Some notes, tools, and techniques for reverse engineering macOS binaries.
MushR00m
MushR00m
/ reverse-engineering-macos.md
Created
August 22, 2025 06:48
— forked from 0xdevalias/reverse-engineering-macos.md
Some notes, tools, and techniques for reverse engineering macOS binaries
MushR00m
/ inject.c
Created
June 29, 2025 16:43
— forked from vocaeq/inject.c
An example of how to inject code to call dlopen and load a dylib into a remote mach task. Tested on 12.5 M1 Pro.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <dlfcn.h> | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| #include <sys/types.h> | |
| #include <mach/mach.h> | |
| #include <mach/error.h> | |
| #include <errno.h> | |
| #include <stdlib.h> | |
| #include <sys/sysctl.h> | |
| #include <sys/mman.h> |
MushR00m
/ inject.c
Created
June 29, 2025 16:40
— forked from knightsc/inject.c
An example of how to inject code to call dlopen and load a dylib into a remote mach task. Tested on 10.13.6 and 10.14.3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <dlfcn.h> | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| #include <sys/types.h> | |
| #include <mach/mach.h> | |
| #include <mach/error.h> | |
| #include <errno.h> | |
| #include <stdlib.h> | |
| #include <sys/sysctl.h> | |
| #include <sys/mman.h> |
MushR00m
/ microsoft.com.txt
Created
March 11, 2025 10:11
— forked from abramas/microsoft.com.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://01-asea.apac.prd.audience.teams.microsoft.com | |
| https://01-auea.apac.prd.audience.teams.microsoft.com | |
| https://01-euno.emea.prd.audience.teams.microsoft.com | |
| https://01-euwe.emea.prd.audience.teams.microsoft.com | |
| https://01-usce.noam.prd.audience.teams.microsoft.com | |
| https://01-usea.noam.prd.audience.teams.microsoft.com | |
| https://01-ussc.noam.prd.audience.teams.microsoft.com | |
| https://01-uswe.noam.prd.audience.teams.microsoft.com | |
| https://02-asea.apac.prd.audience.teams.microsoft.com | |
| https://02-auea.apac.prd.audience.teams.microsoft.com |
MushR00m
/ gcloud-cheat-sheet.md
Created
July 4, 2024 10:46
— forked from pydevops/gcloud-cheat-sheet.md
gcp gcloud cheat sheet
MushR00m
/ CVE-2024-4761.js
Created
May 24, 2024 10:13
— forked from mistymntncop/CVE-2024-4761.js
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Build d8 using: | |
| // a) Run once | |
| // git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71 | |
| // gclient sync | |
| // gn gen ./out/x64.debug | |
| // gn gen ./out/x64.release | |
| // | |
| // b) | |
| // Debug Build: | |
| // ninja -C ./out/x64.debug d8 |
MushR00m
/ GetAPICall.cs
Created
April 5, 2024 14:59
— forked from benpturner/GetAPICall.cs
GetAPICall
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace GetAPICall | |
| { | |
| class Program | |
| { | |
| const uint PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFF; |
MushR00m
/ malleable_c2_profiles_09272021
Created
September 22, 2023 20:39
— forked from MHaggis/malleable_c2_profiles_09272021
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs | |
| https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md | |
| https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py | |
| https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md | |
| https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4 |
MushR00m
/ cobalt-strike-malleable-profiles
Created
September 22, 2023 20:39
— forked from Nikhithx86/cobalt-strike-malleable-profiles
These are profiles gathered by crawling through Github and Gists
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/bingsearch_getonly.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/cnnvideo_getonly.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/gmail.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/googledrive_getonly.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/microsoftupdate_getonly.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/msnbcvideo_getonly.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/1553ac3211849a166af43b14b4d1ae1cbad0be87/c2profiles/onedrive_getonly.profile | |
| https://raw.githubusercontent.com/0sm0s1z/MalleableC2-Spoof/15 |
MushR00m
/ piccache.php
Created
April 28, 2023 08:00
— forked from Victrid/piccache.php
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| define("CACHE_PLACE_PATH", sys_get_temp_dir()); | |
| # Also possible: | |
| # define("CACHE_PLACE_PATH", "C:\\your\\Directory"); | |
| # define("CACHE_PLACE_PATH", "/var/www/html/directory"); | |
| # Remember to set correct privileges allowing PHP access. | |
| function join_paths(...$paths) { | |
| return preg_replace('~[/\\\\]+~', DIRECTORY_SEPARATOR, implode(DIRECTORY_SEPARATOR, $paths)); | |
| }; |
NewerOlder