R3dF09 (@r3df09)'s Twitter Profile

Pwn2Own2017 Edge Winner, MSRC MVR 2020. Member of @XuanwuLab EcoSec team. Windows/macOS/iOS. Tweets are my own.

ID: 1580671231

09-07-2013 15:31:20

127 Tweets

2,2K Followers

324 Following

Jaron Bradley (@jbradley89)

TrueTree now has more reliability on macOS 11/12. This includes the ability to look "around" the RunningBoard service and acquire the true parent of a process. Thank you Objective-See Foundation for the code and the tips on the obscure ApplicationServices framework. themittenmac.com/tools/

Jiska (@naehrdine)

Just published a Frida tutorial, with a focus on iOS devices. It contains an introduction to Frida and iOS, low-level iOS interfaces (GCD, XPC, IOKit, Mach), and Objective-C instrumentation. youtube.com/watch?v=h070-Y… youtube.com/watch?v=qpEIRe… youtube.com/watch?v=x48y2e…

Justin Bui (@slyd0g)

Took some time recently to dive into in-memory Mach-O execution on macOS. I dig into the API calls necessary to perform reflective code loading, present my Swift implementation, cover nuances on Big Sur vs Monterey, and how to detect it on Monterey! slyd0g.medium.com/understanding-…

Minoru Kobayashi (@unkn0wnbit)

It took a while, but the English version of the macOS Forensics Hands-on Workshop materials is now available. Have fun! jsac.jpcert.or.jp/archive/2022/p… jsac.jpcert.or.jp/archive/2022/d… #DFIR #JSAC2022

Justin Bui (@slyd0g)

Updates to Apple's Endpoint Security Framework (ESF)!
- Ability to mute events based on path/process
- New `eslogger` binary to quickly get your hands dirty with ESF
- More userland events!
developer.apple.com/videos/play/ww…

Csaba Fitzl (@theevilbit)

I put together a quick blogpost about this new AMFI Launch Constraints mitigation, with examples of what kind of exploits it prevents. Again this was long time needed. Well done to everyone involved! theevilbit.github.io/posts/amfi_lau…

Guilherme Rambo (@_inside)

As promised, my experimental virtualization app for Apple Silicon Macs is now open source. Here’s VirtualBuddy: github.com/insidegui/Virt…

Romain THOMAS (@rh0main)

I'm going to start a series of two blog posts related to iOS obfuscation. The first part will be about RASP on iOS like detecting Frida's Stalker or using the iOS Sandbox to detect jailbroken devices. romainthomas.fr/post/22-08-ios…

Trung Nguyễn (@ntrung03)

iBoot running on QEMU? 🔥🌸 In case you missed our BH talk, here is one of the presented demos. The slides should be linked below. Meanwhile, our new DWC3 USB emulation and iOS 16 support is published, be sure to check it out at the repo. github.com/TrungNguyen190…

Ivan Krstić (@radian)

LIVE: Apple Security Research, our new blog and website at security.apple.com! We launch with an update on Apple Security Bounty (security.apple.com/blog/apple-sec…), and a deep dive into some fundamental XNU memory safety improvements with kalloc_type (security.apple.com/blog/towards-t…). Enjoy!

Impalabs (@the_impalabs)

Today we are releasing Hyperpom, a fuzzing framework for ARM64 binaries based on the Apple Silicon hypervisor. Check out our latest blogpost, as well as our GitHub repo, to learn more about the project and its internals. 📙 blog.impalabs.com/2211_hyperpom.… 🗃️ github.com/impalabs/hyper…

Ivan Fratric 💙💛 (@ifsecure)

New Project Zero blog post in which I dissect Apple DER-encoded entitlements and tell a story about how I found a fun (albeit short-lived) bug in the way they were decoded. googleprojectzero.blogspot.com/2023/01/der-en…

Objective-See Foundation (@objective_see)

Stoked to announce "Objective by the Sea" (#OBTS) v6.0 🍎🧑🏻‍🏫🌴☀️ Details: 📍 Marbella, Spain 🗓️ Oct 9ᵗʰ - 13ᵗʰ '23 ℹ️ Hop over to the conf. site to sign up for trainings, conference, & book a room at the venue: objectivebythesea.org/v6/index.html Can't wait to see y'all there! 🥰

Brandon Dalton (@partyd0lphin)

Happy Friday everyone! Want a ProcMon for macOS? Ever wish you had your own Endpoint Security client you could task? Want to peer behind the macOS EDR curtain? Have a go and let us know what you think! github.com/redcanaryco/ma…

Jaron Bradley (@jbradley89)

We've released a new blog on an APT malware targeting macOS that we call RustBucket. The actor is using decoy PDF documents that act as a key when loaded within an attacker-provided PDF app. The malware has three stages. Check out our writeup for details jamf.com/blog/bluenorof…

Ivan Krstić (@radian)

🔺New on the Apple Security Research blog: we pit our hardened kalloc_type XNU allocator against SockPuppet, a powerful vulnerability from the past: security.apple.com/blog/what-if-w…