This collection of programs demonstrates techniques used in malware to accomplish core tasks.

It's like Al-Khaser, except focused on macOS and Linux.

Catalog

• Anti-Autoanalysis
• Anti-Reverse Engineering
• Anti-VM
• Data-Collection
• Persistence

Implementation

These programs are written in a mix of languages. Currently, the library uses (in order of strlen(language_name)):

• C
• x86
• Bash
• Python
• Objective-C

Building and Running

Each program is meant to be run independently. There is no main.{c,py,m,asm}.

Typically, each program (written in C) can be compiled with $ gcc FILE -o OUTPUT_FILE.

Exceptions to this are:

• src/anti-vm/cross-platform/vmware_detect_with_asm.c, which uses cmake for compilation. Instructions can be found in src/anti-vm/cross-platform/README.md.
• src/anti-autoanalysis/macOS/detectUserActivity, which uses clang for compilation. Instructions can be found in src/anti-autoanalysis/macOS/detectUserActivity/README.md

Motivation

You can read about the motivation behind this project in this presentation I gave.

Acknowledgements

Thank you to all the security researchers that made this project possible. Material published by the following researchers was particularly helpful while I was building this library:

• Patrick Wardle, Objective-See
• Peter Ferrie, Senior Principal Researcher, Symantec Advanced Threat Research
• Alexander Omara