Skip to main content
在 Manus 中运行任何 Skill
一键导入
GitHub 仓库

mac-reversing-station

mac-reversing-station 收录了来自 UnsaltedHash42 的 37 个 skills,并提供仓库级职业覆盖和站内 skill 详情页。

已收集 skills
37
Stars
0
更新
2026-05-14
Forks
0
职业覆盖
2 个职业分类 · 已分类 100%
仓库浏览

这个仓库中的 skills

offensive-macos-lab-roster
信息安全分析师

Use when choosing or adding macOS research machines: primary, crash-test, cross-platform Apple Silicon, and Intel baseline. Fires on "add a lab machine", "which machine should run this", "primary lab host", "crash-test", "Intel baseline", and "cross-platform verification".

2026-05-14
offensive-macos-tooling-ghidra-headless
信息安全分析师

Use when driving Ghidra headless from Cursor for macOS reverse engineering: opening Mach-O binaries, listing functions, decompiling by address, running custom Ghidra scripts, or doing breadth sweeps across many targets. Fires on "ghidra-mcp", "decompile with Ghidra", "run a Ghidra script", "list functions in this binary", and systemic-class scan setup.

2026-05-13
offensive-macos-bundle-intake
信息安全分析师

Use when starting a macOS reversing pass from an app bundle, installer, framework, XPC bundle, helper, or bare binary path. Fires on "start target", "inventory this app", "point at this bundle", "begin PASS", and "target intake".

2026-05-13
offensive-macos-vuln-ontology
信息安全分析师

Use when mapping a macOS target's attack surfaces to reusable vulnerability classes, generating hunt hypotheses for a new third-party app, or deciding which playbook or scanner applies. Fires on "vulnerability ontology", "bug-class map", "what bug classes apply", "generate hypotheses", and "classify this macOS surface".

2026-05-13
offensive-macos-electron-surface-pack
信息安全分析师

Use when a macOS target appears to be Electron-based and needs ASAR, package, preload, IPC, native module, fuse, sandbox, or update review.

2026-05-13
offensive-macos-station-topology
信息安全分析师

Use when a question touches the lab topology: what runs on the workstation, what runs on the primary lab host, how `ghidra-mcp` and `macre-vm-mcp` are wired, how to start a findings repo, which machine role to use, why Hopper is manual-only, or how to troubleshoot MCP/SSH/script sync failures.

2026-05-13
offensive-macos-source-binary-correlation
信息安全分析师

Use for open-source or in-house macOS targets where source is available but the shipped binary remains the evidence source of truth.

2026-05-08
offensive-macos-hunt-iokit-userclient
信息安全分析师

Use when auditing user-mode binaries that drive a kernel driver via IOKit user clients: EDR drivers, GPU userspace stacks, USB/HID stacks, vendor kexts, DriverKit dexts, helper binaries that call IOServiceOpen + IOConnectCallMethod. Fires on "iokit user client", "ioconnect call", "external method", "iokit selector hunt", "kernel driver user surface".

2026-05-08
offensive-macos-hunt-keychain-access-group
信息安全分析师

Use when auditing apps and helpers for keychain confused-deputy bugs: shared access groups, kSecAttrAccessGroup queries, application-groups entitlements, ACLs that don't pin to the calling app's identity, keychain items written by app A that app B in the same access group can read. Fires on "keychain access group", "kSecAttrAccessGroup", "shared keychain acl", "keychain confused deputy".

2026-05-08
offensive-macos-hunt-mig-subsystem
信息安全分析师

Use when auditing daemons or kernel components that expose a Mach Interface Generator (MIG) subsystem: routine numbers dispatched through mach_msg, MIG-generated server stubs, mig_server_routine tables, and MIG-derived kernel traps. Covers user-space MIG (cfprefsd, lockd, bootstrap_server, KernelEventAgent) and kernel MIG (host_priv, task_self_trap subsystems). Fires on "mig subsystem", "mig routine", "mig server stubs", "mach trap audit", "subsystem audit".

