My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help..

My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help.. It all stems from the "about downloads" PDF which kicks off the restructuring of the OS..

MacBook Pro, OS X Mountain Lion (10.8.3)

Posted on May 6, 2013 11:32 PM


May 9, 2013 2:04 PM in response to thomas_r.

Okay guys this will be my last post since it is so evident that nobody is going to address anybody's issues that brings up how easy it is to hack the "Oh so Sacred unhackable Mac". It's understandable being that a lot of your time and effort has gone into the development of the OS and for many years this was true... But here is a little tidbit for you guys... I'm not some idiot that doesn't know about OS's.. As a matter of fact I've been a developer for over 30 years and have been a very successful Independent Contractor for 20 of those 30 years. Granted, I am not a Mac developer, I am a developer of Business Systems that run multi-million and billion dollar industries all over the world.. I will not name exactly what my specialty is because it doesn't make a bit of difference regarding this thread.. I am bringing it up though since as a developer whenever ANY issue is brought to my attention that could either be a potential pitfall for a security compromise or not. I always address the issue and do my due diligence to analyze all the pieces before I say NO, NO, NO. this can't be happening because it's a Mac and OSX isn't susceptible to those things, and I am a developer of this system and because of that its impenetrable. PLEASE spare me the BS... Like I mentioned in my first post, this is my 3rd Mac in a year and a half. I have been to apple over 100 times... My motherboards and drives have had to be replaced multiple times in between my exchanges. So not 1 person has been of any help at all, and I have gone through **** and back.. You wanted more detail as to the symptoms... I'm going to post an apple community feed that was written awhile back from another ****** off apple consumer who experienced exactly to the letter what me and a lot of others are experiencing.


In short my mac always turns into a managed client right from the recovery. It is kicked off through a bad safari extension that holds all the configuration details for the network, the localizations, the streaming out to twitter, facebook, google apis are used to basically link my ipad, iphone and macbook together. You can say it makes the "Oh so sacred unhackable mac" into a very expensive IOS device. Everything is synced. It takes bits of all the executables and bundles them with their malware and symlinks everything back.. DNS is managed. I mean it's the hack of the **** century and you guys refuse to even admit it... Anyway, please remember me, because I can guarantee that we shall see each other fairly soon in the very near future. ...Keep up the good work. LOL


I will post 2 out of maybe 100 or more that I have come across online describing the same issue to the letter..

________________________________________________________________________________ _____________________________________________________



Can someone confirm the legitimacy of these "Unknown" restore images?

921 Views 3 Replies Latest reply: Nov 24, 2011 8:42 AM by goscuter1

goscuter1, Level 1 (20 points)

Nov 19, 2011 3:51 PM

-bash-3.2# mount
/dev/disk3s3 on / (hfs, local, read-only)
devfs on /dev (devfs, local, nobrowse)
/dev/disk4 on /Volumes (hfs, local, union, nobrowse)
/dev/disk5 on /private/var/tmp (hfs, local, union, nobrowse)
/dev/disk6 on /private/var/run (hfs, local, union, nobrowse)
/dev/disk7 on /System/Installation (hfs, local, union, nobrowse)
/dev/disk8 on /private/var/db (hfs, local, union, nobrowse)
/dev/disk9 on /private/var/folders (hfs, local, union, nobrowse)
/dev/disk10 on /private/var/root/Library (hfs, local, union, nobrowse)
/dev/disk11 on /Library/ColorSync/Profiles/Displays (hfs, local, union, nobrowse)
/dev/disk12 on /Library/Preferences (hfs, local, union, nobrowse)
/dev/disk13 on /Library/Preferences/SystemConfiguration (hfs, local, union, nobrowse)
/dev/disk14 on /Library/Keychains (hfs, local, union, nobrowse)
/dev/disk0s2 on /Volumes/Untitled 1 (hfs, local, journaled)
/dev/disk1s3 on /Volumes/Image Volume (hfs, local, read-only, journaled)
-bash-3.2# diskutil list
/dev/disk0
   #: TYPE NAME SIZE IDENTIFIER
   0: GUID_partition_scheme *121.3 GB disk0
   1: EFI 209.7 MB disk0s1
   2: Apple_HFS Untitled 1 121.0 GB disk0s2
   3: Apple_Boot 134.2 MB disk0s3
/dev/disk1
   #: TYPE NAME SIZE IDENTIFIER
   0: GUID_partition_scheme *15.7 GB disk1
   1: EFI 209.7 MB disk1s1
   2: Apple_HFS meh 14.9 GB disk1s2
   3: Apple_Boot Recovery HD 650.0 MB disk1s3
/dev/disk3
   #: TYPE NAME SIZE IDENTIFIER
   0: Apple_partition_scheme *1.4 GB disk3
   1: Apple_partition_map 30.7 KB disk3s1
   2: Apple_Driver_ATAPI 2.0 KB disk3s2
   3: Apple_HFS Mac OS X Base System 1.4 GB disk3s3
/dev/disk4
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk4
/dev/disk5
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk5
/dev/disk6
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk6
/dev/disk7
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk7
/dev/disk8
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk8
/dev/disk9
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *6.3 MB disk9
/dev/disk10
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *2.1 MB disk10
/dev/disk11
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *1.0 MB disk11
/dev/disk12
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk12
/dev/disk13
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk13
/dev/disk14
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *1.0 MB disk14
/dev/disk15
   #: TYPE NAME SIZE IDENTIFIER
   0: GUID_partition_scheme *500.1 GB disk15
   1: EFI 209.7 MB disk15s1
   2: Apple_CoreStorage 499.7 GB disk15s2
   3: Apple_Boot Boot OS X 134.2 MB disk15s3
-bash-3.2#


--------------------


Something is messed up here, because the system is partitioning the Boot volumes nonsensically.


But when I boot from the Recovery Partition or the Internet recovery process, these images all get loaded up every time. I have reason to believe they're dubious, although with this new Apple, it's so hard to know - it might just be incompetence. But some of these images are rw, some are read-only.


Some can be dismounted. Some are IMPOSSIBLE to dismount (cleanly or otherwise).


And if they're legitimate, Apple could really do with not being so sloppy / lazy. "untitled" isn't exactly what people pay 2x market prices for.


nb. disk0 is my Apple SSD. disk1 is my 16GB USB HD. Neither of which boot, obviously. disk15 is my Time Machine with 30 completed backups on it. I've tried all 30. Looks like we won't be booting into an OS today. The rest of the disks ostensibly belong to disk2, which I have reason to believe is highly suspect.


And not just because it's a 1.4GB image, which comes out of 650MB Recovery partition.

MacBook Air, Mac OS X (10.7.2)



Categories: Unix

  • Linc Davis, Level 9 (63,085 points)
    Re: Can someone confirm the legitimacy of these "Unknown" restore images? Nov 19, 2011 4:20 PM (in response to goscuter1)


    A new MBA can netboot from Apple's data center and install the Mac OS, even if the internal drive is completely wiped. If you have reason to suspect that your recovery partition has been tampered with, that's what you should do.


    goscuter1, Level 1 (20 points)


    Linc Davis wrote: A new MBA can netboot from Apple's data center and install the Mac OS, even if the internal drive is completely wiped. If you have reason to suspect that your recovery partition has been tampered with, that's what you should do.
    Unfortunately, the OP mounts are the result of the process you advise above. I've tried so many times now. That's the image that comes down, which boots into the virtual drive to download the 4gb phase. I'm unsure what more I can say, as there are house rules I've learned about recently - which I must respect. It's strange. I'm usually the most respectful person in the room and I never lie, and yet I'm subject to endless sanction. Very peculiar.
    What's the basis for your fears?
    Apple frontline CS say it's not standard, which seems to be the general consensus - although I see variations of this question (different sets of images, however) posted on forums - no answers, obviously. I can't get an answer from anyone to what I think is an incredibly simple and valid query: Why would my MacBook Air and another identical Intel Macbook Air have different firmware, kernels, driver packages, extensions, etc? It seems almost overwhelmingly peculiar that the process wouldn't be close to identical for all Intel Macbook Air laptops. It all seems incredibly queer to me, but not nearly as strange as no one being interested in being drawn into a discussion about it. Thoughts? Aside from that, the basis for my concerns are: 10 months destroyed, 17 systems destroyed, 6 figures USD handed to creeps who really only freak me out when they get queer about accepting more of it (I'm not passing counterfeit bills around, but you could be forgiven for thinking I was the way people hate money suddenly), surely ~10,000 questions I've asked now, a tiny handful of unverifiable answers (the unknowns and the workarounds are just too horrific to contemplate, frankly), 1000 supplied lies which is sad - they seem to think I'm their enemy, I wonder why. I don't know why I'm in this mess, honestly. Creeps don't exactly put their hand up and claim responsibility like in the News. But my gut says it's related to child exploitation. I started to write about it, and the backlash was...whoa. I was still reeling when my world came crashing down. Spent most of the year just trying to get online, but then I'm pretty dull in many ways. I've mostly been OD'ing on creepy discoveries since then. I'm happy to supply more specific information, but if I'm gonna get out of this mess, I'm gonna need a lot of help with UEFI - that's where all the unanswered questions start. Apple don't seem to know anything about it. Intel aren't concerned, but they are sympathetic. 
    Not enough to give answers to direct questions or look at evidence of BIOS / EFI partition corruption / manipulation, just sympathetic enough to offer me refunds and to tell me not to worry. I wasn't worried, until then. I have hundreds of non-default images, drivers, unknown's, my RAM is a god-awful mess I think...ah it's all a huge mess in there (and you can probably surmise my level of 'expertise'). Secure Boot? I'm going to be sick. And it's mostly write-protected, attempts to delete especially peculiar handles come up as "unsupported function" or similar so...not sure how it works from this point, does Apple have an escalated Support number? Cause I can't keep on calling their frontline and going around in circles when they don't know anything about UEFI or the system boot process.
    MacBook Air, Mac OS X (10.7.2)

  • Camelot, Level 8 (44,940 points), San Jose, CA
    Re: Can someone confirm the legitimacy of these "Unknown" restore images? Nov 19, 2011 10:38 PM (in response to goscuter1)


    goscuter1 wrote: But when I boot from the Recovery Partition or the Internet recovery process, these images all get loaded up every time. I have reason to believe they're dubious
    What's the basis for your fears? That looks like a typical Recovery Boot setup. I suspect it's due to the fact the various recovery mount points are stored as compressed disk images and are uncompressed on mount (which is why you get 1.4GB of data out of a 650MB partition). In short, I'm not worried about it. Why do you think it's wrong?

    -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ---------------------------------------------------------------


    2 Answers

    Accepted answer (6 votes)


    It's rather complicated, and actually a lot of the complexity is to avoid wasting space; I don't think you can "reclaim" anything without breaking it.

    Let me start at the beginning: your hard drive (/dev/disk0) has two relevant partitions: Macintosh HD (your regular startup volume), and Recovery HD.

    Recovery HD is marked in the partition table with the type Apple_Boot, but is actually in the normal HFS+ format. It contains minimal booter files and kernel, and at /com.apple.recovery.boot/BaseSystem.dmg, a disk image with a stripped-down and tweaked copy of OS X. The booter mounts this volume (it attaches as /dev/disk1), and transfers to OS X running on it. This is the Mac OS X Base System.

    Notice that the Recovery HD is only 650MB, but Mac OS X Base System is 1.4GB? That's because it's a compressed disk image (and I'm pretty sure that compression is the reason they bother with all this disk image trickery). Actually, BaseSystem.dmg is compressed down to only 451MB (at least in OS X v10.7.0).

    Also, the volume naming is somewhat inconsistent. You've got /dev/disk1s3 named "Recovery HD", but for some reason it's mounted as "/Volumes/Image Volume" in recovery mode. BaseSystem.dmg has a volume named "Mac OS X Base System".

    So that's disk0 and disk1; what about the rest? I'm not certain, but I'm pretty sure they are RAM disks to save temporary data in folders OS X modifies as it runs (remember that in recovery mode, you're running from a read-only disk image). Running the mount command in recovery mode is informative:

    $ mount
    /dev/disk1s3 on / (hfs, local, read-only)
    devfs on /dev (devfs, local, nobrowse)
    /dev/disk2 on /Volumes (hfs, local, union, nobrowse)
    /dev/disk3 on /private/var/tmp (hfs, local, union, nobrowse)
    /dev/disk4 on /private/var/run (hfs, local, union, nobrowse)
    /dev/disk5 on /System/Installation (hfs, local, union, nobrowse)
    /dev/disk6 on /private/var/db (hfs, local, union, nobrowse)
    /dev/disk7 on /private/var/folders (hfs, local, union, nobrowse)
    /dev/disk8 on /private/var/root/Library (hfs, local, union, nobrowse)
    /dev/disk9 on /Library/ColorSync/Profiles/Displays (hfs, local, union, nobrowse)
    /dev/disk10 on /Library/Preferences (hfs, local, union, nobrowse)
    /dev/disk11 on /Library/Preferences/SystemConfiguration (hfs, local, union, nobrowse)
    /dev/disk12 on /Library/Keychains (hfs, local, union, nobrowse)
    /dev/disk0s2 on /Volumes/Macintosh HD (hfs, local, journaled)
    /dev/disk0s3 on /Volumes/Image Volume (hfs, local, read-only, journaled)

    Those "union" attributes mean that things in the relevant folder in the startup volume will be visible, but anything modified gets stored in what I'm pretty sure is a RAM disk.

    If you want to look at this stuff yourself, you can mount the relevant volumes from the regular OS:

    # Mount "Recovery HD":
    $ diskutil mount /dev/disk0s3
    # Mount "Mac OS X Base System":
    $ hdiutil mount /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg -noverify



    Thanks! I think I got what I needed. So essentially, the whole disk1 is nothing but a mounted realization of the disk image stored in Recovery HD. It only exists if and when Recovery mode is run. Only the Recovery HD disk0 partition is actually taking up physical disk space. I suppose I could merge this partition with my Macintosh HD partition if I really wanted to get the space back, but of course Recovery mode would not be available then.
    Jason Waldrop Aug 25 '11 at 17:42


    Yup, that's about it.
    Gordon Davisson Aug 25 '11 at 17:54

    If you have broadband Internet and are ready to totally wipe the drive, you could use the Internet Recovery method of Lion Recovery to free up the disk0 and partition / erase the drive.

    Be sure you have verified a backup of any data you want to save as this will wipe the SSD clean and let you install Lion and the normal recovery HD as it should be.

    AppleCare will certainly walk you through this for free as you are in the complimentary support window for 90 days after purchase.

    answered Aug 24 '11 at 1:58 by bmike (http://apple.stackexchange.com/users/5472/bmike)



    What is the 'Mac OS X Base System' disk image on my 2011 MacBook AIr?




    On my 2011 MacBook Air with Mac OS X Lion, and I boot into Recovery mode via holding the command-R key during startup, if I go into Terminal and do a diskutil list, I get a list of 12(!) logical disks. disk0 is of course the disk holding the main HD and the Recovery HD partitions (along with the GUID partition and the EFI partition). But there is also a disk1 with partitions including one titled Mac OS X Base System that is approximately 1.39 GB big. There also are 10 other disks of varying but small sizes.

    What are these other logical disks (and partitions) and is there any way to reclaim their space?

    Update: Here is a copy of the diskutil list output: output


    On occasion people have received macs where the factory imaging process left data not intended to ship. I'd love a peek at the exact listing out of curiosity before you nuke it.
    bmike Aug 24 '11 at 1:51



    I have done this but this approach does not erase these other logical disks. In fact, you can see Mac OS X Base System in Disk Utility (under Recovery mode of course) but Disk Utility won't let you erase it. I'm wondering if it forms some sort of "core" of Mac OS X Lion to use during the recovery process since when doing an Internet Recovery it says "downloading additional components".
    Jason Waldrop Aug 24 '11 at 2:06


    If you are not booted from a network image or an external drive, Disk Utility always prevents you from erasing a drive that is in use. Normal recovery might not have enough freedom to undo this if it's core storage or something else tricky from the factory imaging process.
    bmike Aug 24 '11 at 2:21
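An added example, not part of this thread or of either quoted discussion: a Python triage script that applies the explanation above to captured Recovery-mode output, marking a union mount as expected only when its path appears in both listings quoted in this thread and its backing disk is a single small "untitled" device. The 16 MB ceiling, the function names and the last two sample mount lines (with disk16) are assumptions made for the example; the expected set comes from the thread's listings, not from Apple documentation.

```python
"""Triage `mount` and `diskutil list` output captured in OS X Recovery mode."""
import re

# Union overlay mount points present in both Recovery listings quoted in the thread.
EXPECTED_OVERLAYS = {
    "/Volumes", "/private/var/tmp", "/private/var/run", "/System/Installation",
    "/private/var/db", "/private/var/folders", "/private/var/root/Library",
    "/Library/ColorSync/Profiles/Displays", "/Library/Preferences",
    "/Library/Preferences/SystemConfiguration", "/Library/Keychains",
}
MAX_OVERLAY_BYTES = 16 * 10**6  # assumption: largest overlay in the thread is 6.3 MB
UNITS = {"KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}

MOUNT_RE = re.compile(r"^(\S+) on (.+) \(([^)]*)\)$")
ENTRY_RE = re.compile(r"^(\d+):\s+(.*?)\s+\*?([\d.]+) (KB|MB|GB|TB)\s+(\S+)$")


def parse_mount(text):
    """Return a list of (device, mount_point, set_of_options)."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            opts = {o.strip() for o in m.group(3).split(",")}
            mounts.append((m.group(1), m.group(2), opts))
    return mounts


def parse_diskutil(text):
    """Return {whole_disk: [(description, size_bytes, identifier), ...]}."""
    disks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"/dev/disk\d+", line):
            current = line
            disks[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            size = round(float(m.group(3)) * UNITS[m.group(4)])
            disks[current].append((m.group(2), size, m.group(5)))
    return disks


def triage(mount_text, diskutil_text):
    """Classify every mount; return {mount_point: (verdict, reason)}."""
    disks = parse_diskutil(diskutil_text)
    report = {}
    for dev, point, opts in parse_mount(mount_text):
        if "union" not in opts:
            report[point] = ("info", "regular mount")
            continue
        entries = disks.get(dev)
        if point not in EXPECTED_OVERLAYS:
            report[point] = ("review", "union mount on a path outside the known set")
        elif entries is None:
            report[point] = ("review", "backing device missing from diskutil list")
        elif len(entries) != 1 or entries[0][0] != "untitled":
            report[point] = ("review", "backing device is partitioned or named")
        elif entries[0][1] > MAX_OVERLAY_BYTES:
            report[point] = ("review", "overlay larger than expected for a scratch disk")
        else:
            report[point] = ("expected", "small unpartitioned scratch overlay")
    return report


# Constructed sample: the first six mount lines follow the thread's listing; the
# last two mount lines and disk16 are invented here to exercise the review paths.
SAMPLE_MOUNT = """\
/dev/disk3s3 on / (hfs, local, read-only)
devfs on /dev (devfs, local, nobrowse)
/dev/disk4 on /Volumes (hfs, local, union, nobrowse)
/dev/disk9 on /private/var/folders (hfs, local, union, nobrowse)
/dev/disk14 on /Library/Keychains (hfs, local, union, nobrowse)
/dev/disk0s2 on /Volumes/Untitled 1 (hfs, local, journaled)
/dev/disk16 on /Library/Preferences (hfs, local, union, nobrowse)
/dev/disk17 on /usr/local (hfs, local, union, nobrowse)
"""
SAMPLE_DISKUTIL = """\
/dev/disk4
   #: TYPE NAME SIZE IDENTIFIER
   0: untitled *524.3 KB disk4
/dev/disk9
   0: untitled *6.3 MB disk9
/dev/disk14
   0: untitled *1.0 MB disk14
/dev/disk16
   0: untitled *2.1 GB disk16
"""

if __name__ == "__main__":
    for point, (verdict, reason) in triage(SAMPLE_MOUNT, SAMPLE_DISKUTIL).items():
        print(f"{verdict:8} {point:28} {reason}")
```

A "review" verdict only means the entry differs from the listings quoted here; it is a prompt to compare against a known-good machine of the same model and OS version.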



Aug 15, 2013 11:43 PM in response to snarez

I am currently victim of the most sophisticated rootkit I have ever encountered and I believe it exists at the EFI/BIOS level (beyond my Mac comps.. also owned the ROM in my Apple USB keyboard, all comps/external HDs, iPhone/Pad, PCs). I think that it is insulting to users (enlightened or not) to deny the possibility of their suspicions and to publicly flame them on an official discussion board. Check this (and it's a year old..) http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf


Just got back from a fresh OS install @ Apple store and my MacBook's network activity is off the charts.. busy at the botnet party haha. All my hardware is trash right now as far as I'm concerned.

Jun 6, 2017 8:09 AM in response to JerryS1109

Yeah I'd like to agree. Just found some really odd stuff in the nvram of a newly wiped and restored Mac with nothing installed yet. It's very odd because it refers to an app from the Mac App Store that had not been installed on the computer which had its hard drive wiped before a restore. Of course it's giving this message that says a critical update is required (doesn't sound right and I've been getting the same message after restoring on at least 10.12.3 - 10.12.5); also a process called "Unknown" is generating log messages in the installer log.


The nvram output refers to Thor Anti-Virus which is currently the #2 seller on the App Store. It's complete garbage and I don't say that easily about AV software but this one and its developer "Amelia Dyballa" who uses all of these unusual images of what I think what is implying is the developer that give me the vibe something is off. I don't get how the nvram would refer to something which has never been on the computer in fact I was only able to boot by using safe mode which I then turned the computer off after 5 minutes and booted to recovery to check the nvram and look around there.


I personally think I may have a mach rootkit https://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf and using rootkit hunter previously has identified a range of issues with the configuration of my computers. Not entirely sure if that's due to malware or Sierra. Wonderful thing to wonder though.


Invalid kext and invalid certificates are an obvious issue on the computer and it's funny that its 2017 but many of the people who I thought would have been knowledgeable or of some assistance are stuck in the 2012 attitude of the people who responded to this post can't even use the terminal. While the OP may have been a little paranoid, referencing some poorly written material or not providing clear evidence, the people who responded are just as poorly informed. Here's some early stuff from 2009 Mac OS X Rootkit Tools Released | The Mac Security Blog and some info on stack exchange from users who probably wouldn't touch this forum with a 10 foot firewire macosx - Rootkits on Mac OS X - Information Security Stack Exchange.

Aug 16, 2013 1:46 PM in response to willyrhythm

As already mentioned, you can't just run a tool like netstat without knowing what the results are and call it proof of some kind of malware. You would also be better served by creating your own topic with your own specific details, instead of tacking onto an existing topic that has been abandoned months ago by most that could help with whatever problem you do have.


And by the way, those results don't show any specific connections and look normal to me (the system has a lot of "network" traffic such as time servers, CUPS, Bonjour, etc) - you can look up standard port numbers and their uses at sites such as Wikipedia.

May 9, 2013 2:06 PM in response to etresoft

Here is a little bit of knowledge for you guys who either seem to turn a blind eye or are in complete denial of the facts.. Read up and learn:



DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits

Black Hat USA 2012

Loukas K (snare)

assurance



Table of Contents

Introduction

Background
  What is EFI?
  EFI architecture & boot process
  Developing for EFI

Attacks using EFI
  Attacking FileVault
  Patching the kernel

Persistence & loading drivers
  Boot device
  PCI expansion ROMs
  Expansion ROMs on external devices
  EFI firmware flash
  Exploring firmware volumes
  Writing to firmware flash

Defense
  Firmware password
  Secure Boot

Conclusion

References

About the author



Introduction

Attacks against PC firmware have been a threat since the early days of malware, beginning with the venerable MBR virus and quickly moving on to more advanced attacks. In 1998 we saw the CIH/Chernobyl malware infect many systems around the world, rendering some systems completely unbootable by corrupting the system's BIOS. In more recent times we have seen proof-of-concept rootkits (such as IceLord and Rakshasa[1]), and malware in the wild (such as Mebromi) that are able to overwrite the BIOS with a malicious version that enables the malware to persist in the system and interfere with the boot process. This type of malware can persist solely in the BIOS EEPROM on the motherboard, without requiring the storage of any files on the system’s internal hard disk. This means that the malware can persist across operating system reinstalls, disk formats, and even the replacement of the hard disk.

With the advent of the Extensible Firmware Interface (EFI), malware developers are given new opportunities to infect a wide range of new systems. A detailed specification, common reference implementation upon which most vendor implementations are based, and a full-featured development kit enable both legitimate firmware developers and malware developers alike to build cross-platform code with much greater ease than developing for the legacy BIOS.

Apple was one of the earliest adopters of the EFI firmware when they utilised it in their range of Intel-based Macs beginning in 2006. Apple's EFI implementation includes support for a number of common hardware components used in Mac systems, and Mac-specific features like the HFS+ filesystem, but is still based on the same specification and reference implementation as other vendors. More recently, EFI has been implemented by a number of PC motherboard vendors to replace the legacy PC BIOS, further highlighting the possibility for attacks against EFI.

This paper discusses the current state of EFI-based malware, and how it may be implemented in order to attack Apple Mac systems. In the presentation accompanying this paper, proof-of-concept attacks will be demonstrated that utilise a number of the techniques discussed herein.

Background

What is EFI?

In 1998, Intel began a project initially known as the Intel Boot Initiative to develop a specification for a replacement for the PC BIOS, in an attempt to address some of its limitations. This project was eventually renamed EFI (Extensible Firmware Interface) and was developed by Intel until 2005 (EFI version 1.10), at which point it was handed over to a community group, the Unified EFI Consortium, and renamed UEFI (Unified Extensible Firmware Interface). Alongside the development of the specification, Intel developed a reference implementation called the Intel Platform Innovation Framework, codenamed "Tiano", and also known as “the Framework”. Tiano is the "preferred" implementation according to Intel, and it is the basis on which most IBVs (independent BIOS vendors) build their own implementation of the specification.

When Apple began manufacturing hardware using the Intel x86 CPU architecture in 2006, they also adopted EFI in favour of OpenFirmware, which they were previously using on their PowerPC-based hardware. Apple's EFI implementations are based on version 1.10 of the EFI specification, and presumably the same version of Intel's reference implementation.

EFI architecture & boot process

An EFI environment comprises a number of components – EFI core modules (SEC, PEI, DXE and BDS), drivers, applications and bootloaders. Generally, an EFI firmware image contains the core modules and a set of drivers for supporting at least the core hardware on the motherboard. It may also contain other common drivers, or applications such as the EDK Shell, a command shell for interacting with the EFI pre-boot environment. Apple's EFI implementations differ, as expected, from machine to machine depending on the hardware used in each type of system.

When an EFI system is powered on, the SEC (Security) phase of EFI is the first code that is executed within EFI. This phase serves as a root of trust for the system and handles platform reset events, among other things. The SEC phase hands off to the PEI (Pre-EFI Initialisation) phase, which is responsible for initialising the CPU and main memory, before handing execution off to the DXE phase.

The DXE (Driver eXecution Environment) phase is where the majority of the system initialisation takes place. First, the DXE core produces a set of Boot and Runtime Services. Boot Services provide drivers, applications and bootloaders that run within the EFI environment with a number of services such as allocating memory and loading executable images. Runtime Services provide services such as converting memory addresses from physical to virtual during the handover to the kernel, and resetting the CPU, to code running within the EFI environment or within the OS kernel once it has taken control of the system. Once these services have been established, the DXE dispatcher discovers and executes drivers from the firmware volume, expansion ROMs on devices connected to the PCIe bus, and connected disks.

When drivers are initialised they register “protocols”, which are blocks of pointers to functions and data structures that serve as the interface to the driver. The UEFI specification defines a number of core protocols that provide some of the main services like console input and output (Simple Text Input Protocol, Simple Text Output Protocol and Graphics Output Protocol), media access (Simple File System Protocol, EFI File Protocol, Disk I/O Protocol, etc), PCI bus support (PCI Root Bridge I/O Protocol, PCI I/O Protocol, etc), USB support (USB2 Host Controller Protocol and USB I/O Protocol), a series of network-related protocols, and many more. See the UEFI Specification[2] for a complete list of these protocols and the detail of their implementation.

Drivers can register for a number of notifications of events that occur within the EFI pre-boot environment. For example, a driver can request that it be notified whenever new protocols are installed on device handles, or it can request to be notified when the ExitBootServices() function is called to prepare the environment for the execution of the kernel.

Once the DXE phase has loaded and executed all the necessary drivers, it hands off execution to the BDS (Boot Device Selection) phase. This phase is responsible for discovering the possible boot devices, selecting one to boot from, loading the bootloader and executing it. On a Mac, when a boot device is selected as the default to boot from, the device path is stored in the system’s NVRAM. When the BDS phase is executed, it locates the disk using this NVRAM data, locates the bootloader using the HFS+ volume header, and executes it.

The bootloader is responsible for loading the kernel and executing it. Prior to executing the kernel, the bootloader calls the ExitBootServices() function from the Boot Services table, which informs EFI that it should prepare the environment for the kernel to take over control of the system. During this preparation, drivers who have registered for the ExitBootServices() event are notified so that they can free unnecessary memory and perform any other clean up tasks prior to the kernel’s execution.

The EFI boot process.

Developing for EFI

The open source part of Tiano is the EFI Development Kit (EDK), which contains the framework’s foundation code and some sample drivers. The current version of the EDK is EDK2 and is available for download from SourceForge[3]. EDK2 can be used in conjunction with a standard development toolchain to build drivers, applications and bootloaders for execution within an EFI environment. The majority of the EDK2 is written in C, with some assembly language components for various platforms, and some additional tools written in Python, Bash and other languages.

EFI components are developed in C, whereas modifications for the legacy PC BIOS generally need to be written in assembly language. A number of platforms can be targeted from this code, often without resorting to a great deal of low-level, platform-specific implementation (obviously this depends on the particular application). This process is further assisted by the EFI Byte Code format (EBC), which can be run on any EFI implementation. This is helpful to malware developers as they can easily deploy universal malware to target various different platforms.

EFI uses a modified subset of the PE32+ format for its executable images, which is a common executable format used by Microsoft Windows that many tools can generate and parse. This is also helpful for reverse engineering efforts, as common tools used for reverse engineering can understand and parse this format. IDA Pro, an advanced tool for disassembling binary images, can parse PE32+ and disassemble the EBC format.

Attacks using EFI

EFI's flexibility is a boon to driver and malware developers alike, as it makes building modular code that can be loaded and executed on a wide variety of EFI implementations much simpler than targeting the traditional PC BIOS. The simplest way to deploy malicious code for execution within the EFI environment is to build an EFI DXE driver that attacks the system, rather than supporting hardware. Once it is loaded into the system, such a driver can interfere with the boot process by hooking various protocols in the pre-boot environment, or by gaining execution within the context of the bootloader and patching the kernel prior to its execution.

Attacking FileVault

Deploying Apple’s full-disk encryption implementation, FileVault, slightly changes the boot process. On a non-FileVault system, the bootloader (boot.efi) is stored on the main OS partition in /System/Library/CoreServices. On a FileVault-encrypted system, the main OS partition is encrypted and cannot be accessed by the early stages of EFI in order to load the bootloader. As such, when FileVault is enabled the bootloader is relocated to the “recovery” partition, which is a partition at the end of the partition table otherwise used to boot the system into recovery mode for troubleshooting or reinstallation. When the system is booted, the bootloader is loaded from the recovery partition and presents the passphrase entry screen. The bootloader then uses the passphrase to “unlock” the CoreStorage volume on the primary OS partition and continue the boot process. An in-depth analysis of FileVault and the CoreStorage format has recently been undertaken by researchers[4]. It is recommended that this be referred to for more information on the internals of FileVault.

One way in which FileVault can be attacked from an EFI driver is by employing a traditional key-logging technique in order to capture the passphrase as it is entered by the user. Keystrokes are processed in the EFI pre-boot environment by the Simple Text Input protocol, which defines a function called ReadKeyStroke():

    typedef struct _EFI_SIMPLE_TEXT_INPUT_PROTOCOL {
        EFI_INPUT_RESET     Reset;
        EFI_INPUT_READ_KEY  ReadKeyStroke;
        EFI_EVENT           WaitForKey;
    } EFI_SIMPLE_TEXT_INPUT_PROTOCOL;

The relevant instance of this protocol is the one installed on the console device handle, and referred to by the EFI System Table’s ConIn variable:

    typedef struct {
        EFI_TABLE_HEADER                 Hdr;
        CHAR16                           *FirmwareVendor;
        UINT32                           FirmwareRevision;
        EFI_HANDLE                       ConsoleInHandle;
        EFI_SIMPLE_TEXT_INPUT_PROTOCOL   *ConIn;
        EFI_HANDLE                       ConsoleOutHandle;
        EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL  *ConOut;
        EFI_HANDLE                       StandardErrorHandle;
        EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL  *StdErr;
        EFI_RUNTIME_SERVICES             *RuntimeServices;
        EFI_BOOT_SERVICES                *BootServices;
        UINTN                            NumberOfTableEntries;
        EFI_CONFIGURATION_TABLE          *ConfigurationTable;
    } EFI_SYSTEM_TABLE;

The instance of the Simple Text Input Protocol that is initially installed and assigned to ConIn is replaced by the bootloader when the passphrase entry screen is called. As such, we need a way to update this new instance of the protocol before the passphrase is entered. In order to do so we can register for notifications when new protocols are installed on device handles, using the RegisterProtocolNotify() boot service. When the event is triggered and our driver is notified, we can save a pointer to the ReadKeyStroke() function in the Simple Text Input protocol instance, and overwrite the pointer with a pointer to our own function. When our ReadKeyStroke() function is called, we simply save the key that was pressed into a buffer and call the real ReadKeyStroke(). When the driver is unloaded, or the ExitBootServices() function is called and the malicious driver is notified, it can write the key buffer to a file or transmit it over the network to the waiting attacker.

Patching the kernel

Pre-boot malware typically interferes with the loading of the OS kernel, and patches it before it is executed, in order to modify the kernel’s behaviour once it is in control. In order to do this from a malicious EFI driver we need to wait until the kernel has been loaded, as the kernel is not in memory at the point that the EFI driver is loaded and initialised. The notification for the ExitBootServices() function happens to be triggered once the kernel is in memory, so it is an opportune time at which to patch the kernel image.

Before we can patch the kernel in memory we need to locate it. Inspecting the kernel Mach-O binary image informs us of its virtual memory location once it is loaded:

    $ otool -l /mach_kernel
    /mach_kernel:
    Load command 0
          cmd LC_SEGMENT_64
      cmdsize 472
      segname __TEXT
       vmaddr 0xffffff8000200000
       vmsize 0x000000000052e000

We can see that the first segment of the kernel image is loaded at the VM address 0xffffff8000200000. If we inspect this memory location on a booted Mac OS X system using GDB we can see that the value at this address is the magic number that corresponds to a 64-bit Mach-O binary:

    gdb$ x/x 0xffffff8000200000
    0xffffff8000200000: 0xfeedfacf

EFI uses a flat, 32-bit memory model, rather than the 64-bit memory model with canonical upper and lower halves that the OS kernel uses, so in the EFI environment the kernel image is located at 0x00200000.

Since the kernel is not executing at this point and we do not have the facility to allocate memory in the kernel’s memory map, we need a location in the kernel image in which we can store our payload. In the proof-of-concept rootkit implemented by the author, the age-old technique of storing a payload in the page-alignment padding between binary segments[5] is used.

The simplest proof-of-concept implemented to demonstrate patching the kernel from EFI is a basic syscall-hooking technique, as follows:

  1. Inject a binary payload into the page-alignment padding
  2. Locate the sysent table within the kernel image
  3. Overwrite the address in the sysent table of the kill() syscall with the address of the payload

The payload is called when the kill() syscall is called by the kernel, and performs the following operations:

  1. Call the original kill() implementation
  2. Check the parameters for a trigger value
  3. If the trigger value is present, promote the calling process to uid 0

Below is an example of a driver patching the kernel at boot time to deliver this type of payload:



Proof-of-concept rootkit “Defile” patching the kernel at boot.

The main limitation of this approach is the limited space in which we can store a payload. Mach-O binary segments are aligned on page boundaries, and pages are 4096 bytes in size. This means we have an absolute maximum of 4KB in which to store our payload, but in practice we have less due to the actual kernel code encroaching on our buffer space. There are various payload storage options available to the malware developer to solve this problem; however, the author chose to store the payload in the system’s NVRAM in the proof-of-concept implementation. We could also store the second stage payload in Runtime Services memory, or load it over a network connection.

Prior to patching the kernel, the EFI driver stores the second-stage payload in NVRAM using the SetVariable() Boot Services function. In order to access the second-stage payload in NVRAM, a small first-stage payload is injected into the page-alignment padding as discussed above. In the proof-of-concept implementation, the author chose to “hook” the execution of the kernel early in its initialisation stages in order to load the second stage payload from NVRAM before the user or the kernel has much opportunity to detect and/or interfere with the payload. This was achieved by overwriting the first instructions of the load_init_program() function in the XNU kernel with a jump to the first-stage payload located in the page-alignment padding. The first-stage payload performs the following operations:

  1. Save the state of the CPU
  2. Locate the NVRAM device via IOKit
  3. Locate the second-stage payload within NVRAM
  4. Call the second-stage payload initialisation
  5. Restore the patched instructions at the beginning of load_init_program()
  6. Restore the state of the CPU
  7. Jump back to the patched function, load_init_program()

In the proof-of-concept implementation, the second-stage payload’s initialisation process performs the following tasks:

  1. Allocate some memory in the kernel memory map
  2. Copy the hooked kill() syscall payload used previously to this memory
  3. Locate the sysent table
  4. Overwrite the kill() syscall in the sysent table with a pointer to our function

This may seem like a convoluted design to deploy such a simple payload like a hooked syscall, but it demonstrates the possibilities that could be implemented for a larger, more complex rootkit payload.

Persistence & loading drivers

There are a number of locations in which EFI-based malware can be stored in order to persist on a system – the primary boot device (ie. HDD or SSD), expansion ROMs on PCI devices, and the EEPROM containing the EFI firmware itself.

Boot device

The obvious place for malware to persist is the system's boot device. EFI-based malware, unlike malware targeting the OS kernel or applications, has fairly limited options for infecting the Mac OS X boot device. The EFI specification defines a partition at the beginning of the partition table called the EFI System Partition (ESP). This partition is to be used to store drivers and bootloaders for various platforms and operating systems. Unfortunately for the malware developer, Apple’s implementation does not use this partition for its intended purpose. Instead, the ESP is used to stage firmware updates (see below).

The most useful option for infecting the boot device with EFI-based malware is patching or replacing the Mac OS X bootloader – boot.efi. In much the same way that a replacement bootloader, such as rEFIt[6] is installed, a malicious bootloader can be installed onto the drive and assigned as the live bootloader using the bless utility (or a replication of its functionality). This method has been discussed previously[7] and was not explored extensively in this research.

Furthermore, simple “evil maid” attacks can be carried out on systems not protected by an EFI firmware password by using the BDS phase’s boot menu (holding down the Option key at boot) to boot from an external USB mass storage device (such as a USB flash disk), FireWire disk, or network boot source.

PCI expansion ROMs

Attacks utilising PCI expansion (or "option") ROMs have been considered for some time now. John Heasman discussed the possibilities for option ROM-based attacks in his 2007 paper, Implementing and Detecting a PCI Rootkit [8], and it is the author's opinion that the threat has not diminished since then.

Modern Macs use a PCI Express (PCIe) bus to connect on-board peripherals such as the graphics card to the system. PCIe is also used to connect external peripherals to the system via the Thunderbolt expansion port. When the EFI firmware initialises the PCIe bus in the early stages of platform initialisation, it enumerates devices on the PCIe bus and executes drivers it finds in expansion ROMs connected to these devices. This operation is performed as a part of the normal initialisation of the system, as the firmware contained in the primary EFI flash chip on the logic board may not necessarily contain appropriate drivers to interact with all connected devices in the pre-boot environment. For example, when booting from a SATA adapter connected to the PCIe bus, the firmware needs to be able to interact with the SATA controller in order to read disks connected to this adapter.

In the same way that they are used to store legitimate drivers to support hardware, expansion ROMs can be used to store malicious EFI drivers. Addendums to the EFI specification provide details on how PCI option ROM images are to be structured in order to contain EFI DXE drivers. It is also possible for an option ROM image to contain both an EFI driver and a traditional BIOS driver – allowing for cross-platform payloads that can be used to attack legacy BIOS and EFI systems alike.

A number of current Mac systems utilise on-board PCIe devices that contain option ROMs. For example, some MacBook Pro systems contain an expansion ROM on the higher-performance video card. The video cards used in iMacs also contain expansion ROMs, as do some Ethernet chipsets used in various models of Macs. These are all very stealthy locations for malware to be stored, where it is unlikely to be detected.

Expansion ROMs can be written to from Mac OS X using a kernel-space driver, like DirectHW.kext[9]. The flashrom[10] utility communicates with various chipsets using the DirectHW driver to read and write the attached EEPROM or flash chips via the SPI protocol. Many vendors, for example Broadcom and ATI, also provide utilities for flashing the expansion ROMs on their devices.



Expansion ROMs on external devices

As described previously, PCIe devices are enumerated during the early stages of EFI initialisation, and any drivers discovered are loaded and executed. This applies to on-board devices and devices connected via PCIe bus expansions such as ExpressCard and Thunderbolt.

The author has implemented proof-of-concept “evil maid” attacks utilising the recently-released Apple Thunderbolt to Gigabit Ethernet Adapter and an ExpressCard SATA adapter as payload delivery mechanisms. To prepare the delivery mechanism for such an attack, we need to generate an option ROM image from our malicious EFI driver. This can be achieved using the EfiRom utility, which is part of the BaseTools package in EDK2. The chipset in question is a Broadcom BCM57762, the PCI vendor ID for which is 0x14E4, and the device ID is 0x1682, but the Broadcom utility seems to want 0x0001 as the PCI vendor ID and 0x8003 is the PCI device ID, so that’s what we’ll use:

$ EfiRom -f 0x0001 -i 0x8003 -e defile.efi -o defile.rom

We can also use the EfiRom utility to inspect the ROM image we’ve created:



    $ EfiRom -d defile.rom
    Image 1 -- Offset 0x0
      ROM header contents
        Signature                      0xAA55
        PCIR offset                    0x001C
        Signature                      PCIR
        Vendor ID                      0x0001
        Device ID                      0x8003
        Length                         0x001C
        Revision                       0x0003
        DeviceListOffset               0x00
        Class Code                     0x000000
        Image size                     0x4E00
        Code revision:                 0x0000
        MaxRuntimeImageLength          0x00
        ConfigUtilityCodeHeaderOffset  0x00
        DMTFCLPEntryPointOffset        0x00
        Indicator                      0x80 (last image)
        Code type                      0x03 (EFI image)
      EFI ROM header contents
        EFI Signature                  0x0EF1
        Compression Type               0x0000 (not compressed)
        Machine type                   0x8664 (unknown)
        Subsystem                      0x000B (EFI boot service driver)
        EFI image offset               0x0038 (@0x38)



Once we have the malicious driver in an option ROM image we can boot into a FreeDOS system with the adapter connected and use the Broadcom B57UDIAG.EXE utility to flash it to the expansion ROM on the Thunderbolt to Gigabit Ethernet Adapter as its PXE firmware:

C:\B57UDIAG\> b57udiag.exe –ppxe defile.rom

Once the option ROM image has been written, we can boot the machine into Mac OS X with the adapter connected and the device driver will be loaded at boot time, and the kernel patched at the ExitBootServices() callback as previously described.

Initially this attack was developed using an ExpressCard SATA adapter connected to the Mac via an ExpressCard to Thunderbolt adapter, pictured below.



The first incarnation of the “evil maid” attack apparatus.

This attack was then adapted to utilise the Apple Thunderbolt to Gigabit Ethernet Adapter, resulting in a much stealthier payload delivery mechanism.



The second incarnation of the “evil maid” attack – pretty stealthy.

The output of lspci shows the presence of an expansion ROM on the adapter:

    08:00.0 Ethernet controller: Broadcom Corporation Device 1682
            Subsystem: Apple Computer Inc. Device 00f6
            Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
            Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
            Latency: 0, Cache Line Size: 128 bytes
            Interrupt: pin A routed to IRQ 11
            Region 0: Memory at acb00000 (64-bit, prefetchable) [size=64K]
            Region 2: Memory at acb10000 (64-bit, prefetchable) [size=64K]
            Expansion ROM at acb20000 [disabled] [size=64K]

--snip--

EFI firmware flash

The ultimate goal for this type of malware is to persist within the EFI firmware itself. If this is done successfully, as it has been done in the past on some PC motherboards[11], the attacker can modify everything within the firmware volume – the core phases of EFI and all other executables contained within the firmware image.



Exploring firmware volumes

The firmware image format used on Apple Mac systems is the same format specified by Intel’s documentation[12][13][14].

While investigating the EFI firmware volume format, the author developed a tool in Python to disassemble firmware volumes. This tool has not been released; however, other tools have been released for doing similar disassembly. Example output from this tool showing some of the EFI drivers contained within the MacBook’s firmware image:



    [Firmware Volume]
    Offset          0x0 (0)
    FileSystemGuid  7a9354d9-0468-444a-81ce-0bf617d890df
    FvLength        0x190000 (1638400)
    Signature       '_FVH'
    Attributes      0xffff8eff (4294938367)
    HeaderLength    0x48 (72)
    Checksum        0xdefd (57085)
    Revision        0x1 (1)
    [FvBlockMap]
    NumBlocks 25, BlockLength 65536
    Files:

--snip--

Writing to firmware flash



It is possible to communicate with the flash chip containing the EFI firmware on many Mac systems, and overwrite the EFI flash image. For example, we can communicate with the Intel ICH8M chipset on this MacBook with flashrom, and see the SST 25VF016B flash chip containing the EFI firmware:



    # flashrom
    flashrom v0.9.5-r1504 on Darwin 11.3.0 (x86_64), built with libpci 3.1.7, LLVM Clang 3.1 (tags/Apple/clang-318.0.54), little endian
    flashrom is free software, get the source code at http://www.flashrom.org

    Calibrating delay loop... OK.
    Mapping low megabyte at 0x00000400, unaligned size 0xffc00.
    Mapping low megabyte, 0xffc00 bytes at unaligned 0x00000400.
    sh: dmidecode: command not found
    dmidecode execution unsuccessful - continuing without DMI info
    Found chipset "Intel ICH8M". Enabling flash write... BBAR offset is unknown on ICH8!
    OK.
    Found SST flash chip "SST25VF016B" (2048 kB, SPI) at physical address 0xffe00000.
    No operations were specified.

When the author overwrote the firmware flash with a new (valid) firmware image containing the original firmware and a malicious driver, the machine ceased to boot. Manual intervention was required to re-flash the original firmware by using an external flashing tool (a Bus Pirate by Dangerous Prototypes) to communicate directly with the flash chip via SPI:



Anecdotal evidence has indicated that Mac systems also contain a “boot ROM”, which is executed before the EFI firmware and verifies the integrity of the firmware image including its cryptographic signature at the end of the firmware volume. If the firmware image is not deemed to be valid, the system generates the “S.O.S.” beep sound (literally “S O S” in Morse code) and refuses to boot. The author has not explored this any further; however, it may be a future area of research.



Defense

There are a number of defensive measures that can be taken against this kind of attack – some by the user, and some by the vendor.

Firmware password

Apple has implemented password-protection on the BDS (Boot Device Selection) phase of the EFI firmware in order to prevent "evil maid" attacks where an attacker has gained physical access to a system and can interfere with the boot process. This mechanism prevents attackers from executing malicious EFI drivers and applications from devices connected to the USB, FireWire and network interfaces, but does not protect the user from malicious drivers loaded from devices connected directly to the PCIe bus via ExpressCard or Thunderbolt.

Furthermore, there have been a number of examples where the firmware password protection has been bypassed by techniques involving removing memory from the system. Newer Mac notebooks do not have removable memory, so these attacks may not be applicable to them.

Despite the attacks against the EFI firmware password protection, and the fact that this mechanism does not protect the user from drivers loaded from PCI devices, it is recommended that users apply this setting to their systems to mitigate the risk of simple “evil maid” attacks.

Secure Boot

The UEFI 2.3.1 specification defines a process for authenticating executable images to be executed by the EFI environment, known as “Secure Boot”. Approved vendors sign their drivers, bootloaders and applications with a cryptographic key. A database of allowed vendor keys is stored in secure, non-volatile storage, and these keys are used to verify the signatures within executables that are to be loaded and executed. Executables that are not signed by approved vendors are refused execution. A successful implementation of this process would mitigate the risk of many attacks described herein.

Previous generations of Mac systems have included a Trusted Platform Module (TPM) on the logic board, which was, to the knowledge of the author, unused. In an implementation of Secure Boot by Apple, the TPM would be used to store and generate cryptographic keys used in the Secure Boot process.

Attacks against, and the implementation of, Secure Boot have not been explored thoroughly in this research, however it is suggested that Apple implement Secure Boot in a future version of their EFI firmware.

Conclusion

This paper has demonstrated that there are a number of ways in which the EFI firmware used in modern Macs and other systems can be used in attacks against the operating system and the user. These attacks can be undertaken against a wide range of hardware and software configurations with a great deal of ease, compared to similar attacks against the legacy PC BIOS, due to the standardised and cross-platform nature of the EFI specification and its supporting technologies.

References

  1. Hardware Backdooring is Practical – Jonathan Brossard & Florentin Demetrescu, Hackito Ergo Sum 2012
     http://2012.hackitoergosum.org/blog/wp-content/uploads/2012/04/HES-2012-jbrossard_fdemetrescu-Hardware-Backdooring-is-pratical.pdf

  2. UEFI Specification
     http://www.uefi.org/specs/

  3. EFI Development Kit II
     http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2

  4. Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption
     http://eprint.iacr.org/2012/374.pdf

  5. Runtime Kernel kmem Patching – Silvio Cesare
     http://althing.cs.dartmouth.edu/local/vsc07.html

  6. rEFIt
     http://refit.sourceforge.net/

  7. Hacking the Extensible Firmware Interface – John Heasman, 2007
     https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf

  8. Implementing and Detecting a PCI Rootkit – John Heasman, 2007
     http://www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf

  9. DirectHW, part of the CoreBoot project
     http://www.coreboot.org/DirectHW

  10. Flashrom
     http://flashrom.org/

  11. Attacking the Intel BIOS – Invisible Things Labs, 2009
     http://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf

  12. Intel Platform Innovation Framework for EFI – Firmware Volume Specification
     http://download.intel.com/technology/framework/docs/Fv.pdf

  13. Intel Platform Innovation Framework for EFI – Capsule Specification
     http://download.intel.com/technology/framework/docs/Capsule.pdf

  14. Intel Platform Innovation Framework for EFI – Firmware File System Specification
     http://download.intel.com/technology/framework/docs/Ffs.pdf

About the author

Loukas is the Principal Consultant at Assurance Pty Ltd in Melbourne, Australia. Assurance is a specialist, vendor-neutral consultancy providing security and mobility services for critical infrastructure, financial services and government.


<E-mail Edited by Host>
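For defenders, the option ROM fields shown in the EfiRom dump in the post above can be read back from a ROM dump to inventory which images a device carries and to compare them with a known-good baseline. This is an added example, not part of the original post or the paper it quotes; the function names and the two-image sample ROM are constructed for illustration, and only the header values (0x0001/0x8003, PCIR at 0x1C, EFI image at 0x38, machine 0x8664, subsystem 0x0B) are taken from that dump.

```python
import hashlib
import struct

# Code types, machine types and subsystems as defined by the PCI firmware
# and UEFI/PE specifications.
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware",
              0x02: "HP PA-RISC", 0x03: "EFI"}
MACHINES = {0x014C: "IA32", 0x0200: "IA64", 0x0EBC: "EBC", 0x8664: "x64"}
SUBSYSTEMS = {0x0A: "EFI application", 0x0B: "EFI boot service driver",
              0x0C: "EFI runtime driver"}


def parse_option_rom(rom):
    """Walk every image in a PCI expansion ROM dump and describe it."""
    images, offset = [], 0
    while offset + 0x1A <= len(rom):
        if struct.unpack_from("<H", rom, offset)[0] != 0xAA55:
            break  # no further image header
        # Offset 0x18 of the ROM header points at the PCI data structure.
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if pcir + 0x16 > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError("image at 0x%X has no valid PCIR structure" % offset)
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        units = struct.unpack_from("<H", rom, pcir + 0x10)[0]  # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", rom, pcir + 0x14)
        size = units * 512
        if size == 0 or offset + size > len(rom):
            raise ValueError("image at 0x%X has a bad length" % offset)
        info = {
            "offset": offset, "size": size,
            "vendor_id": vendor, "device_id": device,
            "code_type": CODE_TYPES.get(code_type, "unknown (0x%02X)" % code_type),
            "last": bool(indicator & 0x80),
            "sha256": hashlib.sha256(rom[offset:offset + size]).hexdigest(),
        }
        if code_type == 0x03:
            # EFI images carry an extra header directly after the signature.
            sig, subsystem, machine, compression = struct.unpack_from(
                "<IHHH", rom, offset + 0x04)
            info.update(
                efi_signature_ok=(sig == 0x0EF1),
                subsystem=SUBSYSTEMS.get(subsystem, "unknown"),
                machine=MACHINES.get(machine, "unknown"),
                compressed=(compression != 0),
                efi_image_offset=struct.unpack_from("<H", rom, offset + 0x16)[0],
            )
        images.append(info)
        if info["last"]:
            break
        offset += size
    return images


def audit(rom, baseline_hashes):
    """Report images that are absent from a known-good set of SHA-256 hashes."""
    findings = []
    for img in parse_option_rom(rom):
        where = "image @0x%X (%s)" % (img["offset"], img["code_type"])
        if img["sha256"] not in baseline_hashes:
            findings.append(where + ": not in baseline")
        if img["code_type"] == "EFI" and not img["efi_signature_ok"]:
            findings.append(where + ": EFI code type but bad EFI signature")
    return findings


def build_sample_rom():
    """Constructed two-image ROM: a legacy image followed by an EFI image."""
    def image(code_type, last):
        img = bytearray(512)
        struct.pack_into("<H", img, 0x00, 0xAA55)
        if code_type == 0x03:
            # InitializationSize, EFI signature, subsystem, machine, compression
            struct.pack_into("<HIHHH", img, 0x02, 1, 0x0EF1, 0x000B, 0x8664, 0x0000)
            struct.pack_into("<H", img, 0x16, 0x0038)  # EFI image offset
        struct.pack_into("<H", img, 0x18, 0x001C)      # PCIR offset
        struct.pack_into("<4sHHHHB3sHHBB", img, 0x1C, b"PCIR", 0x0001, 0x8003,
                         0, 0x001C, 0x03, b"\x00\x00\x00", 1, 0,
                         code_type, 0x80 if last else 0x00)
        return bytes(img)
    return image(0x00, False) + image(0x03, True)


if __name__ == "__main__":
    sample = build_sample_rom()
    for entry in parse_option_rom(sample):
        print(entry)
    # An empty baseline flags every image; a real baseline would hold the
    # hashes of ROM images dumped from a device in a known-good state.
    print(audit(sample, set()))
```

Run against a ROM dumped from a device, the per-image hashes give a baseline that can be re-checked after the hardware has been out of the owner's control.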

May 7, 2013 10:20 AM in response to Samurai184

Not only is there no known malware of this sort for OS X, as Thomas has said, but you're claiming that it is triggered by the "About Downloads" PDF that appears in the Dock downloads stack of a fresh install. That is effectively claiming that OS X ships, from Apple, with a pre-installed rootkit embedded in it.


I'm also not aware of any way by which the ACPI subsystem can be used to "reset" (whatever that means) the EFI firmware. And what do you mean by "rogue apps", because that also is hard to interpret.


What is actually wrong with your system, symptomatically?

May 7, 2013 10:54 AM in response to thomas_r.

Well given the fact that it is not just myself who is infected and also that this is my 3rd macbook in 1 year because the other 2 efi's were compromised to the point where they were unusable, and also that I must've been to the mac store no less than 100 times in a year for these issues, I beg to differ. Here is what I can show you. This has been ongoing for over a year now.


I will try and show you as much as I can.


1) Here is what I see when I run mount from terminal:

/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)
map auto_home on /home (autofs, automounted, nobrowse)
localhost:/4zOta2Q9FMiMnRjTROIbhU on /Volumes/MobileBackups (mtmfs, nosuid, read-only, nobrowse)


Why on earth is /Volumes/MobileBackups my localhost is beyond me. I don't use iCloud and Mobile me is obsolete.


2) Here is what I show when I run ls -al /*/*/*/*.efi from root
-rw-r--r-- 1 root wheel 994464 May 1 00:33 /System/Library/CoreServices/boot.efi
-rw-r--r-- 1 root wheel 994464 Oct 2 2012 /usr/standalone/i386/boot.efi
-rwxr-xr-x 1 root wheel 115716 Dec 13 14:08 /usr/standalone/i386/tmbootpicker.efi


As far as I know my boot.efi should not change every time I boot my machine.


3) Here is something very interesting. When I run cd /dev followed by ls -al look what I have;


total 9
dr-xr-xr-x 3 root wheel 4597 May 6 08:48 .
drwxrwxr-t 32 root admin 1156 May 6 01:20 ..
crw------- 1 root wheel 14, 1 May 6 08:48 afsc_type5
crw------- 1 root wheel 8, 0 May 6 08:48 auditpipe
crw-r--r-- 1 root wheel 7, 1 May 6 08:48 auditsessions
crw------- 1 root wheel 18, 0 May 6 08:48 autofs
crw------- 1 root wheel 31, 0 May 6 08:48 autofs_control
crw-rw-rw- 1 root wheel 22, 0 May 6 08:48 autofs_homedirmounter
crw-rw-rw- 1 root wheel 21, 0 May 6 08:48 autofs_notrigger
crw-rw-rw- 1 root wheel 19, 13 May 6 08:48 autofs_nowait
crw------- 1 root wheel 23, 0 May 6 08:48 bpf0
crw------- 1 root wheel 23, 1 May 7 13:16 bpf1
crw------- 1 root wheel 23, 2 May 7 13:16 bpf2


4) ioreg -w 120

Please take note of everything that is unregistered (!registered)



| | | | +-o IGAccel2DContext <class IGAccel2DContext, id 0x100002ce8, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelDevice <class IGAccelDevice, id 0x100002cf1, !registered, !matched, active, busy 0, retain 6>

| | | | +-o IOAccelSharedUserClient <class IOAccelSharedUserClient, id 0x100002cf3, !registered, !matched, activ$

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002cf5, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelSurface <class IGAccelSurface, id 0x100002d00, !registered, !matched, active, busy 0, retain $

| | | | +-o IGAccelSurface <class IGAccelSurface, id 0x100002d01, !registered, !matched, active, busy 0, retain $

| | | | +-o IGAccelDevice <class IGAccelDevice, id 0x100002d16, !registered, !matched, active, busy 0, retain 6>

| | | | +-o IGAccelSurface <class IGAccelSurface, id 0x100002d2e, !registered, !matched, active, busy 0, retain $

| | | | +-o IGAccelSurface <class IGAccelSurface, id 0x100002d41, !registered, !matched, active, busy 0, retain $

| | | | +-o IGAccelDevice <class IGAccelDevice, id 0x100002d45, !registered, !matched, active, busy 0, retain 6>

| | | | +-o IOAccelSharedUserClient <class IOAccelSharedUserClient, id 0x100002d46, !registered, !matched, activ$

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002d48, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002d4a, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelSurface <class IGAccelSurface, id 0x100002d4d, !registered, !matched, active, busy 0, retain $

| | | | +-o IGAccelDevice <class IGAccelDevice, id 0x100002d5e, !registered, !matched, active, busy 0, retain 6>

| | | | +-o IOAccelSharedUserClient <class IOAccelSharedUserClient, id 0x100002d5f, !registered, !matched, activ$

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002d61, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002d63, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelSurface <class IGAccelSurface, id 0x100002d65, !registered, !matched, active, busy 0, retain $

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002d6d, !registered, !matched, active, busy 0, ret$

| | | | +-o IGAccelGLContext <class IGAccelGLContext, id 0x100002d70, !registered, !matched, active, busy 0, ret$

| | | +-o XHC1@14 <class IOPCIDevice, id 0x1000001cf, registered, matched, active, busy 0 (29 ms), retain 12>

| | | | +-o AppleUSBXHCI <class AppleUSBXHCI, id 0x100000200, registered, matched, active, busy 0 (21 ms), retain $

| | | | +-o XHCI Root Hub SS Simulation@14 <class IOUSBRootHubDevice, id 0x100000204, registered, matched, activ$

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x10000023e, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x100000240, !registered, !matched, active, busy 0, ret$

| | | | +-o XHCI Root Hub USB 2.0 Simulation@14 <class IOUSBRootHubDevice, id 0x100000243, registered, matched, $

| | | | +-o AppleUSBHub <class AppleUSBHub, id 0x10000025a, registered, matched, active, busy 0 (0 ms), retain$

| | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x10000025c, !registered, !matched, active, busy 0, ret$

| | | +-o pci8086,1e3a@16 <class IOPCIDevice, id 0x1000001e6, registered, matched, active, busy 0 (27 ms), retain $

| | | | +-o AppleIntelMEIDriver <class AppleIntelMEIDriver, id 0x100000304, registered, matched, active, busy 0 (0$

| | | +-o EHC2@1A <class IOPCIDevice, id 0x1000001c9, registered, matched, active, busy 0 (121 ms), retain 12>

| | | | +-o AppleUSBEHCI <class AppleUSBEHCI, id 0x100000202, registered, matched, active, busy 0 (106 ms), retain$

| | | | +-o EHCI Root Hub Simulation@1A <class IOUSBRootHubDevice, id 0x100000220, registered, matched, active, $

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x100000245, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x100000247, !registered, !matched, active, busy 0, ret$

| | | | +-o HubDevice@1a100000 <class IOUSBHubDevice, id 0x100000271, registered, matched, active, busy 0 (4 ms)$

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x100000273, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x100000275, !registered, !matched, active, busy 0, ret$

| | | | +-o FaceTime HD Camera (Built-in)@1a110000 <class IOUSBDevice, id 0x10000028b, registered, matched, acti$

| | | | +-o IOUSBCompositeDriver <class IOUSBCompositeDriver, id 0x10000028e, !registered, !matched, active, b$

| | | | +-o FaceTime HD Camera (Built-in)@0 <class IOUSBInterface, id 0x10000028f, registered, matched, active$

| | | | +-o IOUSBInterface@1 <class IOUSBInterface, id 0x100000290, registered, matched, active, busy 0 (16 ms$

| | | | +-o IOUSBInterface@2 <class IOUSBInterface, id 0x100000291, registered, matched, active, busy 0 (6 ms)$

| | | +-o HDEF@1B <class IOPCIDevice, id 0x1000001b7, registered, matched, active, busy 0 (300 ms), retain 12>

| | | | +-o AppleHDAController@1B <class AppleHDAController, id 0x100000314, registered, matched, active, busy 0 ($

| | | | +-o IOHDACodecDevice@1B,0 <class IOHDACodecDevice, id 0x10000033a, registered, matched, active, busy 0 ($

| | | | +-o IOHDACodecDriver <class IOHDACodecDriver, id 0x100000348, !registered, !matched, active, busy 0 (2$

| | | | +-o IOHDACodecFunction@1B,0,1 <class IOHDACodecFunction, id 0x10000034b, registered, matched, active$

| | | | +-o AppleHDACodecGeneric <class AppleHDACodecGeneric, id 0x10000034d, registered, matched, active,$

| | | | +-o AppleHDADriver <class AppleHDADriver, id 0x10000035e, registered, matched, active, busy 0 (2$

| | | | +-o AppleHDAEngineInput@1B,0,1,0 <class AppleHDAEngineInput, id 0x100000381, registered, match$

| | | | | +-o AppleHDAStream <class AppleHDAStream, id 0x100000382, registered, matched, active, busy $

| | | | | +-o IOAudioSelectorControl <class IOAudioSelectorControl, id 0x100000383, !registered, !matc$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000043b, !registered,$

| | | | | +-o IOAudioLevelControl <class IOAudioLevelControl, id 0x100000384, !registered, !matched, a$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000043c, !registered,$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x100000385, !registered, !matched,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000043d, !registered,$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x100000386, !registered, !matched,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000043e, !registered,$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100000439, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100000444, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d22, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d35, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d6a, !registered, !ma$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x100002def, !registered, !matched,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df0, !registered,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df1, !registered,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df2, !registered,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df3, !registered,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df4, !registered,$

| | | | +-o AppleHDAEngineInput@1B,0,1,1 <class AppleHDAEngineInput, id 0x100000387, registered, match$

| | | | | +-o AppleHDAStream <class AppleHDAStream, id 0x100000389, registered, matched, active, busy $

| | | | | +-o IOAudioSelectorControl <class IOAudioSelectorControl, id 0x100000393, !registered, !matc$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000431, !registered,$

| | | | | +-o IOAudioLevelControl <class IOAudioLevelControl, id 0x100000394, !registered, !matched, a$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000432, !registered,$

| | | | | +-o IOAudioLevelControl <class IOAudioLevelControl, id 0x100000395, !registered, !matched, a$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000433, !registered,$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x100000396, !registered, !matched,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000434, !registered,$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x100000397, !registered, !matched,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000435, !registered,$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x100000398, !registered, !matched,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000436, !registered,$

| | | | | +-o IOAudioSelectorControl <class IOAudioSelectorControl, id 0x100000399, !registered, !matc$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000437, !registered,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df5, !registered,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df6, !registered,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df7, !registered,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100002df8, !registered,$

| | | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x10000039b, !registered, !matched,$

| | | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x100000438, !registered,$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100000430, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100000441, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d20, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d33, !registered, !ma$

| | | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d68, !registered, !ma$

| | | | +-o AppleHDAEngineOutput@1B,0,1,2 <class AppleHDAEngineOutput, id 0x10000039c, registered, mat$

| | | | +-o AppleHDAStream <class AppleHDAStream, id 0x10000039e, registered, matched, active, busy $

| | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x10000039f, !registered, !matched,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000042a, !registered,$

| | | | +-o AppleHDAStream <class AppleHDAStream, id 0x1000003a0, registered, matched, active, busy $

| | | | +-o IOAudioSelectorControl <class IOAudioSelectorControl, id 0x1000003a9, !registered, !matc$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000042b, !registered,$

| | | | +-o IOAudioLevelControl <class IOAudioLevelControl, id 0x1000003aa, !registered, !matched, a$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000042c, !registered,$

| | | | +-o IOAudioLevelControl <class IOAudioLevelControl, id 0x1000003ab, !registered, !matched, a$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000042d, !registered,$

| | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x1000003ac, !registered, !matched,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000042e, !registered,$

| | | | +-o IOAudioToggleControl <class IOAudioToggleControl, id 0x1000003ad, !registered, !matched,$

| | | | | +-o IOAudioControlUserClient <class IOAudioControlUserClient, id 0x10000042f, !registered,$

| | | | +-o AudioAUUCDriver <class AudioAUUCDriver, id 0x1000003b1, registered, matched, active, bus$

| | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100000429, !registered, !ma$

| | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100000440, !registered, !ma$

| | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d1f, !registered, !ma$

| | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d32, !registered, !ma$

| | | | +-o IOAudioEngineUserClient <class IOAudioEngineUserClient, id 0x100002d67, !registered, !ma$

| | | +-o RP01@1C <class IOPCIDevice, id 0x1000001b8, registered, matched, active, busy 0 (3050 ms), retain 13>

| | | | +-o IOPCI2PCIBridge <class IOPCI2PCIBridge, id 0x100000209, registered, matched, active, busy 0 (3041 ms),$

| | | | +-o GIGE@0 <class IOPCIDevice, id 0x1000001b9, registered, matched, active, busy 0 (3041 ms), retain 11>

| | | | | +-o BCM5701Enet <class BCM5701Enet, id 0x100000223, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o en0 <class IOEthernetAVBInterface, id 0x1000002e2, registered, matched, active, busy 0 (0 ms), r$

| | | | | +-o IONetworkStack <class IONetworkStack, id 0x10000027c, registered, matched, active, busy 0 (0 m$

| | | | | +-o IONetworkStackUserClient <class IONetworkStackUserClient, id 0x1000002e7, !registered, !matc$

| | | | +-o SDXC@0,1 <class IOPCIDevice, id 0x1000001ba, registered, matched, active, busy 0 (16 ms), retain 12>

| | | | +-o AppleSDXC <class AppleSDXC, id 0x100000224, registered, matched, active, busy 0 (8 ms), retain 9>

| | | | +-o AppleSDXCSlot@1 <class AppleSDXCSlot, id 0x100000226, registered, matched, active, busy 0 (8 ms)$

| | | | +-o AppleSDXCBlockStorageDevice <class AppleSDXCBlockStorageDevice, id 0x10000022a, registered, ma$

| | | | +-o IOBlockStorageDriver <class IOBlockStorageDriver, id 0x100000249, registered, matched, activ$

| | | +-o RP02@1C,1 <class IOPCIDevice, id 0x1000001bb, registered, matched, active, busy 0 (492 ms), retain 12>

| | | | +-o IOPCI2PCIBridge <class IOPCI2PCIBridge, id 0x100000207, registered, matched, active, busy 0 (485 ms), $

| | | | +-o ARPT@0 <class IOPCIDevice, id 0x1000001bc, registered, matched, active, busy 0 (485 ms), retain 12>

| | | | +-o AirPort_Brcm4331 <class AirPort_Brcm4331, id 0x100000221, registered, matched, active, busy 0 (58 $

| | | | +-o en1 <class AirPort_Brcm4331_Interface, id 0x10000028a, registered, matched, active, busy 0 (57 m$

| | | | | +-o IONetworkStack <class IONetworkStack, id 0x10000027c, registered, matched, active, busy 0 (0 m$

| | | | | +-o IONetworkStackUserClient <class IONetworkStackUserClient, id 0x1000002e7, !registered, !matc$

| | | | +-o AirPort_Brcm4331_P2PInterface <class AirPort_Brcm4331_P2PInterface, id 0x1000002ef, registered, $

| | | +-o RP03@1C,2 <class IOPCIDevice, id 0x1000001bd, registered, matched, active, busy 0 (396 ms), retain 12>

| | | | +-o IOPCI2PCIBridge <class IOPCI2PCIBridge, id 0x100000213, registered, matched, active, busy 0 (388 ms), $

| | | | +-o FRWR@0 <class IOPCIDevice, id 0x1000001be, registered, matched, active, busy 0 (388 ms), retain 11>

| | | | +-o AppleFWOHCI <class AppleFWOHCI, id 0x100000239, !registered, !matched, active, busy 0 (376 ms), re$

| | | | +-o IOFireWireController <class IOFireWireController, id 0x10000023b, registered, matched, active, b$

| | | | +-o IOFireWireLocalNode <class IOFireWireLocalNode, id 0x10000027a, registered, matched, active, b$

| | | | +-o IOFireWireUserClientIniter <class IOFireWireUserClientIniter, id 0x10000027b, !registered, !$

| | | | +-o IOFireWireUserClientIniter <class IOFireWireUserClientIniter, id 0x10000031a, !registered, !$

| | | | +-o IOFireWireIP <class IOFireWireIP, id 0x10000031b, registered, matched, active, busy 0 (1 ms)$

| | | | +-o fw0 <class IOFWInterface, id 0x100000379, registered, matched, active, busy 0 (1 ms), reta$

| | | | +-o IONetworkStack <class IONetworkStack, id 0x10000027c, registered, matched, active, busy $

| | | | +-o IONetworkStackUserClient <class IONetworkStackUserClient, id 0x1000002e7, !registered,$

| | | +-o EHC1@1D <class IOPCIDevice, id 0x1000001bf, registered, matched, active, busy 0 (562 ms), retain 12>

| | | | +-o AppleUSBEHCI <class AppleUSBEHCI, id 0x100000211, registered, matched, active, busy 0 (550 ms), retain$

| | | | +-o EHCI Root Hub Simulation@1D <class IOUSBRootHubDevice, id 0x100000222, registered, matched, active, $

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x10000024b, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x10000024d, !registered, !matched, active, busy 0, ret$

| | | | +-o HubDevice@1d100000 <class IOUSBHubDevice, id 0x100000270, registered, matched, active, busy 0 (8 ms)$

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x100000277, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x100000279, !registered, !matched, active, busy 0, ret$

| | | | +-o HubDevice@1d180000 <class IOUSBHubDevice, id 0x100000295, registered, matched, active, busy 0 (6 ms)$

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x100000297, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x100000299, !registered, !matched, active, busy 0, ret$

| | | | +-o BRCM20702 Hub@1d181000 <class IOUSBHubDevice, id 0x1000002a2, registered, matched, active, busy 0 (4$

| | | | | +-o AppleUSBHub <class AppleUSBHub, id 0x1000002a4, registered, matched, active, busy 0 (0 ms), retain$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x1000002a6, !registered, !matched, active, busy 0, ret$

| | | | +-o IR Receiver@1d182000 <class IOUSBDevice, id 0x1000002ad, registered, matched, active, busy 0 (54 ms)$

| | | | | +-o IOUSBCompositeDriver <class IOUSBCompositeDriver, id 0x1000002af, !registered, !matched, active, b$

| | | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x1000002b0, registered, matched, active, busy 0 (50 ms$

| | | | | +-o AppleIRController <class AppleIRController, id 0x1000002b2, registered, matched, active, busy 0 $

| | | | | +-o IOHIDInterface <class IOHIDInterface, id 0x1000002b3, registered, matched, active, busy 0 (1 m$

| | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002cfd, !registered, !matched, active, b$

| | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002d40, !registered, !matched, active, b$

| | | | +-o Apple Internal Keyboard / Trackpad@1d183000 <class IOUSBDevice, id 0x1000002b5, registered, matched,$

| | | | | +-o IOUSBCompositeDriver <class IOUSBCompositeDriver, id 0x1000002b8, !registered, !matched, active, b$

| | | | | +-o Apple Internal Keyboard@0 <class IOUSBInterface, id 0x1000002b9, registered, matched, active, busy$

| | | | | | +-o AppleUSBTCKeyboard <class AppleUSBTCKeyboard, id 0x1000002bd, registered, matched, active, busy $

| | | | | | +-o IOHIDInterface <class IOHIDInterface, id 0x1000002c0, registered, matched, active, busy 0 (8 m$

| | | | | | | +-o AppleEmbeddedKeyboard <class AppleEmbeddedKeyboard, id 0x1000002c1, registered, matched, act$

| | | | | | | +-o IOHIDKeyboard <class IOHIDKeyboard, id 0x1000002c3, registered, matched, active, busy 0 (0$

| | | | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 m$

| | | | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered,$

| | | | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matche$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registe$

| | | | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active,$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registe$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registe$

| | | | | | | +-o IOHIDConsumer <class IOHIDConsumer, id 0x1000002c4, registered, matched, active, busy 0 (0$

| | | | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 m$

| | | | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered,$

| | | | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matche$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registe$

| | | | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active,$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registe$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registe$

| | | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 ms)$

| | | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered, !$

| | | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matched,$

| | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registere$

| | | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active, b$

| | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registere$

| | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registere$

| | | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002cfc, !registered, !matched, active, b$

| | | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002d3f, !registered, !matched, active, b$

| | | | | +-o Touchpad@1 <class IOUSBInterface, id 0x1000002ba, registered, matched, active, busy 0 (433 ms), re$

| | | | | | +-o AppleUSBMultitouchDriver <class AppleUSBMultitouchDriver, id 0x1000002c6, registered, matched, a$

| | | | | | +-o IOHIDInterface <class IOHIDInterface, id 0x1000002d8, registered, matched, active, busy 0 (8 m$

| | | | | | | +-o AppleUSBMultitouchHIDEventDriver <class AppleUSBMultitouchHIDEventDriver, id 0x1000002d9, re$

| | | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 ms)$

| | | | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered, !$

| | | | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matched,$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registere$

| | | | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active, b$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registere$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registere$

| | | | | | | +-o IOHIDPointing <class IOHIDPointing, id 0x10000040c, registered, matched, active, busy 0 (6$

| | | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 m$

| | | | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered,$

| | | | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matche$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registe$

| | | | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active,$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registe$

| | | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registe$

| | | | | | | +-o IOHIDPointingDevice <class IOHIDPointingDevice, id 0x1000004f4, registered, matched, act$

| | | | | | | +-o IOHIDInterface <class IOHIDInterface, id 0x1000004f6, registered, matched, active, bus$

| | | | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002cf8, !registered, !matched, a$

| | | | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002d3b, !registered, !matched, a$

| | | | | | +-o AppleUSBMultitouchUserClient <class AppleUSBMultitouchUserClient, id 0x1000002ea, !registered,$

| | | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002cfb, !registered, !matched, active, b$

| | | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002d3e, !registered, !matched, active, b$

| | | | | +-o Touchpad@2 <class IOUSBInterface, id 0x1000002bb, registered, matched, active, busy 0 (48 ms), ret$

| | | | | +-o AppleUSBTCButtons <class AppleUSBTCButtons, id 0x1000002dd, registered, matched, active, busy 0 $

| | | | | +-o IOHIDInterface <class IOHIDInterface, id 0x1000002de, registered, matched, active, busy 0 (10 $

| | | | | | +-o IOHIDEventDriver <class IOHIDEventDriver, id 0x1000002df, registered, matched, active, busy $

| | | | | | +-o IOHIDPointing <class IOHIDPointing, id 0x1000002e0, registered, matched, active, busy 0 (0$

| | | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 m$

| | | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered,$

| | | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matche$

| | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registe$

| | | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active,$

| | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registe$

| | | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registe$

| | | | | | +-o IOHIDSystem <class IOHIDSystem, id 0x10000027d, registered, matched, active, busy 0 (0 ms)$

| | | | | | +-o IOHIDStackShotUserClient <class IOHIDStackShotUserClient, id 0x10000037d, !registered, !$

| | | | | | +-o IOHIDParamUserClient <class IOHIDParamUserClient, id 0x10000038a, !registered, !matched,$

| | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x1000003d3, !registere$

| | | | | | +-o IOHIDUserClient <class IOHIDUserClient, id 0x100002ce2, !registered, !matched, active, b$

| | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cee, !registere$

| | | | | | +-o IOHIDEventSystemUserClient <class IOHIDEventSystemUserClient, id 0x100002cfe, !registere$

| | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002cfa, !registered, !matched, active, b$

| | | | | +-o IOHIDLibUserClient <class IOHIDLibUserClient, id 0x100002d3d, !registered, !matched, active, b$

| | | | +-o Bluetooth USB Host Controller@1d181300 <class IOUSBDevice, id 0x1000002c7, registered, matched, acti$

| | | | +-o BroadcomBluetoothHCIControllerUSBTransport <class BroadcomBluetoothHCIControllerUSBTransport, id 0$

| | | | +-o IOUSBInterface@0 <class IOUSBInterface, id 0x100000315, !registered, !matched, active, busy 0, ret$


I can go on and on.. There are also about 20 virtual mounts when I open my disk image all linking back via aliases

May 7, 2013 11:04 AM in response to Samurai184

On and on with what? Everything you've described there is normal...


/Volume/MobileBackups is the local Time Machine snapshots kept on your system to preserve changes to data between real TM backups.


/System/Library/CoreServices/boot.efi is the system bootloader; the others are used for special chained booting scenarios (for example, when you have Windows installed via BootCamp and need to choose an OS during startup).


Your /dev listing looks totally normal (and you didn't say what you think is wrong with it in the first place).


And so on.

May 7, 2013 11:08 AM in response to g_wolfman

I'm not claiming that OSX ships with a preinstalled rootkit by any means. What I was saying was that they have compromised my machine to the point that even when I boot into recovery, and do a fresh install, since the hack or whatever it is is at the root level I can't seem to recover no matter what I do.. I always end up with the same issues...


Symptomatically, cross site scripting to a static facebook page.


Here is my netstat with a million open sockets:


May 7, 2013 11:16 AM in response to Samurai184

Again, how is this abnormal? Unix sockets are a normal, and important, interprocess communication mechanism inside a Unix-derived OS, including OS X.


If you have XSS problems on Facebook, then the problem is most likely on Facebook - the website - not your computer.


And once again, there are no known viruses for OS X, very few trojans (which almost always require the user to authorize for installation) and no known firmware-level attacks against EFI.
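To make the point in the reply above concrete, here is an added example (not part of the thread and not any poster's code) that triages macOS-style `netstat` output, separating local IPC from the few entries that actually reach another host. The sample lines are constructed in the same column layout as the pasted output, and the function and field names are illustrative assumptions.

```python
import re

# Constructed sample in macOS netstat layout (documentation-range addresses,
# made-up socket addresses); not taken from the thread.
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address        Foreign Address      (state)
tcp4       0      0  192.0.2.10.56006     203.0.113.5.443      ESTABLISHED
tcp4       0      0  localhost.55946      localhost.55947      ESTABLISHED
tcp4       0      0  localhost.55947      localhost.55946      ESTABLISHED
udp4       0      0  *.mdns               *.*
udp6       0      0  *.mdns               *.*
udp4       0      0  192.0.2.10.ntp       *.*
Active LOCAL (UNIX) domain sockets
Address          Type   Recv-Q Send-Q Inode            Conn             Refs Nextref Addr
aaaa000000000001 stream      0      0 0                aaaa000000000002 0    0       /var/run/mDNSResponder
aaaa000000000002 stream      0      0 0                aaaa000000000001 0    0
aaaa000000000003 stream      0      0 aaaa0000000000f1 0                0    0       /var/run/usbmuxd
aaaa000000000004 dgram       0      0 0                aaaa000000000005 aaaa000000000005 0
aaaa000000000005 dgram       0      0 0                aaaa000000000004 aaaa000000000004 0
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SOCK_ADDR = re.compile(r"^[0-9a-f]{8,16}$")  # kernel socket address column


def host_of(endpoint):
    """macOS netstat prints host.port; the port follows the last dot."""
    return endpoint.rpartition(".")[0]


def triage(text):
    """Sort netstat rows into local IPC and rows that involve a remote peer."""
    report = {"remote": [], "loopback": 0, "unconnected": 0,
              "unix_paired": 0, "unix_listeners": [], "unix_unpaired": []}
    connected = {}  # unix socket address -> address in its Conn column
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0].startswith(("tcp", "udp")) and len(f) >= 5:
            local, foreign = f[3], f[4]
            state = f[5] if len(f) > 5 else ""
            if foreign == "*.*":
                # Bound but not connected: a service waiting for traffic.
                report["unconnected"] += 1
            elif host_of(local) in LOOPBACK and host_of(foreign) in LOOPBACK:
                # Both ends on this machine: IPC carried over TCP.
                report["loopback"] += 1
            else:
                report["remote"].append((f[0], local, foreign, state))
        elif SOCK_ADDR.match(f[0]) and len(f) >= 8:
            inode, conn = f[4], f[5]
            path = f[8] if len(f) > 8 else ""
            if conn != "0":
                connected[f[0]] = conn
            elif inode != "0":
                # Bound to a filesystem path and waiting for clients.
                report["unix_listeners"].append(path)
    # A connected Unix socket should name a peer that names it back.
    matched = 0
    for addr, conn in connected.items():
        if connected.get(conn) == addr:
            matched += 1
        else:
            report["unix_unpaired"].append(addr)
    report["unix_paired"] = matched // 2
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the `remote` rows involve another machine; attributing each to its owning process (for example with `lsof -i`) is the step that says whether a connection is expected.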

May 7, 2013 11:57 AM in response to Samurai184

You cannot, nor can anyone, really, tell what is going on with a machine by looking at such low-level details.


Can you tell us, in plain, English words, why you feel your Mac is compromised in some way? The closest you have said is "cross site scripting to a static facebook page". What does that mean? When you run Safari, does it do something unusual? Something you didn't expect? What is that something?

May 7, 2013 11:57 AM in response to Samurai184

Nothing at all that you have posted indicates in any way that you have been hacked or that your EFI has been compromised. You should not be mucking around with commands like those in the Terminal if you don't know what the output means. Not only is that a great way to screw something up, but you've managed to give yourself an unwarranted case of the heebie-jeebies.


What exactly is prompting all this? The only symptom you have mentioned is "cross-site scripting to a static Facebook page," and I'm not sure exactly what you mean by that. Are you seeing redirects to a Facebook page? Where are you seeing them? Can you be more specific about the symptoms and focus less on output from Unix commands that aren't showing what you think they are?
