Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Demystifying (& Bypassing) macOS's Background ...

"Demystifying (& Bypassing) macOS's Background Task Management"

To retain a foothold on an infected system, most Mac malware will persist; installing itself in a manner that ensures it will be automatically (re)launched each time the infected system is rebooted.

In macOS Ventura, Apple's rearchitected core persistence mechanisms and added a new security mechanism that alerts the user any time an item is persisted. As the former is both undocumented and implemented in a proprietary manner this poses a problem for existing security and forensics tools (that aim to heuristically detect malware via unauthorized persistence events). On the other hand, the latter is problematic to malware authors, who obviously want their malicious creations to persist without an alert being shown to the user.

In this talk, we'll indiscriminately provide solutions for all! First, we'll dive into the internals of macOS's Background Task Management (BTM) which, as we'll see, contains a central (albeit proprietary) repository of persistent items. Armed with this information, we'll release open-source code capable of programmatically enumerating all persistent items from BTM, ensuring security and forensics tools regain compatibility. We'll also highlight design weaknesses that malicious code could trivially employ to sidestep the new security features of BTM, such that persistence may still be silently achieved.

Patrick Wardle

August 11, 2023
Tweet

More Decks by Patrick Wardle

Other Decks in Technology

Transcript

  1. WHOAMI Patrick Wardle macOS security tools "The Art of Mac

    Malware" books "Objective by the Sea" conference Objective-See Foundation, 501(c)(3)
  2. WHAT YOU WILL LEARN Leveraging BTM 
 to detect malware

    Internals 
 of macOS's BTM Bypassing BTM 
 (alerts & ES messaging) Although the talk is largely focused on macOS’s Background Task Management (BTM) - we'll also cover topics of reversing, malware detection, macOS internals, and more! Detecting 
 these bypasses
  3. SO WHAT IS BACKGROUND TASK MANAGEMENT (BTM)? governance of persistent

    items ("background tasks") just installed item } triggers: System Alert shown to user # ./btm_monitor 
 New Event: 'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' 
 
 Item: /Library/PrivilegedHelperTools/us.zoom.ZoomDaemon Endpoint Security event System "registration"
  4. WHO CARES? well, we do! …as defenders …as hackers Tools

    Bypasses # ./btm_monitor 
 'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' 
 ~/Library/LaunchAgents/com.apple.softwareupdate.plist OSX.DazzleSpy
  5. WHERE TO BEGIN? ...to the logs (after enabling 'private' data)

    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ...> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDisplayName</key> <string>ManagedClient logging</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.apple.logging.ManagedClient.1</string> <key>PayloadType</key> <string>com.apple.system.logging</string> <key>PayloadUUID</key> <string>ED5DE307-A5FC-434F-AD88-187677F02222</string> <key>PayloadVersion</key> <integer>1</integer> <key>System</key> <dict> <key>Enable-Private-Data</key> <true/> </dict> </dict> </array> … "Unified Logs: 
 How to Enable Private Data" 
 (www.cmdsec.com) Private Data Logging (installed profile)
  6. LOGGING ...while installing a launch daemon % log stream --debug

    --info --predicate "subsystem = 'com.apple.backgroundtaskmanagement'" 
 
 smd: [com.apple.xpc.smd:all] Got a fsevent. Doing re-register 
 smd: [com.apple.xpc.smd:all] Bootstrapping legacy plists 
 
 backgroundtaskmanagementd: -[BTMService launchdWillScanPath:reply:]: /Library/LaunchDaemons 
 
 smd: (BackgroundTaskManagement) BTMManager.registerLaunchItemWithBundleURL 
 
 backgroundtaskmanagementd: registerLaunchItem: pid=0, uid=0, type=legacy daemon, parentURL=(null), 
 url=/Library/LaunchDaemons/us.zoom.ZoomDaemon.plist, config= BTMConfigArguments = "/Library/PrivilegedHelperTools/us.zoom.ZoomDaemon" smd 
 & backgroundtaskmanagementd method: "launchd will scan path" method: 
 "register launch item" /Library/LaunchDaemons Scan Register
  7. "SMD": SYSTEM MANAGEMENT DAEMON file system event notification, for new

    item sub_100005a28 
 ... 
 
 adr x3, #0x1027d7243 ; argument "format" 
 ("Got a fsevent. Doing re-register") 
 nop 
 mov x4, sp ; argument "buf" 
 mov x1, x19 ; argument "log" 
 mov w2, #0x0 ; argument "type" 
 mov w5, #0x2 ; argument "size" 
 bl os_log() 01 02 03 04 
 05 06 07 08 
 09 
 10 
 11 Process 300 stopped 
 smd`___lldb_unnamed_symbol: 
 -> 0x100005a28 <+0>: pacibsp 
 
 (lldb) po $x1 <OS_xpc_dictionary: dictionary[0x13290d290]: { refcnt = 1, xrefcnt = 1, subtype = 1, count = 1, transport = 0, 
 dest port = 0x0, dest msg id = 0x0, transaction = 1, voucher = 0x13290bff0 } <dictionary: 0x13290d290> 
 { count = 1, transaction: 1, voucher = 0x13290bff0, 
 contents = "XPCEventName" => <string: 0x131f06eb0> { length = 28, contents = "com.apple.xpc.smd.WatchPaths" } }> log message: "Got a fsevent" "XPCEventName: com.apple.xpc.smd.WatchPaths" debugging SMD
  8. "SMD": SYSTEM MANAGEMENT DAEMON file system event notification, for new

    item <?xml version="1.0" encoding="UTF-8"?> 
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ... > 
 <plist version="1.0"> 
 <dict> 
 ... 
 <key>Program</key> 
 <string>/usr/libexec/smd</string> 
 
