View 2nd Edition differences:
Show Additions (in red)
Show Updates (in blue :-)
Show Deletions (in grey)
Feedback/Requests Welcome! Click here, or email J@
MOXiI - 2nd Edition - Volume I - Table of Contents
The TOC for Volume II is also out. Requests/Comments welcome.
Note: DO NOT buy this book on Amazon
- Prerequisites
- OS X:
- Xcode and its command line tools
- 10.11: System Integrity Protection (SIP)
- iOS:
- Jailbreaking your device
- Setting up SSH and authorized_keys
- Setting up USB port forwarding
- Completing the iOS Binary command set
- Compiling with the iOS SDK
- The Companion Website (http://NewOSXBook.com/)
- Chapter 1: Darwinism - The Evolution of OS X
- The Pre-Darwin Era: Mac OS Classic
- The Prodigal Son: NeXTSTEP
- Enter: OS X
- OS X Versions, to Date
- 10.0 - Cheetah and the First Foray
- 10.1 - Puma - a Stronger Feline, but...
- 10.2 - Jaguar - Getting Better
- 10.3 - Panther and Safari
- 10.4 - Tiger and Intel Transition
- 10.5 - Leopard and UNIX
- 10.6 - Snow Leopard
- 10.7 - Lion
- 10.8 - Mountain Lion
- 10.9 - Mavericks
- 10.10 - Yosemite
- 10.11 - El Capitan
- iOS - OS X Goes Mobile
- 1.x - Heavenly and the First iPhone
- 2.x - App Store, 3G and Corporate Features
- 3.x - Farewell, 1st gen, Hello iPad
- 4.x - iPhone4, Apple TV, and the iPad 2
- 5.x - To the iPhone 4S and Beyond
- 6.x - The iPhone 5 and the first mini
- 7.x - Sochi - The 5S, and the move to 64-bit
- 8.x - Okemo - The 6 and 6+
- 9.x - Monarch - The 6S/6S+, iPad Pro
- watchOS
- tvOS
- iOS vs. OS X
- The Future of OS X (Obviously in need of an update..)
- References
- Summary
- New chapter: Hardware
- Mac devices Listing Hardware profiles and KEXts in..
- i-devices
- Model Numbers and Code Names
- Processor Types
- Hardware Specifications
- CPU and RAM specifications
- Retrieving other specifications
- OS X: Using the SPSupport private framework
- OS X: Using the System Management BIOS
- iOS: Using MobileGestalt
- iOS: Using SysCfg
- Experiment: Figuring out your device specs
- Other devices: Time Machine, Airport, AppleTV, the iPod Nano* and the Apple Watch
- Chapter 2: E Pluribus Unum: Architecture of OS X and iOS
- OS X Architectural Overview
- The User Experience Layer
- Aqua
- Quicklook
- Spotlight
- Darwin - The UNIX Core
- The Shell
- The File System
- Filesystem Directories:
- UNIX System Directories
- OS X Specific Directories
- iOS File System Idiosyncrasies
- Interlude: Bundles
- Applications
- Info.plist
- Resources
- NIB Files
- Internationalization with .lproj Files
- Icons (.icns)
- CodeResources
- The LaunchServices Framework
- Installing an Application
- The LaunchServices Database
- URL Schemes
- Universal Type Identifiers (UTIs)
- Claims
- Frameworks
- Framework Bundle Format
- List of OS X and iOS Public Frameworks
- List of OS X and iOS Private Frameworks (Experiment: Demonstrating but a few of the Private iOS frameworks)
- Libraries (Updated)
- Other Application types
- System Calls
- POSIX
- Mach System Calls
- A High-Level View of XNU
- Mach
- The BSD Layer
- libkern
- I/O Kit
- Summary
- References
- Chapter 3: On the Shoulders of Giants - OS X and iOS Technologies
- BSD heirlooms
- sysctl (new: list of important sysctls)
- kqueues
- Auditing (OS X) (Parsing the audit logs manually + Experiment: Configuring and controlling auditing)
- Mandatory Access Control
