Macuscope Intro

Mac-A-Mal:An Automated Framework for Mac Malware HuntingPham Duy Phuc*************************SfyLabsFabio Massacci*********************** University of TrentoAbstractAs Mac systems grow in popularity,so does macOS mal-ware whilst macOS malware analysis is still lagging be-hind,even when researchers deal with malicious behav-iors in the user space.To amend this shortcoming,we have come up with macOS analyzer for malware Mac-A-Mal:A system for behavioral monitoring of components at kernel level which allows analysts to automatically in-vestigate malware on macOS,broadly extending what is available today with Cuckoo sandbox.By leveraging on kernel-level system calls hooking,the framework is able to detect and mitigate malware anti-analysis tech-niques.In particular,it combines static and dynamic analysis to extract useful information and suspicious be-haviors from malware binaries,their monitored behaviors such as network traffic,malware evasion techniques,per-sistence methods,file operations etc.,without being de-tected by common Mac malware evasion techniques.We have used the framework to evaluate thousands macOS samples to estimate how widespread Mac malware vari-ants and families are today(thanks to VirusTotal).Mac malware in2017demonstrates a drastic improvement by using evasion techniques.Overall,we used our systems to classify the dataset and found that85%of collected samples are adware,49%of classified variants belong to backdoor/trojan.By hunting Mac samples on Virus-Total,we found a so-far-undiscovered organized adware campaign which leverages several Apple legitimate de-veloper certificates,a few of other undetected keyloggers, and trojan samples participating in APT32OceanLotus targeting Chinese and Vietnamese organizations,as well as hundreds of malware samples which have otherwise low detection rates.1IntroductionContrary to popular belief,Mac is not immune from mal-ware.According to a cyber-security report from Bit9and Carbon Black Threat Research team,Mac devices have seen more malware attacks in2015than the pastfive years combined.Mac malware grew744%with around 460,000instances detected,says McAfee report in2016. The trend in Mac malware was not slowing down in2017, there were nearly300,000new instances of macOS mal-ware in thefirst3quarters of2017,lifting the year-total to over700,000.[6]The malware problem has become bigger and stronger over years,while the majority of malware targets at Mi-crosoft Windows operating system,other operating sys-tems have become relevant targets as well.By under-standing how they behave,what these threats are,and engaging in ways to detect them,we can contribute to more secure and stable solutions for Mac computing ex-perience.However,research about macOS malware and relevant solutions to automated Mac malware analysis are limited.While many types of state-of-the-art malware on Windows platform took decades to develop from the first known malicious software to happen in the wild,now they start emerging on Apple computers in a shorter time. Static malware analyses are mostly used to analyze macOS malware. E.Walkup[10]was able to extract Mach-O structure,import libraries(DyLib)and functions feature from a data set consisting of420malware samples and1000goodware over20machine learning models. Furthermore,S.Hsieh et al.[4]presented a study of clas-sifying Mac OS X malware in2016with a set of features extracted from Mach-O metadata using tools such as nm, otool,or strings on VirusTotal sample collection of 2015-2016.They also included derivative numerical fea-tures created from meta information,which are introduced in learning-based malware classification,e.g.function call distribution,structure complexity,etc.D.Dorsey[3] presented a weighted distance metric solution to generate and compare assembly mnemonics signature of Mach-O binaries using mpesm.The study successfully discovered 7over18,000samples to be UPX compressed,and3 groups