2026-05-08
offensive-macos-hunt-private-framework-hijack
信息安全分析师

Use when auditing macOS binaries for dynamic-loading paths an attacker can influence: weak-linked PrivateFrameworks, dlopen with attacker- controlled paths, NSClassFromString / NSSelectorFromString driven by user input, Sparkle-style updater dylib resolution, runtime symbol resolution that trusts an unsigned dylib. Fires on "private framework hijack", "dylib hijack", "weak link bypass", "nsclassfromstring abuse", "dynamic symbol resolution audit".

2026-05-08
offensive-macos-hunt-tcc-prompt-attribution
信息安全分析师

Use when auditing TCC-mediating daemons or apps for prompt-attribution bugs: a daemon prompts the user about app A but the request actually came from app B; responsible-process accounting laundered through a launchd intermediary; a privileged daemon proxies a request and asks for consent on behalf of itself rather than its caller. Fires on "tcc prompt attribution", "wrong responsible process", "tcc responsibility laundering", "consent on behalf of", "audit token vs responsible parent".

2026-05-08
offensive-macos-hunt-url-scheme-hijack
信息安全分析师

Use when auditing macOS apps for custom URL scheme registration and inbound URL handling: bundles that claim a scheme via CFBundleURLTypes, dispatchers that trust URL host / query without validation, schemes that overlap with other apps, apps that take privileged actions in application:openURL:. Fires on "url scheme hijack", "openURL handler audit", "cfbundleurlschemes", "deep link bypass".

2026-05-08
offensive-macos-hunt-catalyst-porting-gap
信息安全分析师

Use when auditing Mac Catalyst or platform-conditional entitlement logic: strings like `is-catalyst-binary`, `MacCatalyst`, `non macos platform`, platform checks that skip entitlements, or service behavior that differs for Catalyst/iOS-on-mac clients. Fires on "Catalyst bypass", "platform-conditional entitlement", "Mac Catalyst entitlement", and "porting gap".

2026-05-08
offensive-macos-hunt-defaults-bypass
信息安全分析师

Use when auditing macOS binaries for security decisions controlled by user-writable defaults: `NSUserDefaults`, `CFPreferences`, `defaults write`, debug/test/internal keys, entitlement bypass strings, or feature flags that can disable validation. Fires on "defaults bypass", "user-defaults security gate", "defaults write bypass", and "scan for defaults-gated checks".

2026-05-08
offensive-macos-scriptorium-evidence
信息安全分析师

Use when linking claims, artifacts, decisions, and handoff state across a macOS reversing project.

2026-05-08
offensive-macos-hunt-wrong-door
信息安全分析师

Use when auditing macOS daemons for "entitlement on the wrong door" bugs: multiple XPC MachServices, privileged/internal service names, missing or inconsistent `shouldAcceptNewConnection:` gates, post-connection entitlement checks, or unprivileged UID 501 reachability. Fires on "wrong-door", "entitlement on wrong interface", "audit this daemon for XPC gates", and "run the wrong-door scan".

2026-05-08
offensive-macos-poc-authoring
信息安全分析师

Use when a confirmed candidate or chain-discovery hypothesis is ready for a proof-of-concept harness. The skill guides primitive selection, lab-state preparation, harness scaffolding, reliability capture, and evidence linking back to Scriptorium without losing the discipline that separates a proof from a writeup. Fires on "PoC authoring", "write a PoC", "harness this primitive", "PoC scaffolding", "stand up a chain harness", and "reliability pass".

2026-05-08
offensive-macos-chain-discovery
信息安全分析师

Use when corpus state contains two or more candidate primitives that could combine into a higher-impact chain - sandbox escape stitched to TCC bypass, helper authorization gap stitched to file-write primitive, updater trust failure stitched to privileged install, keychain trust slip stitched to scoped-bookmark replay. Fires on "chain discovery", "vuln chain", "primitive chain", "exploitability ladder", "stitch primitives", and "what does this primitive get me".

