Proof-of-concept showing a method to hide system calls on XNU (arm64 macOS and iOS) from static analysis.

As a bonus, I also compare it’s functionality to its normal equivalent (i.e., system calls which are compiled into the program binary).

This syscall trick works by utilizing an arm64 XNU kernel function, such as __mmap, to jump to its syscall instruction (SVC 0x80). As a result, static analysis of a program using this trick will not show any usage of syscalls; __mmap was chosen for its non-exotic function name that would attract less attention compared to some of the other functions I tested.

As a happy side effect of my hastily written assembly code, if either syscall function is decompiled in IDA (7.7, I tested) at least once, any functions calling it will produce a decompilation error! 🙂

Find the code on GitHub here.