![]() ![]() “She precisely calibrates the elegant ennui of the public Diana-her familiar crooked-neck pose, her downward gaze so knowing and haunted while she talks in that mournful dove’s coo,” wrote Vanity Fair’s chief critic, Richard Lawson, in his review. I read it at night.Elizabeth Debicki has mesmerized audiences with her eerie summoning of Princess Diana on The Crown’s fifth season, which charts the late royal’s messy breakup with Prince Charles and the royal family. Look it up, it’s a great book I highly recommend it. It was written by the guy who did the new OS X Internals book. ![]() You can see which applications are using more network throughput.Īnd one more, this is like a TCP view type of thing, it’s called ‘lsock’. You can also do network analysis with Activity Monitor. I like to see the content of the packets when it’s rolling through, see if it’s peeking into certain things – I want to see that live, so I personally like the option with content. We got good ol’ tcpdump, getting a couple of options here: one with content and one without content. So, command line version – we got two options. When you have to open up Safari or open up iWork stuff, you will have a full page of text that will show up blank. ![]() It shows up blank, and I’m like: “Are you kidding me? What am I doing wrong?” I know some VMs can be a little bit buggy, especially when it comes to video stuff. Wireshark will not frickin’ install on 10.7 or 10.8 systems in a VM. I usually have a clean VM and dirty VM while doing analysis. I had a hell of a time when I was running this software in VMs. Let’s move on to Wireshark, the all time favorite. When it comes down to it, it’s pretty damn slick. It’s kind of interesting because it caches packets, so it’s not completely live, which bugs the hell out of me. So, CocoaPacketAnalyzer is a Mac-only tool. There’s also the CocoaPacketAnalyzer, let’s get into it. Wireshark is always popular in the Windows world. It’s very much like the Task Manager on Windows, pretty much the same thing. Whenever a process is taking up a lot of RAM on your computer and you are wondering why it’s so hot and the fan is running so hard, this is what you are going to open up and kill the process. Then, of course, we have the Activity Monitor. I can see it’s 64-bit, I can see the size of virtual memory it’s using, what other processes are executing underneath it, things like that. It’s interactive, so you can click down, press Enter and more information will pop up about that process this is shown in the lower screenshot. We have a bunch of different columns here. But you can’t make Terminal stuff look good, it’s just impossible. It’s equipped with a few more functionalities and coloring. This is basically a Terminal version, Mac version of Process Explorer. Malware might be using some different ones that’s basically the Domino Man page lookup. You see ‘bin’, ‘sh’, ‘man’, ‘tbl’, ‘groff’ – these are all command line tools that we might be interested in. It confers ‘posix_spawn’, that’s across one process ‘execve’ is a new process. It is not too verbose.Īgain, fs_usage, the ‘-f exec’ filter – a lot of the same information: timestamp, new process, new path. You easily see on the command line what’s getting run at that time. Pretty darn concise, too, which is why I like it. It does the relative time, it does the current time, UID, PID, parent ID, and arguments. Then, with new processes we use ‘execsnoop’. And I did an ‘open -a TextWrangler’, I opened the TextWrangler from the command line. One of the lines at the top is when I double-clicked the Notes application it had a bunch of different things executing with it: framework stuff, XPC stuff – it’s all services. A couple of examples here I’ll point out. Newproc.d shows us if it’s a process with the parent processes, timestamp, whether it’s a 32-bit or 64-bit executable, it has command line arguments and things like that. So, we want to snoop new processes, we want to see what’s being executed, what’s spawning new processes. Process analysis - you got a couple of Dtrace scripts, some fs_usage again, and some more data on applications. Sarah Edwards now makes an emphasis on such fundamentals of scrutinizing Mac malware as process analysis and network analysis, with tools and examples included. Read previous part: Reverse Engineering Mac Malware 4 - File Analysis ![]()
0 Comments
Leave a Reply. |