 <key>LaunchEvents</key> 
 <dict> 
 <key>com.apple.fsevents.matching</key> 
 <dict> 
 <key>com.apple.xpc.smd.WatchPaths</key> 
 <dict> 
 <key>Path</key> 
 <string>/Library/LaunchDaemons/</string> 
 </dict> 
 ... 01 02 03 04 
 05 06 07 08 
 09 
 10 
 11 12 
 13 
 14 
 15 
 16 
 17 
 18 
 file system watch events: 
 /Library/LaunchDaemons/ /Library/LaunchDaemons SMD
  9. "SMD": SYSTEM MANAGEMENT DAEMON ...and its "remote" XPC interactions *

    @class BTMManager */ 
 -(int)launchdWillScanPath:(int)arg2 { 
 x1 = arg1; 
 x2 = [arg2 retain]; 
 x0 = [arg0 connection]; 
 
 x21 = [x0 synchronousRemoteObjectProxyWithErrorHandler:...]; 
 [x21 launchdWillScanPath:x2 reply:...]; 01 02 03 04 
 05 06 07 08 Process 300 stopped 
 BackgroundTaskManagement`-[BTMManager launchdWillScanPath:]: 
 
 (lldb) po $x0 <__NSXPCInterfaceProxy_V2ServiceInterface: 0x131e0b690> 
 
 (lldb) x/s $x1 
 0x1d4037471: "launchdWillScanPath:reply:" 
 
 (lldb) po $x2 
 /Library/LaunchDaemons <NSXPCConnection> connection to service named 
 com.apple.backgroundtaskmanagement "scan path": 
 /Library/LaunchDaemons launchdWillScanPath: 
 (BTM framework, linked into SMD) SMD BTM daemon debugging SMD XPC msg
  10. XPC MESSAGES ...between SMD and BTM daemon # ps aux

    | grep backgroundtaskmanagementd 
 root 4643 /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Resources/backgroundtaskmanagementd -daemon 
 # lsmp -p 4643 Process (4643) : backgroundtaskmanagementd name ipc-object rights identifier type --------- ---------- ---------- ----------- ------------ 
 0x0000310b 0x66b39d3f send 0x00001807 (300) smd 
 
 0x00003b0b 0x677147df recv 0x0000000000000000 + send 0x000010af (300) smd XPC messages 
 ...to and from SMD Process 4643 stopped 
 -[BTMService launchdWillScanPath:reply:] 
 -> 0x102da9634 <+0>: pacibsp 
 
 (lldb) bt * frame #0: 0x0000000102da9634 [BTMService launchdWillScanPath:reply:] 
 frame #1: 0x000000018547eca0 Foundation`__NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S2__ + 16 
 frame #2: 0x0000000185a9e594 Foundation`-[NSXPCConnection _decodeAndInvokeMessageWithEvent:reply:flags:] + 1592 
 frame #3: 0x0000000185a9fd88 Foundation`message_handler_message + 88 
 frame #4: 0x0000000185a9f7f4 Foundation`message_handler + 152 
 frame #5: 0x0000000184163e74 libxpc.dylib`_xpc_connection_call_event_handler + 152 call stack (BTM daemon) call stack w/ XPC functions XPC messages (via lsmp)
  11. <key>Label</key> 
 <string>com.apple.backgroundtaskmanagementd</string> 
 
 <key>MachServices</key> 
 <dict> 
 <key>com.apple.backgroundtaskmanagement</key>

    
 <true/> 
 <key>com.apple.backgroundtaskmanagement.sfl</key> 
 <true/> 
 <key>com.apple.backgroundtaskmanagement.responses</key> 
 <true/> 
 </dict> 
 
 <key>RunAtLoad</key> 
 <false/> 
 
 <key>Program</key> 
 <string>/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Resources/backgroundtaskmanagementd 
 </string> 
 
 <key>ProgramArguments</key> 
 <array> 
 <string>/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Resources/backgroundtaskmanagementd 
 </string> 
 <string>-daemon</string> 
 </array> 01 02 03 04 
 05 06 07 08 09 10 11 12 13 14 15 16 
 17 
 18 
 19 
 20 
 21 
 22 
 23 
 24 
 25 
 26 } Mach interfaces 
 (for entitled clients) com.apple.backgroundtaskmanagementd.plist "BACKGROUNDTASKMANAGEMENTD": BTM DAEMON BTM daemon binary
  12. % ps aux | grep backgroundtaskmanagementd root /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Resources/backgroundtaskmanagementd -daemon backgroundtaskmanagementd

    (/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework) Entitlements: { 
 "com.apple.private.backgroundtaskmanagement.notifications" = 1; 
 "com.apple.private.security.storage.backgroundtaskmanagement" = 1; 
 
 "com.apple.private.endpoint-security.submit.btm" = 1; 
 
 "com.apple.private.tcc.allow" = ( 
 kTCCServiceSystemPolicyAllFiles 
 ); 
 ... 
 } 01 02 03 04 
 05 06 07 08 09 10 11 BTM specific Endpoint Security binary & entitlements (always) running as root "BACKGROUNDTASKMANAGEMENTD": BTM DAEMON
  13. launch item registration Process 4643 stopped -[BTMService registerLaunchItemWithAuditToken:parentURL:type:relativeURL:configuration:uid:reply:] 
 ->

