(Ab)using the built-in capabilities of macOS in order to surreptitiously capture screenshots has recently been in the news:

"The mystery of a Mac malware called 'FruitFly'"
"Sandboxed Mac Apps Can Take Screenshots"

In this guest blog post, my good friend Mikhail Sosonkin reverses Apple's screencapture utility in order to peek behind the (figurative) curtain and uncover how it works. He also looks at some Mac malware from 2013 that captured desktop images, and suggests methods for detecting screen capturing! Enjoy his writeup, "Who Moved My Pixels?!"

If you wish to reproduce or follow the steps I've taken, linked below are the binaries that I used for the reverse engineering. The binaries are from macOS High Sierra version 10.13.3.

macOS comes with a utility for capturing the screen pixels into an image file: /usr/sbin/screencapture. It is a useful utility and, I'm guessing, screencapture is what gets executed when I press the right key combination on the desktop to take a full or partial screenshot. So, I decided to reverse it and see how it actually does the capturing.

Starting the trace at the very beginning: this is where the command line arguments are processed (see _text:100002640 and _text:10000287E), so there is a good chance that this is where we should start tracing.

* thread #1, queue = '-thread', stop reason = instruction step over

Looking at the stack trace, it becomes obvious that the implementation actually used is the similarly named SLDisplayCreateImage function from the SkyLight private framework.
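The step above, stopping in the debugger and reading off which module the innermost frame belongs to, is easy to automate once you have lldb's `bt` text. The following Python is an added example, not code from Mikhail's writeup or from Apple. It parses a constructed lldb backtrace (the addresses, offsets and unnamed-symbol number are invented; only the `module`symbol + offset` layout follows lldb's real output format) and reports which module implements a given public call. It assumes that the public CoreGraphics API whose name SLDisplayCreateImage mirrors is CGDisplayCreateImage, and that lldb shows the main thread's queue as `com.apple.main-thread`; the page itself names neither.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# lldb prints each backtrace frame as:
#   frame #N: 0xADDRESS module`symbol + offset
# (the "+ offset" part is absent when the pc sits exactly on the symbol).
FRAME_RE = re.compile(
    r"frame #(?P<num>\d+): 0x(?P<addr>[0-9a-fA-F]+) "
    r"(?P<module>[^`\s]+)`(?P<symbol>[^+]+?)(?: \+ (?P<offset>\d+))?\s*$"
)

# Constructed sample `bt` output. Addresses, offsets and the unnamed-symbol
# number are invented for illustration; the module`symbol layout and the
# assumed CoreGraphics -> SkyLight call chain are what the example is about.
SAMPLE_BT = """\
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00007fff5a0c1e40 SkyLight`SLDisplayCreateImage
    frame #1: 0x00007fff3d2b7f10 CoreGraphics`CGDisplayCreateImage + 28
    frame #2: 0x0000000100002a1c screencapture`___lldb_unnamed_symbol42$$screencapture + 312
    frame #3: 0x00007fff5c3e0015 libdyld.dylib`start + 1
"""


@dataclass
class Frame:
    num: int
    addr: int
    module: str
    symbol: str
    offset: Optional[int]


def parse_backtrace(text: str) -> List[Frame]:
    """Turn lldb `bt` text into Frame objects, innermost (frame #0) first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue  # thread header or other non-frame output
        frames.append(Frame(
            num=int(m["num"]),
            addr=int(m["addr"], 16),
            module=m["module"],
            symbol=m["symbol"].strip(),
            offset=int(m["offset"]) if m["offset"] else None,
        ))
    return frames


def callee_of(frames: List[Frame], symbol: str) -> Optional[Frame]:
    """Frame one level deeper than the frame executing `symbol`, i.e. the
    function that `symbol` called into. None if `symbol` is not on the
    stack or is already the innermost frame."""
    for i, f in enumerate(frames):
        if f.symbol == symbol:
            return frames[i - 1] if i > 0 else None
    return None


def api_suffix(symbol: str) -> Optional[str]:
    """Strip the two-letter framework prefix (CG, SL, NS, ...) from a symbol."""
    m = re.fullmatch(r"[A-Z]{2}([A-Z]\w*)", symbol)
    return m.group(1) if m else None


def same_api_suffix(a: str, b: str) -> bool:
    """True if two symbols differ only in their two-letter prefix
    (e.g. CGDisplayCreateImage vs SLDisplayCreateImage)."""
    sa, sb = api_suffix(a), api_suffix(b)
    return sa is not None and sa == sb


def modules_on_stack(frames: List[Frame]) -> List[str]:
    """Modules in call order from innermost to outermost, deduplicated."""
    seen: List[str] = []
    for f in frames:
        if f.module not in seen:
            seen.append(f.module)
    return seen


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BT)
    impl = callee_of(frames, "CGDisplayCreateImage")
    print("modules:", " -> ".join(modules_on_stack(frames)))
    if impl and same_api_suffix("CGDisplayCreateImage", impl.symbol):
        print(f"CGDisplayCreateImage is implemented by {impl.module}`{impl.symbol}")
```

On a real session you would paste the output of `bt` in place of SAMPLE_BT; the prefix check is only a naming heuristic for spotting public/private pairs like CG*/SL*, and the frame below the public call is the authoritative answer.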