:%!xxd
:%!xxd -r

% character ensures that the command is applied to the contents of the file, while the ! is used to call the external command line utility xxd. We use xxd's -r switch to revert the hex dump back to binary format. Vi can have a steep learning curve, but it will pay you back in spades. Start here for a quick intro.

hexdump and xxd utilities sufficient for my needs, but Hex Fiend is a useful GUI alternative.

$ xcode-select --install

strings, nm, python3, otool and lldb.

.pkg files is the free SuspiciousPackage tool from developers Mothers Ruin software. What I particularly love about this application is the robust AppleScript support, which makes it possible to automate searching packages for specific capabilities, items and strings.

otool and lldb, which along with Hopper and radare2, are my personal favorites for macOS static and dynamic reversing work.

$ apropos snoop
fs_usage utility is still useful for displaying system calls relating to the filesystem, and to that end FSMonitor provides a convenient graphical interface. Once free, the tool is now proprietary, but it's very reasonably priced (~$19 at the time of writing).

/.fseventsd. In order to access them, you'll have to drop down to root and cd into the dir, but inside you'll be met by some very unfriendly gzip compressed data. Fortunately, FSEventsParser comes to the rescue here. This free tool allows you to parse and extract data relevant to specific enquiries. You can define your own, but lots of pre-made queries are available that will help you to report on most aspects of file activity.

ps and top. Jaron Bradley's TrueTree repo offers a more nuanced look at process hierarchies, while Patrick Wardle's TaskExplorer offers a convenient way to explore processes and see the signature status, loaded dylibs, open files, network connections and even VirusTotal status for each file backing a running process.

top, try Jonathan Levin's Process Explorer, which has a more useful interactive mode than the native tool. For example, pressing the Enter key on a process line will reveal more details about it, and processes can be filtered by name using the "/" key and specifying the process name.

nc (aka netcat), ping, trace, ipconfig and so on. Note that both ftp and telnet are not available by default on the Mac since 10.13, High Sierra.

sqlite3 command line utility built-in, a front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats.

codesign and spctl utilities, and provides a very quick, nice and informative overview of the validity of an application bundle's codesigning status. Unfortunately, the app appears to be in legacy status, but it still works well enough on the current version of macOS Catalina.

strings utility. It's worth noting that the macOS version of this tool is a little different from its Linux cousin, and in particular does not handle the same range of encodings. Fortunately, there is a great, free alternative called Floss that will serve you much better.