tips. I wasn’t expecting to buy this book so soon due to some Twitter comments and to printing issues, with at least one chapter missing and replaced with another from a ASP.net book. A project I’m working at antecipated my waiting....

It’s the lazy post season so I present you otool-ng. It’s a fork of Apple’s otool with small modifications for things that I use often or dislike in current otool. The segment command LC_MAIN was introduced to replace LC_UNIXTHREAD and one information that is lost is the entrypoint address. While ASLR kind of makes it less useful, I still debug a lot of programs and do other stuff, where ASLR is disabled....