It works, but it is very limited due to heavy sandboxing: you can only read files and copy them into your sandbox folder, or consume some CPU power. If you have a way to escape the sandbox then go for it, or it could be used as one part of multi-part malware.

I'm reading Jonathan Levin's *OS Internals Vol I. book (user mode - *OS Internals: - Welcome!), and I got to the chapter where he talks about Spotlight importers, and my first thought was that it would be an awesome way to persist on macOS.

Typically there is nothing new in InfoSec, so after a quick Google search I found that Patrick Wardle had already mentioned this in his BlackHat USA / Immunity talk back in 2015.

Talk: Patrick Wardle Writing OS X Malware on Vimeo (This is the Immunity one, as he cut this part from the actual BH talk)

But I didn't find anything beyond this, nothing about how to persist this way. So I decided to experiment with it and see what can or cannot be done.

Spotlight on OSX / macOS is basically an indexing / search service. When you press CMD+SPACE a search box comes up (that's Spotlight) and you can type in whatever you are looking for. Spotlight searches its index, and that index is built by Spotlight importers. These importers are made for various file types, typically documents, and are able to parse a file and extract useful, indexable content from it.
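Since an importer is just a bundle that Spotlight loads for a file type, the defensive counterpart of the persistence idea above is an inventory of which importer bundles exist on a host and who can modify them. The script below is an added example, not code from the original post; it assumes importers are `*.mdimporter` bundles living in the standard Spotlight directories listed in `STANDARD_ROOTS` or inside app bundles under `Contents/Library/Spotlight`, and that each carries a `Contents/Info.plist` with a `CFBundleIdentifier` and `CFBundleDocumentTypes` entries whose `LSItemContentTypes` list the UTIs it claims. The `sample_inventory` helper builds two constructed bundles in a temporary directory so the code can be exercised without a Mac.

```python
"""Inventory Spotlight importer bundles (*.mdimporter) on a macOS host.

Added example, not code from the original post.  Assumptions: importers live
in STANDARD_ROOTS or under <App>.app/Contents/Library/Spotlight, and each has a
Contents/Info.plist with CFBundleIdentifier and CFBundleDocumentTypes whose
LSItemContentTypes list the UTIs the importer registers for.
"""
from __future__ import annotations

import os
import plistlib
import tempfile
from dataclasses import dataclass, field

# Usual importer locations (assumption; an importer found elsewhere deserves a
# closer look).  /Applications is walked for app-bundled importers.
STANDARD_ROOTS = [
    "/System/Library/Spotlight",
    "/Library/Spotlight",
    "~/Library/Spotlight",
    "/Applications",
]


@dataclass
class Importer:
    path: str
    bundle_id: str
    utis: list[str] = field(default_factory=list)
    user_writable: bool = False   # current user could replace the bundle on disk


def parse_importer(bundle_path: str) -> Importer | None:
    """Read Contents/Info.plist of one *.mdimporter bundle; None if unreadable."""
    plist_path = os.path.join(bundle_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None
    utis: set[str] = set()
    for doc in info.get("CFBundleDocumentTypes", []):
        utis.update(doc.get("LSItemContentTypes", []))
    return Importer(
        path=bundle_path,
        bundle_id=str(info.get("CFBundleIdentifier", "<missing>")),
        utis=sorted(utis),
        user_writable=os.access(bundle_path, os.W_OK),
    )


def find_importers(roots: list[str]) -> list[Importer]:
    """Walk the given roots and return every parseable *.mdimporter bundle."""
    found: list[Importer] = []
    for root in roots:
        root = os.path.expanduser(root)
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, _files in os.walk(root):
            for name in list(dirnames):
                if name.endswith(".mdimporter"):
                    imp = parse_importer(os.path.join(dirpath, name))
                    if imp is not None:
                        found.append(imp)
                    dirnames.remove(name)   # do not descend into the bundle itself
    return sorted(found, key=lambda i: i.path)


def write_sample_importer(root: str, name: str, bundle_id: str, utis: list[str]) -> str:
    """Create a constructed, code-less importer bundle for offline demonstration."""
    contents = os.path.join(root, name + ".mdimporter", "Contents")
    os.makedirs(contents, exist_ok=True)
    info = {
        "CFBundleIdentifier": bundle_id,
        "CFBundleDocumentTypes": [{"LSItemContentTypes": utis}],
    }
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return os.path.dirname(contents)


def sample_inventory() -> list[Importer]:
    """Build two constructed bundles in a temp dir and inventory them."""
    root = tempfile.mkdtemp(prefix="spotlight-demo-")
    write_sample_importer(root, "Demo", "com.example.demo", ["public.plain-text"])
    nested = os.path.join(root, "Demo.app", "Contents", "Library", "Spotlight")
    write_sample_importer(nested, "AppDemo", "com.example.appdemo",
                          ["com.example.demo-doc", "public.plain-text"])
    return find_importers([root])


if __name__ == "__main__":
    for imp in find_importers(STANDARD_ROOTS):
        flag = " [user-writable]" if imp.user_writable else ""
        print(f"{imp.bundle_id:40} {imp.path}{flag}")
        print(f"{'':40} UTIs: {', '.join(imp.utis) or '-'}")
```

On a real host, bundles flagged `[user-writable]` or found outside the standard roots are the ones to examine first, since those are the locations a non-root process could populate; `mdimport -L` lists the importers Spotlight has actually registered and is a useful cross-check against this on-disk view.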