mit einem Klick
mac-reversing-station
mac-reversing-station enthält 37 gesammelte Skills von UnsaltedHash42, mit Repository-Berufsabdeckung und Skill-Detailseiten auf SkillsMP.
Skills in diesem Repository
Use when choosing or adding macOS research machines: primary, crash-test, cross-platform Apple Silicon, and Intel baseline. Fires on "add a lab machine", "which machine should run this", "primary lab host", "crash-test", "Intel baseline", and "cross-platform verification".
Use when driving Ghidra headless from Cursor for macOS reverse engineering: opening Mach-O binaries, listing functions, decompiling by address, running custom Ghidra scripts, or doing breadth sweeps across many targets. Fires on "ghidra-mcp", "decompile with Ghidra", "run a Ghidra script", "list functions in this binary", and systemic-class scan setup.
Use when starting a macOS reversing pass from an app bundle, installer, framework, XPC bundle, helper, or bare binary path. Fires on "start target", "inventory this app", "point at this bundle", "begin PASS", and "target intake".
Use when mapping a macOS target's attack surfaces to reusable vulnerability classes, generating hunt hypotheses for a new third-party app, or deciding which playbook or scanner applies. Fires on "vulnerability ontology", "bug-class map", "what bug classes apply", "generate hypotheses", and "classify this macOS surface".
Use when a macOS target appears to be Electron-based and needs ASAR, package, preload, IPC, native module, fuse, sandbox, or update review.
Use when a question touches the lab topology: what runs on the workstation, what runs on the primary lab host, how `ghidra-mcp` and `macre-vm-mcp` are wired, how to start a findings repo, which machine role to use, why Hopper is manual-only, or how to troubleshoot MCP/SSH/script sync failures.
Use for open-source or in-house macOS targets where source is available but the shipped binary remains the evidence source of truth.
Use when auditing user-mode binaries that drive a kernel driver via IOKit user clients: EDR drivers, GPU userspace stacks, USB/HID stacks, vendor kexts, DriverKit dexts, helper binaries that call IOServiceOpen + IOConnectCallMethod. Fires on "iokit user client", "ioconnect call", "external method", "iokit selector hunt", "kernel driver user surface".
Use when auditing apps and helpers for keychain confused-deputy bugs: shared access groups, kSecAttrAccessGroup queries, application-groups entitlements, ACLs that don't pin to the calling app's identity, keychain items written by app A that app B in the same access group can read. Fires on "keychain access group", "kSecAttrAccessGroup", "shared keychain acl", "keychain confused deputy".
Use when auditing daemons or kernel components that expose a Mach Interface Generator (MIG) subsystem: routine numbers dispatched through mach_msg, MIG-generated server stubs, mig_server_routine tables, and MIG-derived kernel traps. Covers user-space MIG (cfprefsd, lockd, bootstrap_server, KernelEventAgent) and kernel MIG (host_priv, task_self_trap subsystems). Fires on "mig subsystem", "mig routine", "mig server stubs", "mach trap audit", "subsystem audit".
Use when auditing macOS binaries for dynamic-loading paths an attacker can influence: weak-linked PrivateFrameworks, dlopen with attacker- controlled paths, NSClassFromString / NSSelectorFromString driven by user input, Sparkle-style updater dylib resolution, runtime symbol resolution that trusts an unsigned dylib. Fires on "private framework hijack", "dylib hijack", "weak link bypass", "nsclassfromstring abuse", "dynamic symbol resolution audit".
Use when auditing TCC-mediating daemons or apps for prompt-attribution bugs: a daemon prompts the user about app A but the request actually came from app B; responsible-process accounting laundered through a launchd intermediary; a privileged daemon proxies a request and asks for consent on behalf of itself rather than its caller. Fires on "tcc prompt attribution", "wrong responsible process", "tcc responsibility laundering", "consent on behalf of", "audit token vs responsible parent".
Use when auditing macOS apps for custom URL scheme registration and inbound URL handling: bundles that claim a scheme via CFBundleURLTypes, dispatchers that trust URL host / query without validation, schemes that overlap with other apps, apps that take privileged actions in application:openURL:. Fires on "url scheme hijack", "openURL handler audit", "cfbundleurlschemes", "deep link bypass".
Use when auditing Mac Catalyst or platform-conditional entitlement logic: strings like `is-catalyst-binary`, `MacCatalyst`, `non macos platform`, platform checks that skip entitlements, or service behavior that differs for Catalyst/iOS-on-mac clients. Fires on "Catalyst bypass", "platform-conditional entitlement", "Mac Catalyst entitlement", and "porting gap".
Use when auditing macOS binaries for security decisions controlled by user-writable defaults: `NSUserDefaults`, `CFPreferences`, `defaults write`, debug/test/internal keys, entitlement bypass strings, or feature flags that can disable validation. Fires on "defaults bypass", "user-defaults security gate", "defaults write bypass", and "scan for defaults-gated checks".
Use when linking claims, artifacts, decisions, and handoff state across a macOS reversing project.
Use when auditing macOS daemons for "entitlement on the wrong door" bugs: multiple XPC MachServices, privileged/internal service names, missing or inconsistent `shouldAcceptNewConnection:` gates, post-connection entitlement checks, or unprivileged UID 501 reachability. Fires on "wrong-door", "entitlement on wrong interface", "audit this daemon for XPC gates", and "run the wrong-door scan".
Use when a confirmed candidate or chain-discovery hypothesis is ready for a proof-of-concept harness. The skill guides primitive selection, lab-state preparation, harness scaffolding, reliability capture, and evidence linking back to Scriptorium without losing the discipline that separates a proof from a writeup. Fires on "PoC authoring", "write a PoC", "harness this primitive", "PoC scaffolding", "stand up a chain harness", and "reliability pass".
Use when corpus state contains two or more candidate primitives that could combine into a higher-impact chain - sandbox escape stitched to TCC bypass, helper authorization gap stitched to file-write primitive, updater trust failure stitched to privileged install, keychain trust slip stitched to scoped-bookmark replay. Fires on "chain discovery", "vuln chain", "primitive chain", "exploitability ladder", "stitch primitives", and "what does this primitive get me".
Use when a macOS bug-hunting session is stuck, drifting, brute-forcing, choosing machines, handling crashes, or coordinating agent work. Fires on "failure taxonomy", "RE parallel rule", "I'm stuck", "which machine should I run this on", "commit cadence", "no /tmp", and "lsof after every action".
Use when auditing Apple OS internals on macOS - Apple-signed app bundles, daemons, agents, frameworks, PrivateFrameworks, system extensions, network extensions, Endpoint Security clients, DriverKit/IOKit-adjacent components, XPC services, and launchd/MachService surfaces. Fires on "OS component", "Apple OS internals", "system daemon", "PrivateFramework", "system extension", "network extension", "Endpoint Security", "DriverKit", and "launchd MachService".
Use when carrying Ghidra-derived symbols, functions, or addresses into LLDB confirmation and writing the dynamic result back to project evidence.
Use when selecting or maintaining investigation recipes that map goals to skills, scripts, MCP tools, outputs, and project-state updates.
Use when turning target intake, dossier facts, and first-pass static sweeps into decision support for a macOS reversing pass.
Use when debugging or dynamically analyzing a macOS binary with lldb. Covers non-interactive scripted runs via the macre-vm-mcp ``lldb_run`` and ``lldb_break_and_inspect`` tools, as well as interactive-style debugging patterns expressed as batch scripts. Fires on questions like "set a breakpoint on -[Foo bar:]", "dump registers at _objc_msgSend", "read 64 bytes at $sp", "patch this instruction live", "attach lldb to pid 1234", "what does x16 look like at this syscall site". Works against non-Apple-signed binaries freely on the configured lab host, with caveats noted for Apple-signed targets.
Use when auditing macOS developer tools such as terminals, editors, package managers, build helpers, virtualization tools, local CI agents, plugins, or language runtimes. Fires on "developer tool", "package manager", "build helper", "terminal app", and "plugin trust".
Use when auditing enterprise, security, EDR-adjacent, MDM, network-filter, telemetry, or device-management macOS agents. Fires on "enterprise agent", "security agent", "EDR", "MDM client", and "endpoint agent".