signature matched at least85%of malicious sam-ples.However,no significant signature could identify the difference between malicious samples and17,000known benign samples.Regarding dynamic Mac malware studies,V. Mieghem[8,9]presented a novel generic behavioral detection method based on system calls names and prevention mechanism for malware on OS X.Sequences of system call traces are analyzed,from which certain malicious system call patterns,interactions with shells and auto-run services appear to be an accurate indication of malware on a system.Three types of user profiles are established to evaluate the detection patterns,resulting in a100%detection rate and a0%to20%false positive rate, depending on the type of user profile.M.Lindorfer et al.[5]have built an OS X honeypot based high-interaction and used it to evaluate more than6thousands blacklisted URLs to estimate how widespread malware for Mac OS X is in2013.Onlyfive websites were found to drop binaries through drive-by downloads,but none of them targeted OS X.Furthermore,they developed a dynamic analysis environment with DTrace and analyzed148 malicious samples.The result has shown that while some OS X malware families are sophisticated,several fail to perform simple but critical jobs like persistence. A. Case et al.[1,2]presented malware detection techniques with a specific focus on kernel-mode components for OS X,particularly for rootkit that targets at kernel data and user land malware written in Objective-C for Mac.They utilize V olatility to detect rookit in kernel memory.For Objective-C malicious code,they analyzed important artifacts in the memory and produced output that could easily be used by analysts to isolate and investigate more deeply these behaviors even when the Objective-C runtime maintained state out of the dynamic loader and the code section of executables.We evaluated some of popular dynamic macOS analyz-ers and we found that Cuckoo sandbox is an open source project providing most robust solution for malware analy-sis framework.Although it only supports Windows,Linux but partially Android and macOS.It adopts DTrace which is basically a binary instrumentation platform rather than a malware analysis.Apple does not allow DTrace to mon-itor official Apple binaries and requires traced software to run under root permission,its tracing techniques can be easily defeated by trivial anti-debugging tricks.Besides, Macsandbox1is a modified version of Cuckoo sandbox on Mac,using Dtrace and library injection for process tracing.However,running on user space makes it vul-nerable to trivial anti-debug and anti-hook techniques. For analysis on kernel-space region,Fireeye Monitor2 is a closed source software for manual analysis,which 1https:///sandialabs/mac-sandbox2https:///blog/threat-research/ 2017/03/introducing_monitor.html performs process execution,file and network logging.In this white paper,we study an automated solution for Mac malware analysis framework.We show that it is possible to automatically perform behavioral monitor of process execution,file activities,network traffic,with regards of virtualized environment,malware evasion de-tection and mitigation.2Mac-A-Mal:Automated macOS mal-ware analyzerMac-A-Mal is a combination of both static and dynamic ing static analysis to understand in depth sus-picious areas of code,and dynamic analysis to unpack packed binary and monitor malware behaviors.It takes actual behavioral data of malware samples executions inside virtual sandboxes simultaneously,in which it can process multiple samples at once.The sandbox is armored with network sniffer,system calls and behavior logging, as well as anti-evasion from kernel-mode to send back report to analysis machine.Researchers thereafter can review reports to spot any suspect activities such as sus-picious network activity,invoked anti debug techniques, persistent activities etc.Researchers can also perform common malware detection techniques such as Y ARA rules and behavioral signature to automatically detect a whole sample family.The overview design of Mac-A-Mal framework is illustrated in Fig.1.The analysis machine gathers samples and feed them to the monitor machine(s) running on macOS simultaneously.Data sharing features and default Apple protection mechanisms such as XPro-tect,Gatekeeper,etc.are disabled to capture malware behavior accurately.The analyzer processes2main tasks:•Static analysis:Parsing Macho executable and dis-play:Symbol table,segment,sections,load com-mands,dylib,entropy etc.Analyzing other common Macfile types such as DMG,PKG etc.as well as their certificate details.•Results collection:Output to web front-end as well as JSON format which can be easily applied with behavioral signature,machine learning or Y ARA rules.The monitor processes following tasks:•Dynamic analysis:Processing monitor behavior un-der kernel-space with Anti anti-vm,anti-debug etc.logging and mitigation.Additionally,common mal-ware analysis techniques are implemented such as network monitor,droppedfiles collection,etc.We implement an analysis agent on analysis machine un-der kernel space,which basically performs:SyscallFigure1:Mac-A-Mal framework designtable discovery technique to unslide KASLR to ob-tain kernel base image address,then walks through the kernel base image to locate load command seg-ment,andfinally performs system table lookups. These proposed techniques are compatible to latest version of macOS High Sierra.Once the sysent ta-ble is located,we patch its entries to our defined callback functions.In particular,when a malware invokes system calls,it queries the address of the call in the XNU kernel syscall table,which now is patched to our callback function address.The callback functions will perform execution logging, malware evasion detection and mitigation,as well as post-processing for the calls(forward or drop).•Anti evasion:We develop kernel system calls log-ging in which existing solutions failed,e.g.by hook-ing into posix spawn(),execve()and copying double pointers between user space and kernel space. Fig.2shows how we detect and mitigate evasion techniques by hooking into ptrace(),csrctl(), ioctl()and sysctl().•Execute samples via open default handler:By hook-ing in kernel space,we can execute samples us-ing default Mac handler-/usr/bin/open as wellas XPCProxy,in which Dtrace and MacSandbox failed to trace.It means any types offiles can be opened with capability of process forks tracing(e.g. .app;.dmg;.doc;.zip etc.)without using other app-opener.•No human interaction:During the analysis,the sand-box implements libraries for taking screenshots of the analysis screen.These screen shots are helpful for analysts to review automated analysis and recog-nize some cases that needs human interaction,for instance mouse click to confirm installation or pass-word typing for Authorization solver.We use Quartz library to detect the login window then answer pass-word using KeyboardEvents.Screenshot images are analyzed to seek for confirmation buttons.If detected,it performs mouse clicks by using Quartzs MouseEvents.If packages are stored within an Ap-ple disk image,hdiutil will be used to attach the disk,and execute all application inside its root folder.•Hardening the virtual analysis machine:We modify virtual machine footprints in machine configuration as well as manipulate its hardware information in kernel level.Besides,default Apple security featuresFigure2:Mac-a-Mal anti environment evasion module using kernel hooking and memory patching.(1)A system call is invoked in the user space,(2)Hook the system call,(3)Return the control to the original system call,(4)Returns value to the user space and manipulate system call arguments if anti-evasion attempts are detected,(5)The return value is logged for further analysis using Logger component,(6)Return values from the kernel space to the analyzer in userspace,(7)the exit()system call is not hooked and forwarded back to the user space.such as XProtect,GateKeeper,etc.are deactivated in order to execute any arbitrary malicious samples. 3Case studies of undetected Mac malware discoveryThese case studies dive deeper into the illustration drawn in Section2by explaining detailed analysis on some major malware campaigns which are found by Mac-A-Mal.•OSX/Mughthesec[7]The adware campaign wasfirst founded in the wild in August2017.It pretended to install legitimate Adobe flash and silently install Potential Unwanted Ap-plications(PUA)such as Booking,Advanced Mac Cleaner,SafeFinder Safari extension,AdBlock,etc.Reports show that the campaign dropped some ma-licious binaries related to AMCleaner adware cam-paign.It was likely an affiliation advertising cam-paign,in which adware authors spent some moneyfor buying legitimate Apple developer certificates. By using a combination of behavioral rules(antivm), static rules(suspicious legitimate Apple developer certificate),and suspect network activities based on results from Mac-A-Mal,we discovered71signed archives.Attackers had used at least10Apple legiti-mate developer certificates,and only2of them were revoked at the time of discovery.Moreover,some of dropped MachO executables were not signed,which means it could transform from adware to backdoor silently.•APT32-OceanLotusAPT32was an APT campaign targeted Chinese and Vietnamese infrastructure.It wasfirst discovered by Qihoo360,and followed up by AlienVault,Fire-Eye and Palo Alto Networks.By study thefirst generation of Mac OceanLotus samples through our framework,we generated some similar behavioral signatures amongst the family.In March2017,wefound second generation of Mac APT32which has 0detection rate over more thanfifty Anti-virus ven-dors by hunting those behaviors on VirusTotal Intelli-gence service.Ourfinding shows that the campaign was improved from thefirst variant by eliminating all Bash command executions.Unlike common Mac malware,this variant tried to execute under user privilege instead of higher privilege that may easily convey malicious behaviors.4DiscussionWe have processed more than2000malicious samples and85%of the collected samples are adware,which are dominated by OSX/Pirrit and OSX/MacKeeper.That statistic result is well confirmed according to reports from other Anti-virus vendors.Once installed,macOS adware usually persistent deep inside the victim system and starts hjacking browser.Their purpose is to make advertising revenue for attackers by installing PUA or redirecting victims to unwanted websites.They are widespread be-cause technically they are not viruses but can potentially perform malicious activities.After analyzing the samples set,results retrieved from Mac-A-Mal were later post-processed through a classi-fier based on numerous rules:code signing authority, persistence indicators,processes creation and shell exe-cution,backdoor port listening,network activities,Tor network indicator,anti-analysis techniques,file creation and modification,browsers change and super-user per-mission authentication,etc.We also compared them to VirusTotal detection results and other Anti-virus labeled variant name to verify the accuracy.We observed a total of86different Mac malware families until2017,and49% of them belongs to backdoor/trojan variant.We study the evolution of macOS malware by using heat map analysis of most Mac malware variants in Ap-pendix Fig.3and Fig. 4.We evaluate that macOS malware in2017demonstrates a drastic improvement by using anti-analysis techniques.The behaviors can be grouped into following categories:(i)persistence,file write,browser modification;(ii)root request,bash exe-cution;(iii)anti analysis;(iv)network,Tor,open port.5 variants are found applying various evasion techniques including ptrace(),sysctl(),sleep().Some vari-ants tried to discover running security tools on the system or terminate analysis software(e.g.DTrace,lldb,etc.). Besides,some samples never made any persistence at-tempt such as XAgent which is an upgraded version of Komplex in2016also known for participating in APT28 targeting individuals in the aerospace industry running macOS.It can be seen that Mac malware in2017car-ried out more frequent browser modification activities.It means that macOS malware is becoming more grey,and it has been boosted by numerous adware to redirect victims to fraud web traffic or unwanted advertising.In addition, a large number of increased super-user request behaviors shows that Mac malware is trying to increment phising user passwords in order to grant root access of the system and perform more advanced malicious activities.5Future WorkWe would like to later apply more robust and advanced techniques for better features extraction from the analysis, and machine learning for a larger scale of Mac samples. References[1]C ASE,A.,AND R ICHARD,G.G.Advancing mac os x rootkitdetection.Digital Investigation14(2015),25–33.[2]C ASE,A.,AND R ICHARD,G.G.Detecting objective-c malwarethrough memory forensics.Digital Investigation18(2016),3–10.[3]DORSEY,D.Analyzing entrypoint instruction differencesin mach-ofiles with mpesm.https://www.carbonblack.com/2016/03/01/analyzing-entrypoint-instruction-differences-in-mach-o-files-with-mpesm/,2006.Accessed:30-July-2017.[4]H SIEH,S.,W U,P.,AND L IU,H.Automatic classifying of macos x samples.Virus Bulletin,2016.Accessed:20-July-2017. [5]L INDORFER,M.,M ILLER,B.,N EUGSCHWANDTNER,M.,ANDP LATZER,C.Take a bite-finding the worm in the apple.In Infor-mation,Communications and Signal Processing(ICICS)20139th International Conference on(2013),IEEE,pp.1–5.[6]M INIHANE,N.,M ORENO,F.,P ETERSON,E.,S AMANI,R.,S CHMUGAR,C.,S OMMER,D.,AND S UN,B.Mcafee labs threats report,December2017.[7]P HUC,P.D.What is safefinder/operatormac campaign?,07/2017(accessed30-August-2017).[8]V AN M IEGHEM,V.Detecting malicious behaviour using systemcalls.TU Delft Repositories,2016.[9]V AN M IEGHEM,V.Behavioural detection and prevention ofmalware on os x.Virus Bulletin,2016(accessed20-July-2017).[10]W ALKUP,E.Mac malware detection via staticfile structureanalysis.University of Stanford,CS229:Machine Learning Final Projects,2014.A Publication of this WorkSource code of the framework is all available for down-load on Github:https:///phdphuc/mac-a-mal.The academic paper of this work has been composed in a paper”MAC-A-MAL:macOS Malware Analysis Framework Resistant to anti evasion techniques”which was submitted to the International Symposium on Engi-neering Secure Software and Systems ESSoS2018.B AppendixFakeFileOpener and MacKeeper are classified as Adware,Keranger is ransomware and the rest of variants is trojan/backdoor.Figure3:Behavior heatmap of macOS malware in2016ChromePatch and Mughthesec are classified as Adware,Macransom is ransomware and the rest of variants is trojan/backdoor.Figure4:Behavior heatmap of macOS malware in2017。

©2021 PreSonus Audio Electronics, Inc. All Rights Reserved. AudioBox USB, Capture, CoActual, EarMix, Eris, FaderPort, FireStudio, MixVerb, Notion, PreSonus, PreSonus AudioBox, QMix, RedLightDist, SampleOne, Sceptre, StudioLive, Temblor, Tricomp, WorxAudio, and the Wave Logo are registered trademarks of PreSonus Audio Electronics, Inc. Studio One is a registered trademark of PreSonus Software Ltd.Mac, macOS, iOS, and iPadOS are registered trademarks of Apple, Inc., in the U.S. and other countries. Windows is a registered trademark of Microsoft, Inc., in the U.S. and other countries. USB Type-C and USB-C are registered trademarks of USB Implementers Forum.Other product names mentioned herein may be trademarks of their respective companies. All specifications subject to change without notice... except the recipe, which is a classic.Baton Rouge • USA Revelator io242-channel audio interface for streamers and podcasters Quick Start GuideRevelator io24Interfaz de audio de 2 canales para streamers y podcasters Guía de arranque rápidoRevelator io242-Kanal-Audio-Interface für Streamer und Podcaster KurzanleitungRevelator io24Interface audio à deux canaux pour les streameurs et les podcasteurs Guide de prise en mainRevelator io24为流媒体工作者和播客设计的双通道音频接口快速启动指南Part# 70-12000164-BBasic functions • Funciones básicas • Grundlegende Funktionen • Fonctions de base • 基础功能Press channel 1 or 2 button to select channel. Press encoder to cycle through settings. Turn encoder to change chosen setting.Pulse el botón canal 1 ó 2 para seleccionar el canal. Pulse el encoder para desplazarse por los ajustes. Gire el encoder para cambiar el ajuste elegido.Channel 1 oder 2 drücken, um den Kanal auszuwählen. Endlosregler drücken, um durch die Einstellungen zu blättern. Endlosregler drehen, um die ausgewählte Einstellung zu ändern.Pressez la touche de canal 1 ou 2 pour sélectionner le canal. Pressez l’encodeur pour parcourir les réglages. Tournez l’encodeur pour modifier le réglage choisi.按下 channel 1 或 2 按钮进行轨道选择。

Audiophile 2x2, 24-Bit/192 kHzUSB Audio Interface withMIDAS Mic Preamplifi ersThe incredible U-PH ORIA UMC202H Dbridges the gap between your creativity and your fans. This blazingly fast USB 2.0 studio in a box will have you recording your next masterpiece in minutes with all the connectivity required for your microphones, guitars, keyboards and even MIDI devices.Record the perfect vocal right to your computer-based DAW thanks to the 4 astonishingly pure, world-class MIDAS-designed mic preamps, which include +48 Volt phantom power for condenser microphones, all going through studio-grade 24-Bit/192 kHz converters for the best possible sound quality. Whether you’re a singer-songwriter, producer on the go, or just need a rock-solid interface for running backing tracks at a gig, the ultra-dependable U-PHORIA UMC202HD will help you shine in the digital domain.Studio in a Little Black Box When it’s time to make recording history on your Mac or Windows computer, plug in microphones, instruments or line level sources to the UMC202H D’s 2 combination XLR/T RS inputs for the ultimate in studio fl exibility! Connect and communicate with MIDI devices to add the benefi t of control surfaces to your studio workfl ow.#2x2 USB 2.0 audio interfacefor recording microphonesand instruments#Audiophile 24-Bit/192 kHz resolutionfor professional audio quality#Compatible with popularrecording software includingAvid Pro Tools*, Ableton Live*,Steinberg Cubase*, etc.#Streams 2 inputs / 2 outputs withultra-low latency to your computer,supporting Mac* OS X* andWindows XP* or higher# 2 state-of-the-art, MIDASdesigned Mic Preamplifi ers with+48 V phantom power#Zero-latency directmonitoring while recording#Powerful Phones output with Levelcontrol and Direct Monitor select#Status, Signal and Clip indicationsfor perfect overview#USB port for connection and power#Free audio recording,editing and podcasting softwareplus 150 instrument/eff ect plug-insdownloadable at #“Built-like-a-tank”, impact-resistantmetal chassis#3-Year Warranty Program**#Conceived and designed byBEHRINGER Germany*Mac and OS X are trademarks of Apple Inc. Windows XP is aregistered trademark of Microsoft Corporation in the United Statesand other countries. All third-party trademarks are the property ofAudiophile 2x2, 24-Bit/192 kHzUSB Audio Interface withMIDAS Mic Preamplifi ers192 kHz PrecisionYou take your tracks seriously, and the UMC202HD respects that, providing up to 192 kHz resolutionfor even the most demanding applications in music as well as video post production. Work withconfi dence and accuracy in your favorite recording software for professional results every time.MIDAS - The Legend in Sound QualityEver since its formation in the 1970s, MIDAS has had a long history of innovation and leadership in the world of audio mixing consoles. Employed by the most famous touring acts and installations world-wide, legendary MIDAS consoles such as the XL4 and Heritage H3000 quickly became industry standards.MIDAS has earned their impeccable reputation due to their no-compromise approach for audio and build quality and in particular for their Award-winning Mic Preamps which are considered by industry experts as the industry’s best sounding designs. Building on this legacy, the XL8 and PRO Series of Live Mixing Systems continue this great heritage of Award-winning audio quality.BEHRINGER is proud to incorporate a MIDAS designed mic preamp for the ultimate in high-quality audio reproduction in both live and studio environments. Find out more about MIDAS’ amazing legacy by visiting their extensive website .Audiophile 2x2, 24-Bit/192 kHzUSB Audio Interface withMIDAS Mic Preamplifi ers“Zero-Latency” MonitoringThe UMC202H D mix control allows zero-latency direct monitoring, which means musicians canexperience their performance clearly – with no delay or lag in the returning signal, resulting in abetter performance and recording. A powerful phones output has its own level control and MonitorA/B source select for DJ-style cueing. To make it a done-deal, we provide free audio recording,editing and podcasting software, plus 150 instrument / eff ects plug-ins – just a download away at.Getting ConnectedOn the rear panel of the UMC202HD, you’ll fi nd the USB 2.0 port for simple and easy connectionto your computer, along with plenty of analog playback options including ¼" TRS, RCA and XLR.The UMC202HD also features 2 analog Inserts for use with external eff ects such as compressors,gates and EQs, etc. Built-in MIDI I/O allows you to connect keyboards and all your favorite outboardMIDI hardware.Tracktion - Record, Edit, Mix and ShareTracktion is one of the world’s fastest and easiest Digital Audio Workstations (DAW) for composing,recording, editing, mixing and sharing your music with the world. Featuring a single-screeninterface, and pushing the envelope in design elegance, Tracktion brings together outstanding ProDAW features, such as dynamic automation, unlimited track count, MIDI recording and support forVST and AU plug-ins. This powerful music production software gives you all the tools of an entireprofessional-grade recording studio. Learning a DAW has never been easier, thanks to their vast andreadily available library of resources.As our way of saying “Thank You”, when you register your (insert the product name) at, we’ll reward you with a complimentary download code for the full versionof Tracktion 4. Recording and editing couldn’t be easier. To learn more about Tracktion, visit/support/videos.Audiophile 2x2, 24-Bit/192 kHzUSB Audio Interface withMIDAS Mic Preamplifi ersEverything You Need to Sound AmazingThe U-PHORIA UMC202HD is a powerful 2 input, 2 output USB recording interface featuring genuineMIDAS-designed mic preamps with exceptional 24-Bit/192 kHz high-resolution converters, designedto help your recordings and mixes sound their absolute best. Visit your local dealer or online resellerand fi nd out what a great addition to any studio or mobile recording rig it can be.You Are CoveredWe always strive to provide the best possible Customer Experience. Our products are made in ourown MUSIC Group factory using state-of-the-art automation, enhanced production workfl ows andquality assurance labs with the most sophisticated test equipment available in the world. As a result,we have one of the lowest product failure rates in the industry, and we confi dently back it up with agenerous 3-Year Warranty program.Audiophile 2x2, 24-Bit/192 kHz USB Audio Interface with MIDAS Mic Preamplifi ersFor service, support or more information contact the BEHRINGER location nearest you:EuropeM USIC Group Services UK Tel: +44 156 273 2290USA/Canada M USIC Group Services NV Inc.Tel: +1 702 800 8290Japan M USIC Group Services JP K.K.Tel.: +81 3 6231 0454Audiophile 2x2, 24-Bit/192 kHzUSB Audio Interface withMIDAS Mic Preamplifi ers。

