macOS Malware Analysis Tools
Static Analysis
file – Display the type of a file (Mach-O, FAT, other types).
strings – Extracts strings from a file.
diff – Compares two files and shows the differences between them.
nm – Extracts symbol table (function imports, exports).
codesign – Extracts code signing certification status and more.
spctl – Checks whether a file's code-signing certificate has been revoked, and more.
curl – Download and send files via HTTP.
xattr – Checks whether a file carries extended attributes and which ones (such as the quarantine flag used by Gatekeeper checks).
otool – Examine binary files, extract assembly instructions, view the segments, sections, and more.
JTool – A better variation of otool.
WhatsYourSign – Checks code-signing certificate status, displays hashes, and more.
Dynamic Analysis
ProcessMonitor – Monitors processes activities.
FileMonitor – Monitors file system events.
AppMon – Automated framework for monitoring and tampering with system API calls, based on Frida.
Wireshark – Network analysis tool.
tcpdump – Network analysis tool.
MiTMProxy – An interactive SSL/TLS-capable intercepting HTTP proxy (great for HTTPS inspection).
NetworkMiner – Sniffer and PCAP parser.
Fiddler – The free web debugging proxy for any browser, system, or platform.
FSMonitor – Monitors file system events (read, write, etc.).
Netiquette – Monitors for network connections.
LuLu – Checks for suspicious network activity and displays it.
TaskExplorer – Visually explore all running processes.
ReiKey – Dynamically intercepts and detects keylogging activity.
BlockBlock – Dynamically intercepts persistent actions on the system.
Reverse Engineering
LLDB – GDB-like macOS debugger.
IDA Free/Pro – Disassembler and debugger.
Hopper (Demo/Pro) – Disassembler and debugger.
radare2 – Free and open source disassembler and debugger.
Cutter – GUI for radare2.
Binary Ninja – A New Type of Reversing Platform.
Unpacking & Deobfuscation
FLOSS – Automatically extract obfuscated strings from malware.
NoMoreXor – Tool that helps guess a file's 256-byte XOR key using frequency analysis.
Packing
iPakk – MacOSX Mach-O (PPC) packer.
muncho – MacOSX Mach-O (Intel) packer.
oneKpaq – MacOSX Mach-O (Intel) packer.
Forensics
dcfldd – Hard drive forensics acquisition tool.
Autopsy – Hard drive forensics analysis tool.
mac_apt – Hard drive forensics analysis tool.
OSXPMem – Memory forensics acquisition tool.
Volatility – Memory forensics analysis framework.
Rekall – Memory forensics framework.
FOG Project – A free open-source network computer cloning and management solution.
Other
KnockKnock – Scans for persistence items and uploads them to VirusTotal.
KextViewr – Displays all loaded kexts (kernel extensions), along with their signing status, full path, VirusTotal detection ratios, and more.
Dylib Hijack Scanner – Scans the system for applications that are potentially vulnerable to dylib hijacking.
Cuckoo Sandbox – Free and open-source automated malware analysis sandbox.