    0000000102da9898 <+0>: pacibsp 
 
 (lldb) po $x0 <BTMService: 0x129904630> 
 
 (lldb) po $x5 file:///Library/LaunchDaemons/us.zoom.ZoomDaemon.plist -[BTMService registerLaunchItemWithAuditToken:parentURL:type:relativeURL:configuration:uid:reply:] 
 adr x3, #0x102dcf8cc ; argument "format" 
 "registerLaunchItem: pid=%d, uid=%d, ... url=%@, config=%@" 
 nop 
 add x4, sp, #0x20 ; argument "buf" 
 mov x1, x27 ; argument "log" 
 mov w2, #0x0 ; argument "type" 
 mov w5, #0x36 ; argument "size" 
 bl os_log() 01 02 03 04 
 05 06 07 08 
 09 registerLaunchItemWithAuditToken: 
 (BTM daemon) plist (of launch item) to register "BACKGROUNDTASKMANAGEMENTD": BTM DAEMON
  14. MORE LOGGING BTM daemon & agent: posting "advisory" notification %

    log stream --debug --info --predicate "subsystem = 'com.apple.backgroundtaskmanagement'" backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] should post new container advisory=true for uid=501, id=905C1526-CC7A-4343-9C97-55DED87CC397, item=Zoom Video Communications, Inc. BackgroundTaskManagementAgent: [com.apple.backgroundtaskmanagement:main] Posting new container advisory notification request: identifier=905C1526-CC7A-4343-9C97-55DED87CC397, body='Software from “Zoom Video Communications, Inc…' "should post advisory = true" "posting new advisory notification" BTM daemon BTM Agent SMD BTM "advisory notification"
  15. <key>Label</key> 
 <string>com.apple.backgroundtaskmanagement.agent</string> 
 
 <key>MachServices</key> 
 <dict> 
 <key>com.apple.backgroundtaskmanagementagent</key>

    
 <true/> 
 <key>com.apple.backgroundtaskmanagement.notifications</key> 
 <true/> 
 <key>com.apple.usernotifications.delegate.com.apple.BTMNotificationAgent</key> 
 <true/> 
 </dict> 
 
 <key>RunAtLoad</key> 
 <false/> 
 
 <key>Program</key> 
 <string>/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/ BackgroundTaskManagementAgent.app/Contents/MacOS/BackgroundTaskManagementAgent</string> 
 01 02 03 04 
 05 06 07 08 09 10 11 12 13 14 15 16 
 17 
 18 
 19 }Mach interfaces 
 (for by entitled clients) com.apple.backgroundtaskmanagement.agent.plist "BACKGROUNDTASKMANAGEMENTAGENT": BTM AGENT BTM agent binary BTM agent's property list
  16. "BACKGROUNDTASKMANAGEMENTAGENT": BTM AGENT % ps aux | grep -i backgroundtaskmanagementagent

    patrick /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app/ Contents/MacOS/BackgroundTaskManagementAgent BackgroundTaskManagementAgent (/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app/) Entitlements: { 
 "com.apple.private.backgroundtaskmanagement.manage" = 1; 
 "com.apple.private.backgroundtaskmanagement.responses" = 1; 
 "com.apple.private.coreservices.canaccessanysharedfilelist" = "read-write"; 
 
 "com.apple.private.tcc.allow" = ( 
 kTCCServiceSystemPolicyAllFiles 
 ); 
 
 "com.apple.private.usernotifications.bundle-identifiers" = ( 
 "com.apple.BTMNotificationAgent" 
 ); 
 } 01 02 03 04 
 05 06 07 08 09 10 11 12 13 BTM specific Notifications binary & entitlements runs as user
  17. "SHOULD POST NEW CONTAINER ADVISORY"? interactions between SMD & BTM

    daemon bl [DaemonNotificationManager shouldNotifyUpdatingItem:...] 
 mov x20, x0 
 
 cbz w20, noNeedToPostNotification 
 
 rax = [rdi synchronousProxyForUID:...] 
 [rax postAdvisoryForContainer:rax reply:&var_B0] 
 
 rax = [NSDictionary dictionaryWithObjects:&var_68 forKeys:&var_70 count:0x1] 
 AnalyticsSendEvent(@"com.apple.BackgroundTaskManager.Notification", [rax retain]) 
 
 noNeedToPostNotification: 
 ret 01 02 03 04 
 05 06 07 08 
 09 
 10 
 11 
 12 
 13 invoked by: -[DaemonNotificationManager 
 postAdvisoryNotificationForContainer:uid:] "shouldNotifyUpdatingItem:" method check: "AlwaysPostNotifications" preference If item is managed (MDM) Was allowed / was already notified } if this return true: 
 then, show notification 
 (via XPC message to BTM agent)
  18. "POST ADVISORY FOR CONTAINER" interactions BTM daemon & agent /*

