Analysis: Inspecting Mach Messages in macOS Kernel-Mode Part II: Sniffing the received Mach messages

By Kai Lu | October 26, 2018

In this blog post, we review how to inspect received Mach messages by setting up a kernel inline hook on the function mach_msg_receive_results().


In Part I of this blog, we discussed how to inspect the sending of Mach messages from a kernel-mode perspective. In Part II, I will continue by describing how to inspect received Mach messages by setting up a kernel inline hook. Let's get started!


Receiving Mach messages


As mentioned in Part I, in the section "Messaging Implementation", the functions mach_msg() and mach_msg_overwrite() can both be used to receive Mach messages as well as to send them. Let's take a look at their execution flow on the receive side:


Figure 1. Receiving the Mach message


You can read the source code of the function mach_msg_overwrite_trap(), which is implemented in xnu-4570.71.2/osfmk/ipc/mach_msg.c. On the receive path, mach_msg_overwrite_trap() invokes mach_msg_receive_results() to complete the receipt of a Mach message, which is why that function is the hooking point used here. The following code snippet shows how mach_msg_overwrite_trap() handles received messages:
