The santabundleservice is a small daemon responsible for creating non-execution events for the contents of a bundle. When an execution is blocked, the santabundleservice is tasked with determining if the binary is part of a bundle and, if so, locating other executables contained within that bundle. Finally, the service is responsible for generating the bundle hash and creating events for all found binaries.
macOS application bundles are directories with a loosely defined structure, further complicated by nested bundles used for common scenarios (e.g. XPC services, app extensions, etc.). santabundleservice applies some heuristics to locate the highest ancestor bundle containing the blocked binary.
- Example 1
  - Binary: /Applications/DVD Player.app/Contents/MacOS/DVD Player
  - Containing Bundle: /Applications/DVD Player.app
- Example 2
  - Binary: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
  - Containing Bundle: /Applications/Safari.app
- Example 3
  - Binary: /bin/launchctl
  - Containing Bundle: N/A
Once the containing bundle is identified, the directory tree is scanned for all contained binaries. Pseudo-events are created for each entry that contain all of the same information as normal execution events. These events can be sent to the sync server if requested (see the Event Upload section of the Sync Protocol for more information).
To compute the bundle hash, the found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is a strong indicator of what Mach-O executables were within the bundle at the time of scan. The sync server can then verify the hashes when deciding to generate rules.
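The following is an added illustration of the two steps described above, written for this page rather than taken from Santa's own code. It assumes a simplified ancestor-bundle heuristic (a suffix match on `.app`, `.appex`, `.xpc`, `.framework`, `.bundle`), identifies Mach-O files by their magic number, and assumes the per-file hashes are concatenated as lowercase hex strings before the final SHA-256; the sample bundle it builds is constructed from fake files, not real binaries.

```python
import hashlib
import os
import tempfile
from pathlib import PurePosixPath

# Mach-O and fat-binary magic numbers as stored on disk, in both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC (32-bit)
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}   # FAT_MAGIC (universal)
BUNDLE_SUFFIXES = (".app", ".appex", ".xpc", ".framework", ".bundle")  # assumed heuristic

def containing_bundle(binary_path):
    """Return the highest (outermost) ancestor bundle of a path, or None if there is none."""
    outermost = None
    for parent in PurePosixPath(binary_path).parents:   # nearest ancestor first
        if parent.suffix in BUNDLE_SUFFIXES:
            outermost = parent                           # keep walking up: outermost wins
    return str(outermost) if outermost else None

def is_macho(path):
    """Cheap Mach-O check: the first four bytes match a known magic number."""
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def bundle_hash(bundle_dir):
    """SHA-256 of the sorted, hex-concatenated SHA-256s of every Mach-O file in the tree."""
    file_hashes = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full) or not is_macho(full):
                continue                                 # plists, icons, nibs are skipped
            with open(full, "rb") as f:
                file_hashes.append(hashlib.sha256(f.read()).hexdigest())
    file_hashes.sort()                                   # sort by file hash, as the text says
    return hashlib.sha256("".join(file_hashes).encode("ascii")).hexdigest(), file_hashes

def build_demo_bundle(helper_name="Helper"):
    """Constructed sample bundle: two fake Mach-O files (magic + filler) plus a plist."""
    app = os.path.join(tempfile.mkdtemp(), "Demo.app")
    files = {  # relative path -> constructed contents (not real binaries)
        "Contents/MacOS/Demo": b"\xcf\xfa\xed\xfe" + b"main executable filler",
        f"Contents/XPCServices/{helper_name}.xpc/Contents/MacOS/{helper_name}": b"\xca\xfe\xba\xbe" + b"fat helper filler",
        "Contents/Info.plist": b'<plist version="1.0"/>',  # not Mach-O, must not affect the hash
    }
    for rel, data in files.items():
        full = os.path.join(app, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return app
```

Because only Mach-O contents feed the hash, renaming or relocating the nested XPC service inside the bundle leaves the bundle hash unchanged, while altering any executable's bytes changes it.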