    @class NotificationManager */ 
 -(void)postAdvisoryForContainer:(BTMItem*)item reply:(void *)arg3 { 
 
 content = [NotificationManager copyAdvisoryContentWithBodyKey:@"NOTIFICATION_BODY_BACKGROUND_ITEM_ADVISORY" name:name]; 
 
 notification = [UNNotificationRequest requestWithIdentifier:id content:content trigger:0x0]; 
 
 notificationCenter = [NotificationManager notificationCenter]; 
 [notificationCenter addNotificationRequest:notification withCompletionHandler:...]; 01 02 03 04 
 05 06 07 08 
 09 
 10 in BTM Agent, 
 (invoked by BTM Daemon, via XPC) % ps aux | grep BackgroundTaskManagementAgent patrick 88262 /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework 
 /Support/BackgroundTaskManagementAgent.app/Contents/MacOS/BackgroundTaskManagementAgent 
 (lldb) process attach --pid 88262 Target 0: (BackgroundTaskManagementAgent) stopped. (lldb) po $x0 <UNMutableNotificationContent: 0x12684df10; title: Background Items Added, subtitle: (null), body: Software from "Zoom Video Communications" added items that can run in the background. You can manage this in Login Items Settings., summaryArgument: , summaryArgumentCount: 0, categoryIdentifier: com.apple.BackgroundTaskManagement.advisory, launchImageName: , threadIdentifier: , attachments: ( ), badge: (null), sound: (null), realert: 0, interruptionLevel: 1, relevanceScore: 0.00, filterCriteria: (null) notification (+content)
  19. saving registered item to "BackgroundItems-v8.btm" % log stream --debug --info

    --predicate "subsystem = 'com.apple.backgroundtaskmanagement'" backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: 
 store saved to /var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm # FileMonitor.app/Contents/MacOS/FileMonitor -pretty { "event" : "ES_EVENT_TYPE_NOTIFY_CLOSE", "file" : { "destination" : "/private/var/db/ 
 com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm", "process" : { "name" : "backgroundtaskmanagementd", "path" : "/System/Library/PrivateFrameworks/ 
 BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd", } 
 ... BTM daemon BackgroundItems-v8.btm "BACKGROUNDTASKMANAGEMENTD": BTM DAEMON
  20. MAC MALWARE ...the vast majority persists! 2022: ~80% persisted (all

    as launch items) 2021: ~90% persisted (all as launch items) BlockBlock 
 ...block block'ing since 2015! alert user when something persists !
  21. EXAMPLE: DAZZLESPY …deployed via Safari 0days % strings - DazzleSpy/softwareupdate

    ... %@/Library/LaunchAgents /com.apple.softwareupdate.plist launchctl unload %@ RunAtLoad Embedded strings # FileMonitor.app/Contents/MacOS/FileMonitor -pretty ... { "event" : "ES_EVENT_TYPE_NOTIFY_CREATE", "file" : { "destination" : "~/Library/LaunchAgents/ 
 com.apple.softwareupdate.plist", "process" : { 
 "pid" : 1469 
 "name": softwareupdate "path" : "/Users/user/Desktop/softwareupdate", } } } Launch agent persistence (~/Library/LaunchAgents/com.apple.softwareupdate.plist) /Library/LaunchAgents
  22. DUMPING THE BTM DATABASE …to enumerate persistently installed software and

    malware! # sfltool Usage: sfltool csinfo|dumpbtm|archive|clear|resetbtm|resetlist|list|list-info [options] # sfltool dumpbtm … 
 UUID: EAE1D8DC-2928-47C1-BC53-6274590FE3D1 Name: us.zoom.ZoomDaemon Developer Name: Zoom Video Communications, Inc. Team Identifier: BJ4HAAB9B3 Type: legacy daemon (0x10010) Disposition: [enabled, allowed, visible, notified] (11) Identifier: us.zoom.ZoomDaemon URL: file:///Library/LaunchDaemons/us.zoom.ZoomDaemon.plist Executable Path: /Library/PrivilegedHelperTools/us.zoom.ZoomDaemon Generation: 1 Parent Identifier: Zoom Video Communications, Inc. sfltool (option: dumpbtm)
  23. REVERSING SFLTOOL …how does it enumerate background tasks? /* @class

    DumpBTMCommand */ 
 -(int)run { 
 ... 
 rax = [BTMManager shared]; 
 r12 = [rax dumpDatabaseWithAuthorization:r14 error:&var_28]; 
 if(r12 != 0x0) { 
 r12 = [objc_retainAutorelease(r12) UTF8String]; 
 puts(r12); 
 } 
 else { 
 NSLog(@"Error fetching the database dump: %@", r15); 
 } 01 02 03 04 
 05 06 07 08 09 10 11 12 % log stream … 
 backgroundtaskmanagementd: -[BTMService listener:shouldAcceptNewConnection:]: connection=<NSXPCConnection: 0x152307aa0> connection from pid 52886 on mach service named com.apple.backgroundtaskmanagement 
 
 backgroundtaskmanagementd: dumpDatabaseWithAuthorization: "noErr: Call succeeded with no error" sfltool BTM daemon sfltool decompilation 
 [DumpBTMCommand run]; mach connection (from sfltool) to: “com.apple.backgroundtaskmanagement"
  24. PROGRAMMATICALLY DUMPING THE BTM DATABASE @interface BTMManager : NSObject 


    
 +(id)shared; 
 -(id)dumpDatabaseWithAuthorization:(SFAuthorization*)arg1 error:(id*)arg2; 
 
 @end 
 
 void *handle = dlopen("/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/ A/BackgroundTaskManagement", RTLD_LAZY); 
 
 Class BTMManager = NSClassFromString(@"BTMManager"); 
 id sharedInstance = [BTMManager shared]; 
 
 SFAuthorization *authorization = [SFAuthorization authorization]; 
 [authorization obtainWithRight:"system.privilege.admin", ...]; 
 
 id dbContents = [sharedInstance dumpDatabaseWithAuthorization:authorization error:NULL]; 01 02 03 04 
 05 06 07 08 09 10 11 12 13 14 15 16 17 % log stream … 
 backgroundtaskmanagementd: -[BTMService listener:shouldAcceptNewConnection:]: process with pid=20987 lacks entitlement ‘com.apple.private.coreservices.canmanagebackgroundtasks' GTFO ...you're not entitled mimicking: sfltool dumpbtm fail :\ invoke: 
 dumpDatabaseWithAuthorization:...
  25. DUMPING THE BTM DATABASE …entitlement check(s) in BTM daemon /*

    @class BTMService */ 
 -(BOOL) listener: (NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { 
 … 
 
 rax = [r15 valueForEntitlement:@"com.apple.private.backgroundtaskmanagement.manage"]; 
 if(rax == 0x0) { 
 rax = [r15 valueForEntitlement:@"com.apple.private.coreservices.canmanagebackgroundtasks"]; 
 } 
 
 if(objc_opt_isKindOfClass(rax, objc_opt_class(@class(NSNumber))) == 0x0 || [rax boolValue] == 0x0) { //leave, don't accept connection } 01 02 03 04 
 05 06 07 08 09 10 11 12 
 13 Entitlement checking
  26. WHAT ABOUT THE (RAW) BTM DATABASE …a binary plist, containing

    serialized objects % file /var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm 
 Apple binary property list 
 
 % plutil -p /var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm 
 { "$archiver" => "NSKeyedArchiver" "$objects" => [ 0 => "$null" 1 => { "$class" => <CFKeyedArchiverUID 0x600003e57640 [0x1e69087f8]>{value = 142} "itemsByUserIdentifier" => <CFKeyedArchiverUID 0x600003e57660 [0x1e69087f8]>{value = 2} "mdmPaloadsByIdentifier" => <CFKeyedArchiverUID 0x600003e57680 [0x1e69087f8]>{value = 140} "userSettingsByUserIdentifier" => <CFKeyedArchiverUID 0x600003e576a0 [0x1e69087f8]>{value = 134} ... Serialization, saves objects to a persistent archive (e.g. BTM database) BTM database (contains NSKeyedArchiver)
  27. SFLTOOL'S ITEM DE-SERIALIZATION …implemented in an initWithCoder: method /* @class

    ItemRecord */ 
 -(void *)initWithCoder:(NSCoder *)decoder { 
 
 rax = objc_opt_class(@class(NSUUID)); 
 rax = [r14 decodeObjectOfClass:rax forKey:@"uuid"]; 
 
 rax = objc_opt_class(@class(NSString)); 
 rax = [r14 decodeObjectOfClass:rax forKey:@"executablePath"]; 
 
 rax = objc_opt_class(@class(NSString)); 
 rax = [r14 decodeObjectOfClass:rax forKey:@"teamIdentifier"]; 
 
 … 01 02 03 04 
 05 06 07 08 09 10 11 12 
 13 BTM Daemon 
 [ItemRecord initWithCoder]; 'ItemRecord' properties method automatically invoked 
 to de-serialize stored objects de-serialization
  28. ITEM DE-SERIALIZATION …reimplemented in our own code @interface ItemRecord :

    NSObject <NSSecureCoding> 
 @property NSInteger type; 
 @property(nonatomic, retain)NSURL* url; 
 @property(nonatomic, retain)NSUUID* uuid; 
 … 
 @property(nonatomic, retain)NSString* executablePath; 
 @property(nonatomic, retain)NSString* teamIdentifier; 
 @property(nonatomic, retain)NSString* bundleIdentifier; 
 
 @end 
 
 -(id)initWithCoder:(NSCoder *)decoder 
 { 
 ... 
 self.url = [decoder decodeObjectOfClass:[NSURL class] forKey:@"url"]; 
 self.uuid = [decoder decodeObjectOfClass:[NSUUID class] forKey:@"uuid"]; 
 self.executablePath = [decoder decodeObjectOfClass:[NSString class] forKey:@"executablePath"]; 
 self.teamIdentifier = [decoder decodeObjectOfClass:[NSString class] forKey:@"teamIdentifier"]; 
 self.bundleIdentifier = [decoder decodeObjectOfClass:[NSString class] forKey:@“bundleIdentifier"]; 
 ... 01 02 03 04 
 05 06 07 08 09 10 11 12 
 13 
 14 
 15 
 16 
 17 
 18 
 19 
 20 ItemRecord deserialization 
 (custom initWithCoder: method)
  29. …reimplemented in our own code //load 
 // path set

    to BTM database 
 NSData* data = [NSData dataWithContentsOfURL:path options:0 error:NULL]; 
 
 //init keyed unarchiver with database data 
 NSKeyedUnarchiver* keyedUnarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:data error:NULL]; 
 
 //de-serialize 
 // will trigger call to "initWithCoder:" and de-serialize all objects 
 Storage* storage = [keyedUnarchiver decodeObjectOfClass:[Storage class] forKey:@"store"]; 
 
