Process X-Ray Details Window

This post introduces Process X-Ray’s details window. All the information shown in the window is provided by Apple’s preferred APIs for endpoint analysis.

Background

Three months ago I discussed the Challenges Security Analysts Face and built a program to provide concrete examples of these problems. To enhance the data presented by the network tool, I had also written a simple endpoint tool.

The endpoint data is valuable enough by itself that I’ve written a stand-alone program for it - Process X-Ray. This post shows some of the information we can identify about your system using Apple’s supported APIs.

The “Apple supported APIs” issue is important because Apple is banning key techniques used by many (most?) endpoint security programs, namely kernel extensions and process injection. Once you upgrade to macOS 10.15.4, you may start seeing alerts by Apple about your current security products.

Details window

Below is a screenshot of Process X-Ray’s details window, showing the information collected about a single process. The four major information groups in the window are discussed in turn.

Process X-Ray’s Details window

Group 1: The process

At the top of the window is general information about the process: its Process ID, the timestamp of the first event we saw for this process, and the timestamp we saw for the most recent event.

Process ID 24850 was first observed at 18:00:32 GMT on April 1, 2020. The last activity we observed for this process was at 18:01:52. As will be seen at the end, we saw the entire life of this process, so it ran for 1 minute and 19 seconds.

Group 2: Most recent program

On UNIX-type systems, a single process can run different programs through its life. As we will see later, this process ran three different programs during its life. Group 2 provides information about the current (or most recent) program the process was executing.

We see the process was running a program called “Diagrams” in the “Applications” folder. We know the program was signed by the team identified as 794PTYRX57 (Apple knows who this team is). The program was last modified (read “created”) on Feb 22 at 16 minutes after midnight GMT, and it was downloaded a little over 18 hours later to my machine. We also have a hash of the program, so we can identify the same binary if it runs under a different name or on a different machine.

Group 3: Parent process

This group identifies the process that created this process and the program the parent was running. The parent’s process ID is 1, which commonly launches many of the programs on the system. It is running the launchd program. Most of the information here is the same as Group 2.

Group 4: Process’s execution history

The final group shows the key events we observed for the process. It started when it was forked by launchd, so for a split second this process was running launchd code. It immediately executed the xpcproxy program, and almost immediately after that it executed the Diagrams program.

This launchd-xpcproxy-program triple is a very common pattern on the Mac.

Finally we see the process exit, so we know this process is dead. Since we have both the “fork” and the “exit”, we know the entire lifespan of this process (see the timestamps in Group 1).

Summary

Using Apple’s approved system extensions API, we can identify when a process was created, how it was created, which sequence of programs it executed, and when the program exited. We also know when each program was created, when it was installed on this Mac, where it lives on this Mac, and which developer signed this code.