2026-05-08
offensive-macos-agent-discipline
信息安全分析师

Use when a macOS bug-hunting session is stuck, drifting, brute-forcing, choosing machines, handling crashes, or coordinating agent work. Fires on "failure taxonomy", "RE parallel rule", "I'm stuck", "which machine should I run this on", "commit cadence", "no /tmp", and "lsof after every action".

2026-05-08
offensive-macos-family-os-components
信息安全分析师

Use when auditing Apple OS internals on macOS - Apple-signed app bundles, daemons, agents, frameworks, PrivateFrameworks, system extensions, network extensions, Endpoint Security clients, DriverKit/IOKit-adjacent components, XPC services, and launchd/MachService surfaces. Fires on "OS component", "Apple OS internals", "system daemon", "PrivateFramework", "system extension", "network extension", "Endpoint Security", "DriverKit", and "launchd MachService".

2026-05-08
offensive-macos-gatehouse-ghidra-lldb
信息安全分析师

Use when carrying Ghidra-derived symbols, functions, or addresses into LLDB confirmation and writing the dynamic result back to project evidence.

2026-05-07
offensive-macos-maproom-recipes
信息安全分析师

Use when selecting or maintaining investigation recipes that map goals to skills, scripts, MCP tools, outputs, and project-state updates.

2026-05-07
offensive-macos-watch-static-analysis
信息安全分析师

Use when turning target intake, dossier facts, and first-pass static sweeps into decision support for a macOS reversing pass.

2026-05-07
offensive-macos-tooling-lldb
信息安全分析师

Use when debugging or dynamically analyzing a macOS binary with lldb. Covers non-interactive scripted runs via the macre-vm-mcp ``lldb_run`` and ``lldb_break_and_inspect`` tools, as well as interactive-style debugging patterns expressed as batch scripts. Fires on questions like "set a breakpoint on -[Foo bar:]", "dump registers at _objc_msgSend", "read 64 bytes at $sp", "patch this instruction live", "attach lldb to pid 1234", "what does x16 look like at this syscall site". Works against non-Apple-signed binaries freely on the configured lab host, with caveats noted for Apple-signed targets.

2026-05-07
offensive-macos-family-developer-tools
信息安全分析师

Use when auditing macOS developer tools such as terminals, editors, package managers, build helpers, virtualization tools, local CI agents, plugins, or language runtimes. Fires on "developer tool", "package manager", "build helper", "terminal app", and "plugin trust".

2026-05-07
offensive-macos-family-enterprise-agents
信息安全分析师

Use when auditing enterprise, security, EDR-adjacent, MDM, network-filter, telemetry, or device-management macOS agents. Fires on "enterprise agent", "security agent", "EDR", "MDM client", and "endpoint agent".

2026-05-07
offensive-macos-family-privileged-helpers
信息安全分析师

Use when auditing third-party macOS apps with privileged helpers, updaters, installers, Sparkle services, LaunchDaemons, or root XPC services. Fires on "privileged helper", "updater audit", "Sparkle", "SMJobBless", and "helper tool".

2026-05-07
offensive-macos-family-tcc-heavy-apps
信息安全分析师

Use when auditing macOS apps with heavy privacy permissions: TCC, Accessibility, Screen Recording, Automation, camera, microphone, Desktop/Documents, Full Disk Access, security-scoped bookmarks, or file authority transfer. Fires on "TCC-heavy", "privacy permissions", "Accessibility audit", "screen recording", and "security-scoped bookmarks".

2026-05-07
offensive-macos-foundations-macho
信息安全分析师

Use when analyzing a Mach-O binary's file layout — header, load commands, segments, sections, symbol tables, chained fixups, code signature, entitlements — or when reading the dyld shared cache, fat/universal binaries, or any artifact where understanding the Mach-O container itself is the prerequisite for the next step. Fires on questions like "what are the load commands of this binary", "which dylibs does it link", "is this arm64 or universal", "where is the __TEXT segment", "how do chained fixups work in macOS 14+", or "extract the dyld shared cache".