 //print out all items 
 for(NSString* key in storage.items) { 
 
 NSArray* items = storage.items[key]; 
 
 for(ItemRecord* item in items){ 
 printf(" #%d\n", ++itemNumber); 
 printf(" %s\n", [[item dumpVerboseDescription] UTF8String]); } 
 } 01 02 03 04 
 05 06 07 08 09 10 11 12 
 13 
 14 
 15 
 16 
 17 
 18 
 19 
 20 
 21 22 PROGRAMMATICALLY DUMPING THE BTM DATABASE "DUMP BTM" library
  30. …reimplemented in our own code #include "dumpBTM.h" 
 
 int

    main(int argc, const char * argv[]) { 
 
 //set if you want 
 // a custom btm file 
 NSURL* btmPath = nil; 
 
 //dump stdout 
 // (aka sfltool dumpbtm) 
 dumpBTM(btmPath); 
 
 //or parse into a dictionary... 
 NSDictionary* contents = parseBTM(path); 
 ... 01 02 03 04 
 05 06 07 08 09 10 11 12 
 13 
 14 
 15 
 16 github.com/objective-see/DumpBTM link in the 'Dump BTM' library PROGRAMMATICALLY DUMPING THE BTM DATABASE
  31. DUMPBTM OUTPUT ...and no root access required % ./dumpBTM Opened

    /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm ======================== Records for UID 0 : FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 ======================== ... UUID: EAE1D8DC-2928-47C1-BC53-6274590FE3D1 Name: us.zoom.ZoomDaemon Developer Name: Zoom Video Communications, Inc. Team Identifier: BJ4HAAB9B3 Type: legacy daemon (0x10010) Disposition: [enabled allowed visible notified] (11) Indentifier: us.zoom.ZoomDaemon URL: file:///Library/LaunchDaemons/us.zoom.ZoomDaemon.plist Executable Path: /Library/PrivilegedHelperTools/us.zoom.ZoomDaemon Generation: 2 Assoc. Bundle IDs: [us.zoom.xos] Parent Identifier: Zoom Video Communications, Inc. "Dump BTM" output
  32. BTM DAEMON'S REFERENCES TO "ENDPOINT SECURITY" % strings - backgroundtaskmanagementd

    | grep ES 
 
 submitItemAddToES: No URL provided, cannot submit event to EndpointSecurity submitItemAddToES: Invalid BTMItemType, cannot submit event to EndpointSecurity submitItemAddToES: 
 ... 
 
 bl ess_notify_btm_launch_item_add 01 02 03 04 libEndpointSecuritySystem.dylib very undocumented :/ implemented in:
  33. ENDPOINT SECURITY ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD event /* The valid event types recognized

    by EndpointSecurity */ 
 typedef enum { 
 ... 
 
 // The following events are available beginning in macOS 13.0 
 ... 
 ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD, 
 ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE 01 02 03 04 
 05 06 07 08 } /Library/LaunchDaemons ES "client" deliver notification
  34. REGISTERING FOR ES EVENTS ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD event //client/event of interest 


    es_client_t* esClient = NULL; 
 es_event_type_t events[] = {ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD}; 
 
 //new client 
 //callback will process 'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' events 
 es_new_client(&esClient, ^(es_client_t *client, const es_message_t *message) 
 { 
 //TODO: handle event 
 } 
 
 //subscribe 
 es_subscribe(endpointProcessClient, events, sizeof(events)/sizeof(events[0]))); 01 02 03 04 05 06 07 08 09 10 11 12 13 14 ES BTM Monitor 
 (ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD) callback for 
 BTM events Specify events of interest Create callback for events Subscribe for events
  35. HANDLING ES NOTIFICATIONS ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD event typedef struct { 
 es_process_t

    * instigator; 
 es_process_t * app; 
 es_btm_launch_item_t * item; 
 es_string_token_t executable_path; 
 } es_event_btm_launch_item_add_t; 01 02 03 04 05 06 //new client 
 // callback will process 'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' events 
 es_new_client(&esClient, ^(es_client_t *client, const es_message_t *message) { 
 
 NSLog(@"Item URL: %@", toString(&message->event.btm_launch_item_add->item->item_url); 
 NSLog(@"Item Executable: %@", toString(event.btm_launch_item_add->executable_path); 
 
 es_process_t* app = message->event.btm_launch_item_add->app; 
 if(NULL != app) NSLog(@"App: %@", toString(&app->executable->path)); 
 
 es_process_t* instigator = message->event.btm_launch_item_add->instigator; 
 if(NULL != instigator) NSLog(@"Instigator: %@", toString(&instigator->executable->path)); 
 ... 
 01 02 03 04 05 06 
 07 
 08 
 09 
 10 
 11 
 12 
 13 NSString* toString(es_string_token_t* token) { 
 
 return [[NSString alloc] 
 initWithBytes:token->data 
 length:token->length 
 encoding:NSUTF8StringEncoding]; 
 } 01 02 03 04 05 06 
 07 es_event_btm_launch_item_add_t our helper function Handler for ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD
  36. HOORAY, PERSISTENT MALWARE DETECTION ...via ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD # ./btm_monitor 
 New

    Event: 'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' 
 
 Type: ES_BTM_ITEM_TYPE_AGENT 
 Instigator: /usr/libexec/smd 
 
 Agent exe: /Users/User/.local/softwareupdate 
 Agent url: /Users/User/Library/LaunchAgents/com.apple.softwareupdate.plist Persistence detection 
 (OSX.DazzleSpy) Note: No delivery of BTM removal events (ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE) ...broken!
  37. "BTM LAUNCH ITEM ADD" EVENT (WAS) BROKEN ...in two separate

    ways 🤦 ES_BTM_ITEM_TYPE_AGENT / ES_BTM_ITEM_TYPE_DAEMON: 
 
