macos-bundles.md

macOS Bundles

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Basic Information

Basically, a bundle is a directory structure within the file system. Interestingly, by default this directory looks like a single object in Finder.

The common frequent bundle we will encounter is the .app bundle, but many other executables are also packaged as bundles, such as .framework and .systemextension or .kext.

The types of resources contained within a bundle may consist of applications, libraries, images, documentation, header files, etc. All these files are inside <application>.app/Contents/

ls -lR /Applications/Safari.app/Contents

• Contents/_CodeSignature -> Contains code-signing information about the application (i.e., hashes, etc.).
  • openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64
• Contents/MacOS -> Contains the application’s binary (which is executed when the user double-clicks the application icon in the UI).
• Contents/Resources -> Contains UI elements of the application, such as images, documents, and nib/xib files (that describe various user interfaces).
• Contents/Info.plist -> The application’s main “configuration file.” Apple notes that “the system relies on the presence of this file to identify relevant information about [the] application and any related files”.

  • Plist files contains configuration information. You can find find information about the meaning of they plist keys in https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html

  • Pairs that may be of interest when analyzing an application include:\

    • CFBundleExecutable

    Contains the name of the application’s binary (found in Contents/MacOS).

    • CFBundleIdentifier

    Contains the application’s bundle identifier (often used by the system to globally identify the application).

    • LSMinimumSystemVersion

    Contains the oldest version of macOS that the application is compatible with.

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.