- OS X and iOS Specific Technologies
- Directory Services
- User and Group Management (OS X)
- System Configuration
- Logging (Greatly expanded to cover ASL)
- Apple Events and AppleScript
- FSEvents
- Notifications (Experiment: Viewing system notifications)
- Additional APIs of interest
- OS X and iOS Security Mechanisms
- Code signing
- Compartmentalization (Sandboxing)
- Entitlements: Making the Sandbox Tighter Still
- Enforcing the Sandbox
- Summary
- References
- Promenade: A tour of OS X and iOS Files and Frameworks
- Common Directories and Files
- OS X: The system databases
- User database
- Keychains
- iOS: The system Databases
- System Logs
- User Info
- Accounts
- Contacts
- Call, VoiceMail and SMS DBs
- Safari
- Springboard settings
- Location Database
- New Chapter: (split from Chapter 4) Mach-O (updated for 10.8-10.10, and header patching/editing)
- Executables
- Universal Binaries
- Mach-O Binaries
- The Mach-O header
- Load commands processed by kernel
- LC_SEGMENT[_64]
- LC_UNIXTHREAD
- LC_MAIN
- LC_UUID
- LC_THREAD
- LC_CODE_SIGNATURE
- The Dynamic Linker
- The role of the dynamic linker
- Load commands processed by the Linker
- LC_LOAD_DYLIB and friends
- LC_SYMTAB and LC_DYSYMTAB
- LC_LOAD_DYLIB
- LC_RPATH
- LC_DYLD_INFO
- LC_SEGMENT_SPLIT_INFO
- LC_FUNCTION_STARTS
- LC_DATA_IN_CODE
- Launch-Time Loading of Libraries (Updated for ARM64 stubs)
- Shared Library Caches (more info on shared cache format, 32,64)
- Experiment: Extracting files from a shared cache
- Overriding the Shared Cache
- Runtime Loading of Libraries
- dyld Features
- __LINKEDIT segment
- dyld opcodes
- debugging dyld
- Experiments with JTool
- Chapter 4: Parts of the Process: Mach-O Process and Thread Internals
- A Nomenclature Refresher
- Processes and threads
- The Process Lifecycle
- UNIX Signals
- Executables
- Universal Binaries
- Mach-O Binaries
- The Mach-O header
- Dynamic Libraries
- Launch-Time Loading of Libraries
- Runtime Loading of Libraries
- dyld Features
- Process Address Space
- The process entry point
- Address Space Layout Randomization
- 32-Bit (Intel)
- 64-Bit (Intel)
- 32-Bit (iOS)
- 64-Bit (iOS)
- Experiment: Using vmmap(1) to Peek Inside a Process' Address Space
- Process Memory Allocation (User Mode)
- Memory Pressure and Jetsam
- Virtual Memory - The sysadmin Perspective
- Swapping (OS X)
- Threads
- Unraveling threads
- POSIX Thread APIs
- Not-So-POSIX Thread APIs
- GCD Internals
- References
- New Chapter: IPC in OS X and iOS
- Traditional UNIX mechanisms
- UNIX Domain sockets
- IP sockets
- System-V mechanisms
- Mach messages
- high level view of messages and ports
- Bootstrap ports vs. ephemeral
- mach_msg
- Experiment: A simple Mach message client and server
- XPC
- Theory and design
- Implementation
- Integration with GCD
- Changes in 10.10/8
- New chapter: The Runtime Environments
- Objective-C
- Theory and rationale
- Classes, Protocols, etc
- objc_msgSend()
- The Mach-O sections
- Class dumping and reverse engineering
- Experiment: Deconstructing an Objective-C binary using JTool
- Swift
- Theory and rationale
- Interpreter vs. Compiler
- Mangling
- The runtime environment
- Decompiling
- Chapter 5. Non Sequitur: Process Tracing and Debugging
- DTrace
- The D Language
- dtruss
- Another example or two of advanced DTrace with OS X specific probes
