Engine for analyzing binaries on macOS systems to identify potential vulnerabilities

• Install pyimg4

pip3 install pyimg4
# And make sure you have the binary pyimg4 in PATH

• Install trustcache

Download it from https://github.com/CRKatri/trustcache and put it in the PATH

• Create a copy of $HOME/Library/Application Support/com.apple.TCC/TCC.db. From Terminal with FDA permissions:

cp "$HOME/Library/Application Support/com.apple.TCC/TCC.db" /tmp/TCC_user.db && sudo chmod +r /tmp/TCC_user.db

• Create a copy of /Library/Application Support/com.apple.TCC/TCC.db. From Terminal with FDA permissions:

cp "/Library/Application Support/com.apple.TCC/TCC.db" /tmp/TCC_system.db && chmod +r /tmp/TCC_system.db

• Create a copy of /var/db/auth.db. From Terminal with FDA permissions:

sudo cp "/var/db/auth.db" /tmp/auth.db && sudo chmod +r /tmp/auth.db

Run:

./MacHawkEye-engine  --user-tcc-db /tmp/TCC_user.db --system-tcc-db /tmp/TCC_system.db --auth-db /tmp/auth.db -o /tmp/executables.db

• Open the GUI project on Xcode and click the Run button (it will build and run the GUI automatically)

• Build the project on Xcode (Product -> Build)

• Navigate to the build (location is under File -> Project Settings on Xcode):

cd $HOME/Library/Developer/Xcode/DerivedData/MacHawkEye-gui-{RANDOM}

• Execute the GUI:

./MacHawkEye-gui.app/Contents/MacOS/MacHawkEye-gui

• Enter the path to the generated DB from the engine under the Configuration tab (default location is /tmp/executables.db):

• Run prebuilt queries or customize your own queries and run them against the DB:

• Visualize the results: