A collection of open source MacOS tools
Applications
Monitoring
- redcanaryco/mac-monitor - Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise
- objective-see/ProcessMonitor - Process Monitor Library (based on Apple's new Endpoint Security Framework)
- objective-see/FileMonitor - File Monitor Library (based on Apple's new Endpoint Security Framework)
- SuprHackerSteve/Crescendo - Crescendo is a Swift-based, real-time event viewer for macOS. It utilizes Apple's Endpoint Security Framework
- xorrior/appmon - Appmon is a command line tool for capturing events from Apple's Endpoint Security Framework
- objective-see/sniffMK - sniff mouse and keyboard events
- droe/xnumon - monitor macOS for malicious activity
- google/santa - A binary whitelisting/blacklisting system for Mac OS X
- didi/kemon - An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring
- trailofbits/sinter - A user-mode application authorization system for MacOS written in Swift
- objective-see/KnockKnock - Enumerate persistently installed software
Sandbox / TCC
- r3ggi/electroniz3r - Take over macOS Electron apps' TCC permissions
- asaurusrex/modified-tcc-clickjack - modified version of Ron Masas's TCC-Clickjack Swift project
- breakpointHQ/TCC-ClickJacking - A proof of concept for a clickjacking attack on macOS - purely a demo, the buttons can't even be clicked
- cedowens/Spotlight-Enum-Kit - JXA and Swift code that can perform some macOS situational awareness without generating TCC prompts - querying files with mdfind doesn't trigger a TCC prompt; an interesting idea, but not very useful
- cedowens/JXA-RemoveQuarantine - JXA script based on research by Jeff Johnson on leveraging TextEdit to remove quarantine attributes on files
- Mac sandbox escape, April 27 2020 by Jeff Johnson - leveraging the com.apple.security.files.user-selected.executable entitlement
XPC
- ChiChou/XpcScope
- XPoCe - XPC Snooping utilities for MacOS and iOS (version 2.0)
- blankwall/Offensive-Con - Talk and materials for Offensive Con presentation - Privileged Helper Tools
Persistence
- xorrior/macOSTools - assorted gems: evilAuthPlugin/HIDMan/MigrationToolPayload/SpecialDelivery/..
- checkymander/iMessagesBackdoor - A script to help set up an event handler in order to install a persistent backdoor that can be activated by sending a message
- synack/DylibHijack - python utilities related to dylib hijacking on OS X
- KJCracks/yololib - dylib injector for mach-o binaries
- FSecureLABS/CalendarPersist - JXA script to allow programmatic persistence via macOS Calendar.app alerts
MDM tools
- ProfileCreator/ProfileCreator - macOS app to create standard or customized configuration profiles
- iMazing Profile Editor Download
Uncategorized
- https://nomad.menu/
- objective-see/DumpBTM - An open-source version of % sfltool dumpbtm
- steventroughtonsmith/cartool - Export images from OS X / iOS .car CoreUI archives
- acidanthera/Lilu - Arbitrary kext and process patching on macOS
- cocoahuke/maclook4ref - Quickly find references to a specified immediate number, or find the function call at a specified offset, and generate a C++ function call backtrace
- cocoahuke/mackextdump - Dump kext information from macOS. Supports batch analysis
- antons/dyld-shared-cache-big-sur - Modifications to Apple's dyld project to fix Objective-C information when extracting dyld_shared_cache from macOS Big Sur to help Hopper generate readable pseudocode
- cedowens/SwiftBelt - A macOS enumeration tool inspired by harmjoy's Windows-based Seatbelt enumeration tool - includes a TCC permission probing module
- FSecureLABS/Jamf-Attack-Toolkit - Suite of tools to facilitate attacks against the Jamf macOS management platform
- axelexic/CSOps - Utility to manipulate codesigned applications in Mac OS X. Demonstrates the use of the csops system call
- hexploitable/MEMSCAN - A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes
- plamoni/SiriProxy - A (tampering) proxy server for Apple's Siri
- shinh/maloader - mach-o loader for linux
- richardkiss/speakerpipe-osx - A pair of utilities to "cat" to the speaker and from the microphone on Mac OS X
- sidaf/homebrew-pentest - Homebrew Tap - Pen Test Tools
- Suspicious Package - a great tool for analyzing the contents of pkg packages
- ChiChou/FreeTheSandbox - Process Management and Directory Listing w/o jailbreak