- How DTrace Works (Updates on DTrace internals, CTF, etc)
- Other Profiling Mechanisms
- The Decline and Fall of CHUD
- AppleProfileFamily: Another one bites the dust
- Kperf
- Process Information
- sysctl (More on KERN_PROCARGS, etc)
- proc_info (Even more on my favorite syscall)
- (Re)Introducing: Process Explorer
- Process and system snapshots
- system_profiler(8)
- sysdiagnose(1) - and the new iOS9 sysdiagnose (w/Host Special Port)
- systemstats (10.9)
- allmemory
- stackshot
- stack_snapshot (Updates for micro-stackshots and 10.11 stackshots)
- KDebug
- KDebug-Based Utilities
- kdebug codes
- Writing kdebug messages
- Reading kdebug messages
- KDebug and CoreProfile
- 10.11/iOS 9 KDebug enhancements
- Introducing: KDebugView
- 10.9: Telemetry
- 10.10: proc_trace_log
- Application Crashes
- Application Hangs and Sampling
- iOS: Jetsam
- Memory Bugs
- Memory Corruption Bugs
- Memory Leaks
- heap(1)
- leaks(1)
- malloc_history
- Standard UNIX tools
- Using GDB
- Using LLDB
- Summary
- References
- Installation Images
- Software updates
Moved to Volume II
- Chapter 6. Alone in the Dark: The Boot Process / Boot, Panic, and Shutdown
- EFI, Demystified
- OS X and boot.efi
- Flow of Boot.efi
- Booting the kernel
- kernel callbacks into EFI
- boot.efi in Lion / Mavericks - Core-Storage induced changes
- Count your blessings
- Experiment: Running EFI Programs on a Mac
- iOS and iBoot
- Precursor: the Boot ROM
- Normal boot
- Recovery Mode
- DFU Mode
- iOS software images (.ipsw) and OTA images (dydiff, etc)
- iBoot - Structure and flow
- APTickets, SHSHs, etc
- Hibernation (moved to Vol II)
- Chapter 7. The Alpha and Omega - Launchd and the GUI Shells
- Launchd
- Starting Launchd
- System-Wide vs. per User (pre 10.10/8)
- Daemons and Agents
- The Many Faces of Launchd
- 10.10/8 - Launchd, reborn - updates on new features in launchd
- Experiment: Using launchctl (10.10/8)
- Launch Services
- GUI Environments
- Finder (OS X)
- SpringBoard (iOS) (Updated to include SB APIs)
- SwitchBoard (and the alleged iOS "prototypes")
- Handling GUI events
- Tracing the flow of an event - from hardware to UI Message
- Intercepting and injecting GUI events
- Experiment: fun with MultiTouch on OS X and iOS
- New Chapter: OS X and iOS Security
- OS X and iOS Security Mechanisms
- The Security framework, in depth
- MACF
- KAuth
- Keychains, Keybags, and more
- Filesystem Encryption
- OS X (FileVault 2)
- iOS
- Rootless (OS X 10.11, iOS 9)
- Patch guard (iOS 9)
- Code signing (greatly expanded to describe LC_CODE_SIGNATURE, 10.10 mods (csr..))
- Compartmentalization (Sandboxing)
- Entitlements: Making the Sandbox Tighter Still
- The SecTask APIs
- csops
- List of known entitlements
- Device provisioning and Management (MDM)
- Developer Certificates
- Enforcing the Sandbox
- The evolution of sandboxd - from seatbelt (10.5) to 10.10
- AMFI (New content, up to AMFI 130150 (10.11))
- System Integrity Protection ("rootless") (10.11)
- OS X: Vulnerabilities, past and present
- dyld issues in 10.10.x
- rootpipe
- tpwn
- iOS: Jailbreaking, a history (Explanation of iOS Exploits)
- JailBreakMe 1-3
- The LimeRa1n exploit
- colorful sn0w
- evasi0n
- evasi0n7
- Pangu
- Pangu 8
- Taig (8.1.2)
- Taig 2
- Pangu 9!
- Privacy and TCCd
... at this rate, this might end up being a mini book of its own.. :-)