 When a new item installed, it would deliver a notification for *every* installed item. ES_BTM_ITEM_TYPE_LOGIN_ITEM: 
 
 When a new was item installed, no notification would be delivered. ...fixed in macOS 13.3 (submitted) bug report
  38. HACKERS HATE ALERTS & MESSAGES ...that can give away the

    attack! OMG, i've been hacked!! # ./btm_monitor 
 New Event: 'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' 
 
 Type: ES_BTM_ITEM_TYPE_AGENT 
 Agent exe: /Users/User/.local/softwareupdate 
 Agent url: /Users/User/Library/LaunchAgents/com.apple.softwareupdate.plist Can we (as hackers) prevent: A: The system alert? B: The Endpoint Security event? ...want to persist silently!
  39. PERSIST "OUTSIDE" BTM ...avoid it all together! def format(self, src,

    des, uc): 
 ... 
 if not os.path.isfile(des): 
 os.system('cp ' + src + ' ' + des) 
 
 if des[-3:] == '.py': 
 os.system('sudo crontab -l 2>/dev/null; 
 echo "*/2 * * * * python ' + des + '" | sudo crontab -') 01 02 03 04 05 06 
 07 
 08 Persistence via cron 
 (OSX.Enigma) lots of other ways to persist by: Csaba Fitzl Remember, BTM (currently) only covers launch agents/daemons, and login items.
  40. BYPASS SYSTEM ALERT (METHOD 0X1) reset the BTM database, via

    sfltool # sfltool resetbtm 
 sfltool[1261:13567] Database reset. note: requires root privileges % log stream --debug --info --predicate "process = 'backgroundtaskmanagementd'" backgroundtaskmanagementd: registerLaunchItem: result=no error, new item 
 disposition=[enabled, allowed, visible, not notified], 
 identifier=com.apple.softwareupdate, 
 url=file:///Users/user/Library/LaunchAgents/com.apple.softwareupdate.plist 
 
 
 backgroundtaskmanagementd: should post advisory=false for uid=501, 
 id=6ED3BEBC-8D60-45ED-8BCC-E0163A8AA806, item=softwareupdate reset db persist "should post advisory=false"
  41. pause, then kill the BTM agent BTM daemon BTM agent

    root session user session % pgrep BackgroundTaskManagementAgent 88262 % kill -SIGSTOP 88262 % ps -o state 88262 T 
 
 % kill -SIGKILL 88262 Get pid of BTM agent Send it a 'STOP' signal Once persisted, kill it 
 (to prevent alert re-delivery) 'T' means, stopped then: BYPASS SYSTEM ALERT (METHOD 0X2) when 'zzz' 
 ...no alert will be delivered
  42. BYPASS ES EVENTS prevent ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD # ./btm_monitor 
 New Event:

    'ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD' 
 item exe: /Users/User/.local/softwareupdate 
 item url: /Users/User/Library/LaunchAgents/com.apple.softwareupdate.plist BTM daemon def submitItemAddToES() 
 ... 
 ess_notify_btm_launch_item_add(); 01 02 03 def ess_notify_btm_launch_item_add() 
 ... 
 downcallNotifyOnly(); 01 02 03 want to prevent this ! def downcallNotifyOnly() 
 ... 
 if(!mac_syscall("EndpointSecurity", ...) 
 os_log_impl(..., "Failed to submit event using ES syscall %d: %d %s", &var_50, 0x18); 01 02 03 
 04 found in 
 libEndpointSecuritySystem mac_syscall: to the kernel
  43. (RESPONSIBLE?) PROCESS LOOKUP ...via proc_find & proc_getexecutablevnode def pdbReadAuditToken() 


    ... 
 PackedDataBufferReader::read 
 ... 
 AutoReleasingProc::createFromPidVer(); 
 ... 
 set_common_proc_info(); 
 
 //error? no ES message delivered! 01 02 03 
 04 05 06 07 08 09 % lldb (lldb) gdb-remote 8084 ... (lldb) bt EndpointSecurity`pdbReadAuditToken() ... 
 EndpointSecurity`EndpointSecurityEventManager::sendNotifyOnly() EndpointSecurity`EndpointSecurityEventManager::sendBtmLaunchItemAdd() EndpointSecurity`EndpointSecurityEventManager::es_policy_syscall() kernel`hndl_unix_scall64 def AutoReleasingProc::createFromPidVer(); 
 ... 
 proc* process = proc_find(<pid>); 01 02 03 EndpointSecurity.kext def set_common_proc_info(); 
 ... 
 vnode = proc_getexecutablevnode(process); 
 if(!vnode) 
 //set error to 0x3 (ESRCH / "No Such Process") 01 02 03 04 05 (lldb) p *(proc*)$rdi 
 (proc) $1 = { 
 p_pid = 866 
 p_name = {'OverSight'} # eslogger btm_launch_item_add 
 "event": { "btm_launch_item_add": { 
 "pid": 866 
 "path": "/Applications/OverSight.app 
 /Contents/MacOS/OverSight" 
 ... reported event 
 (in user-mode) call stack
  44. (RESPONSIBLE?) PROCESS LOOKUP ...via proc_find & proc_getexecutablevnode What happens if