Use when auditing third-party macOS apps with privileged helpers, updaters, installers, Sparkle services, LaunchDaemons, or root XPC services. Fires on "privileged helper", "updater audit", "Sparkle", "SMJobBless", and "helper tool".
Use when auditing macOS apps with heavy privacy permissions: TCC, Accessibility, Screen Recording, Automation, camera, microphone, Desktop/Documents, Full Disk Access, security-scoped bookmarks, or file authority transfer. Fires on "TCC-heavy", "privacy permissions", "Accessibility audit", "screen recording", and "security-scoped bookmarks".
Use when analyzing a Mach-O binary's file layout — header, load commands, segments, sections, symbol tables, chained fixups, code signature, entitlements — or when reading the dyld shared cache, fat/universal binaries, or any artifact where understanding the Mach-O container itself is the prerequisite for the next step. Fires on questions like "what are the load commands of this binary", "which dylibs does it link", "is this arm64 or universal", "where is the __TEXT segment", "how do chained fixups work in macOS 14+", or "extract the dyld shared cache".
Use when reversing a Swift-heavy macOS binary and the Objective-C runtime view (class-dump, Ghidra's ObjC sidebar) is incomplete or shows mangled names. Fires on questions like "demangle this Swift symbol", "what's in __swift5_types", "how do I find a Swift method's implementation", "why does class-dump fail on this app", "what's a value witness table", "how does Swift's reabstraction / partial application work", or "is this class @objc or pure Swift". Covers Swift 5+ stable ABI; older name mangling (Swift 3/4) is noted as legacy.
Use when writing, reading, or analyzing ARM64 shellcode on macOS. Covers AArch64 calling conventions, macOS syscall numbering (``x16`` = syscall number; ``svc #0x80``), execv payloads, bind-shell construction, eliminating PC-relative addressing, stub elimination, locating libc functions via the dyld shared cache, and the dtrace / lldb confirmation loop. Framed as RE-enablement (understanding injected payloads during analysis), not operational payload authoring for live third-party targets.
Use when a question is answerable by command-line static inspection of a Mach-O binary without loading it into Ghidra or running it. Covers otool, nm, jtool2, codesign, spctl, strings, class-dump, plutil, lipo, dyld_info, and their MCP wrappers. Fires on "what dylibs does this link", "is this binary signed", "dump its entitlements", "show the class list", "convert this plist", "strip the symbol table", "show imports", "list rpaths", "inspect universal binary slices".
Use when you want to observe a macOS binary's runtime behavior at scale — syscall traces, ``objc_msgSend`` dispatch volume, file-IO patterns, PID-specific function-entry counts — without the per-hit overhead of lldb breakpoints. Covers DTrace probes (syscall, pid, objc, plockstat), D-language aggregations, action and predicate filtering, and the ``macre-vm-mcp`` ``dtrace_script`` / ``dtrace_oneliner`` tool wrappers. Fires on "trace syscalls", "count objc messages", "who opens this file", "stack trace every call to foo", "dtrace one-liner for X".
One to three sentences written in Cursor's auto-invoke voice. Name the INPUT SITUATION (e.g. "when analyzing a Mach-O binary's load commands", "when auditing an XPC service for client-signature validation"), not the output capability. Max 1024 characters. Be specific — vague descriptions prevent auto-invocation.
Use when reversing an Objective-C binary and you need to recover class layout, selector-to-IMP mapping, protocol conformance, property lists, or understand how ``objc_msgSend`` dispatches on ARM64. Fires on questions like "what classes are in this binary", "where is the -[Foo bar:] method", "how does objc_msgSend work on arm64", "dump selectors", "find all callers of setObject:forKey:", "what's in __objc_classlist", or "how do I call a Swift-bridged Objective-C method at runtime". Prerequisite to the ObjC method-swizzling, hooking, and XPC-audit skills in Waves 2–3.
Use when turning a verified macOS bug into an audience-aware finding packet: vendor disclosure, internal remediation, red-team reporting, Apple/platform disclosure, PoC hardening, evidence packaging, affected versions, root-cause summary, and follow-up tracking. Fires on "prep this finding", "report packet", "vendor disclosure", "internal remediation", "red-team report", "submit to Apple", "security.apple.com", and "rdar".