2026-05-07
offensive-macos-foundations-swift-abi
信息安全分析师

Use when reversing a Swift-heavy macOS binary and the Objective-C runtime view (class-dump, Ghidra's ObjC sidebar) is incomplete or shows mangled names. Fires on questions like "demangle this Swift symbol", "what's in __swift5_types", "how do I find a Swift method's implementation", "why does class-dump fail on this app", "what's a value witness table", "how does Swift's reabstraction / partial application work", or "is this class @objc or pure Swift". Covers Swift 5+ stable ABI; older name mangling (Swift 3/4) is noted as legacy.

2026-05-07
offensive-macos-shellcode-arm64
信息安全分析师

Use when writing, reading, or analyzing ARM64 shellcode on macOS. Covers AArch64 calling conventions, macOS syscall numbering (``x16`` = syscall number; ``svc #0x80``), execv payloads, bind-shell construction, eliminating PC-relative addressing, stub elimination, locating libc functions via the dyld shared cache, and the dtrace / lldb confirmation loop. Framed as RE-enablement (understanding injected payloads during analysis), not operational payload authoring for live third-party targets.

2026-05-07
offensive-macos-tooling-cli-static
网络与计算机系统管理员

Use when a question is answerable by command-line static inspection of a Mach-O binary without loading it into Ghidra or running it. Covers otool, nm, jtool2, codesign, spctl, strings, class-dump, plutil, lipo, dyld_info, and their MCP wrappers. Fires on "what dylibs does this link", "is this binary signed", "dump its entitlements", "show the class list", "convert this plist", "strip the symbol table", "show imports", "list rpaths", "inspect universal binary slices".

2026-05-07
offensive-macos-tooling-dtrace
信息安全分析师

Use when you want to observe a macOS binary's runtime behavior at scale — syscall traces, ``objc_msgSend`` dispatch volume, file-IO patterns, PID-specific function-entry counts — without the per-hit overhead of lldb breakpoints. Covers DTrace probes (syscall, pid, objc, plockstat), D-language aggregations, action and predicate filtering, and the ``macre-vm-mcp`` ``dtrace_script`` / ``dtrace_oneliner`` tool wrappers. Fires on "trace syscalls", "count objc messages", "who opens this file", "stack trace every call to foo", "dtrace one-liner for X".

2026-05-07
offensive-macos-slug
信息安全分析师

One to three sentences written in Cursor's auto-invoke voice. Name the INPUT SITUATION (e.g. "when analyzing a Mach-O binary's load commands", "when auditing an XPC service for client-signature validation"), not the output capability. Max 1024 characters. Be specific — vague descriptions prevent auto-invocation.

2026-05-07
offensive-macos-foundations-objc-runtime
信息安全分析师

Use when reversing an Objective-C binary and you need to recover class layout, selector-to-IMP mapping, protocol conformance, property lists, or understand how ``objc_msgSend`` dispatches on ARM64. Fires on questions like "what classes are in this binary", "where is the -[Foo bar:] method", "how does objc_msgSend work on arm64", "dump selectors", "find all callers of setObject:forKey:", "what's in __objc_classlist", or "how do I call a Swift-bridged Objective-C method at runtime". Prerequisite to the ObjC method-swizzling, hooking, and XPC-audit skills in Waves 2–3.

2026-05-07
offensive-macos-submission-packet
信息安全分析师

Use when turning a verified macOS bug into an audience-aware finding packet: vendor disclosure, internal remediation, red-team reporting, Apple/platform disclosure, PoC hardening, evidence packaging, affected versions, root-cause summary, and follow-up tracking. Fires on "prep this finding", "report packet", "vendor disclosure", "internal remediation", "red-team report", "submit to Apple", "security.apple.com", and "rdar".

2026-05-07