    the responsible process ...has (quickly) exited already? def AutoReleasingProc::createFromPidVer(); 
 ... 
 proc* process = proc_find(NULL); 01 02 03 def set_common_proc_info(); 
 ... 
 vnode = proc_getexecutablevnode(process); 
 if(!vnode) 
 //return ERROR 0x3: ('ESRCH' / "No Such Process") 
 rax = 0x3; 
 01 02 03 04 05 
 06 (lldb) p *(proc*)$rdi 
 (proc) $1 = { 
 p_pid = 0 
 p_name = {'kernel_task'} proc_find(NULL/0) 
 ...will return the kernel task the kernel task: no executable vnode! % log stream ... 
 Error 
 backgroundtaskmanagementd: (libEndpointSecuritySystem.dylib) 
 Failed to submit event using ES syscall 20: 3 No such process Error 
 ...and no ES message delivered ! 🫣
  45. HOW TO TRIGGER? ...as easy as installing BlockBlock 😅 #install

    logic 
 if [ "${1}" == "-install" ]; then 
 ... 
 
 cp "com.objective-see.blockblock.plist" /Library/LaunchDaemons/ 
 
 echo "launch daemon installed" 01 02 03 04 05 06 
 07 BlockBlock Installer DEMO
  46. via Endpoint Security (ES) ATTACK DETECTION files processes other 


    events } ES subsystem our ES client event 
 delivery "Writing a Process Monitor" 
 objective-see.org/blog/blog_0x47.html introduction write ES clients
  47. via process monitor (+ arguments) DETECTING BTM DATABASE RESET #

    sfltool resetbtm sfltool[1261:13567] Database reset. { "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", 
 "process" : { "pid" : 44100 
 "name" : "sfltool", 
 "path" : "/usr/bin/sfltool", 
 "arguments" : [ "sfltool", "resetbtm" ], ... Or, block all together via ES_EVENT_TYPE_AUTH_EXEC event...
  48. es_event_type_t events[] = {ES_EVENT_TYPE_NOTIFY_SIGNAL}; 
 
 es_new_client(&endpointClient, ^(es_client_t *client, const

    es_message_t *message) { 
 
 int signal = message->event.signal.sig; 
 es_process_t* sourceProcess = message->process; 
 es_process_t* targetProcess = message->event.signal.target; 
 
 //have signal, source, & target process 
 // TODO: check if SIGSTOP (17), being sent to BTM agent 
 
 } 
 
 es_subscribe(endpointClient, events, sizeof(events)/sizeof(events[0])); 01 02 03 04 05 06 
 07 
 08 09 10 11 
 12 
 13 
 14 # ./monitorSignals 
 New Signal (ES_EVENT_TYPE_NOTIFY_SIGNAL): SIGSTOP (17) 
 
 Source process (687): /bin/zsh 
 Target process (590): /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework 
 /Support/BackgroundTaskManagementAgent.app/Contents/MacOS/BackgroundTaskManagementAgent attack detected ES Monitoring (via: ES_EVENT_TYPE_NOTIFY_SIGNAL) via ES/ES_EVENT_TYPE_NOTIFY_SIGNAL MONITORING SIGNALS
  49. BLOCKING SIGNALS via ES/ES_EVENT_TYPE_AUTH_SIGNAL es_event_type_t events[] = {ES_EVENT_TYPE_AUTH_SIGNAL}; 
 


    es_new_client(&endpointClient, ^(es_client_t *client, const es_message_t *message) { 
 
 int signal = message->event.signal.sig; 
 es_process_t* sourceProcess = message->process; 
 es_process_t* targetProcess = message->event.signal.target; 
 
 if( (signal == SIGSTOP) && 
 (btmAgent == audit_token_to_pid(targetProcess->audit_token))) { 
 es_respond_auth_result(client, message, ES_AUTH_RESULT_DENY, false); 
 } 
 } 
 ... 01 02 03 04 05 06 
 07 
 08 09 10 11 
 12 
 13 
 14 % pgrep BackgroundTaskManagementAgent 
 590 
 
 % kill -SIGSTOP 590 
 % kill: kill 590 failed: operation not permitted block via ES_AUTH_RESULT_DENY ES blocking (via: ES_EVENT_TYPE_AUTH_SIGNAL) attack, now blocked :)
  50. MONITORING FOR PERSISTENCE via other ES events _NOTIFY_CREATE 
 _NOTIFY_WRITE,

    etc. _BTM_LAUNCH_ITEM_ADD bypassed, so not delivered other (file) events, still delivered! BlockBlock: Leverage ES file events Launch item location? Alert user, and block 0SX.DazzleSpy
  51. Takeaways New malware 
 detection tools Understanding 
 macOS's BTM

    A myriad of trivial bypasses If white hats don't point out flaws in Apple's 
 "security improvements" ...who will? (hint: not Apple!)
  52. Interested in Learning More? read, "The Art of Mac Malware"

    book(s) "The Art of Mac Malware" 
 free @ https://taomm.org Coming soon! 
 Vol. II: (programmatic) detection Book Signing: today @ 11:00 am
  53. Objective-See Foundation 501(c)(3) learn more our community efforts ...& support

    us! 🥰 The Objective-See Foundation 
 objective-see.org/about.html #OBTS Conference College Scholarships Diversity Programs 
 ("Objective-We")
  54. RESOURCES: Demystifying macOS's BTM "DumpBTM" 
 https://github.com/objective-see/DumpBTM 
 
 "Manage

    login items and background tasks on Mac" 
 https://support.apple.com/guide/deployment/manage-login-items-background-tasks-mac-depdca572563/web