Open Apple + DownOpens the selected icon.COMMAND FIRST!!!!!Shift + ClickSelect the icon and add it to the set of those selected.TabHighlight the next icon inside the folder, in alphabetical order.Shift + TabHighlight the previous icon inside the folder, in alphabetical order.Left arrowUsed when viewing by icon to select the icon to the left of the one highlighted.Right arrowUsed when viewing by icon to select icon to the right of the one highlighted.Up arrowUsed to select the icon above the one currently highlighted. Down arrowUsed to select the icon below the one currently highlighted. Open Apple + ?Mac helpOpen Apple + EEjectOpen Apple + Shift + Up ArrowUsed to direct the input focus to the desktop level.Open Apple + MMinimize windowOpen Apple + NNew finder windowOpen Apple + Shift + NNew folderOpen Apple + WClose the current window.Open Apple + CCopy the selected item to the clipboard.Open Apple + XCut the selected item.Open Apple + VPaste item from the clipboardOpen Apple + LMake aliasOpen Apple + RShow original itemOpen Apple + TAdd to favoritesOpen Apple + OOpen the selected icon.Open Apple + FDisplay the find dialog box.Open Apple + GRepeat the last find operation.Open Apple + Shift + GTakes a snapshot of the screen and saves it to a PICT file. Command + ASelect all text and objectsCommand + BChange selected text to boldfaceCommand + FOpen the Find windowCommand + IItalicize the selected textCommand + POpen the Print dialog windowCommand + UUnderline the selected textCommand + Shift + POpen the Page Setup window, to change document parametersCommand + Shift + Control + 3Capture screenshot of current screen and save to the Clipboard。

Apple Mac OS X Snow Lepard 内核功能扩展 kernel extensions (KEXT)Kext是Mac OS 的硬件驱动,它存放位置在系统中:/System/Library/Extensions/ #系统核心级别存放位置,系统自有驱动位置…/Library/Extensions/#系统软件级别存放位置,例如安装VMware,VirtualBox这类带有内核扩展的程序,就会安装到此目录下.也会有自己的驱动加载目录,传递给Mach核心.例如Chameleon 变色龙引导程序在安装分区的根目录/Extra/Extensions中.删除精简不需要的kext.有些bundle 和ppp之类的不清楚作用与kext一致否..警告:如果您当前的系统,完美稳定运行,那就将下面的内容当作是我灌水,无无视之…..删掉后出什么问题,不要怨我哦^_^,最好非常明白你没有相关硬件,以后也不打算用才能删…注意备份...删除后不要以为能提升系统启动速度….删除驱动后重新启动前请运行命令:这条命令是自动修复驱动目录的文件权限,然后开机在Chameleon或boot think的引导界面使用"-f " 进入系统,这是刷新驱动缓存,不过自己觉得SL 改变了/System/Library/Extensions/ 下的内容,会自动更改缓存..有*符号是通配符..此符号后面的都省略了...标记为褐色的,大部分人都没有此硬件..标记为红色的,是需要注意,重要的驱动ATI*.kextATI显卡的相关驱动,不用ATI显卡的可以删除.ACard*.kextAcard Technology公司,ATA,SCSI适配器系列驱动.ALF.kext似乎是Algebraic Logic Functional程序语言相关??,不太清楚.ATTOCelerityFC.kextATTO公司的CelerityFC系列光纤控制器,适配卡驱动,一般人没有,可删除.ATTOCelerityFC8.kextATTO公司的CelerityFC 8系列光纤控制器,适配卡驱动,一般人没有,可删除.ATTOExpressPCI4.kextATTO公司的PCI Express 系列SCSI Host Bus Adapters适配器,扩展卡,一般人没有,删除ATTOExpressSASHBA.kextATTO公司的SAS-HBA 1系列适配卡驱动.ATTOExpressSASHBA2.kextATTO公司的SAS-HBA 2系列适配卡驱动.ATTOExpressSASRAID.kextATTO公司的PCI Express SAS RIAD卡驱动.Accusys6xxxx.kext应该是Accusys公司的ACS-6xxx Raid卡驱动.Apple16X50Serial.kext未知,似乎是老式苹果机才用得到,可以删除AppleACPIPlatform.kext这是Advanced Configuration and Power Interface高级配置和电源管理接口驱动,进行电源管理,睡眠,Real-Time Clock控制等,其下还包含AppleACPIButtons.kext, AppleACPIIEC.kext, AppleACPIPCI.kext.AppleAHCIPort.kextAHCI端口驱动,有些主板不打开AHCI功能会启动会卡在 Still Waiting for Root DeviceAppleAPIC.kextIntel Advanced Programmable Interrupt Controller 驱动.AppleBMC.kextApple baseboard management controller 底板管理控制器,是一个专门的服务处理机，它利用传感器来监视一台计算机、网络服务器，或者是其他硬件驱动设备的状态,AppleBacklight.kext笔记本和部分LCD显示器的背光管理控制,用于调整亮度等..AppleBluetoothMultitouch.kext苹果新Magic Mouse Multi-Touch 鼠标的蓝牙适配器驱动.AppleEFIRuntime.kext好像是EFI环境中显卡BIOS初始化的..AppleFSCompressionTypeZlib.kextHFS文件系统压缩,使用zlib 算法压缩的驱动.AppleFWAudio.kextFireWire,火线口 iEEE 1394接口的声卡驱动AppleFileSystemDriver.kextHFS文件系统驱动AppleGraphicsControl.kext显示卡GPU控制驱动,例如MBP有两个显卡,用作切换显卡AppleGraphicsPowerManagement.kext显卡电源管理驱动,例如GPU风扇转速,动态关闭不需要的显卡核心.AppleHDA.kextIntel High Definition Audio高保真声卡驱动..大部分人都是这种集成声卡,例如ALC889A声卡就可以直接用其驱动,其他声卡借助制作”仿冒驱动”也可以用其驱动,其下还包含AppleHDAController.kext .AppleMikeyDriver.kext,DspFuncLib.kext,AppleHDAHardwa reConfigDriver.kext,IOHDAFamily.kext,AppleHDAPlatformDriver.kextAppleHIDKeyboard.kextHuman Interface Device人性化输入设备驱动,这个是键盘的,例如USB键盘.AppleHIDMouse.kextHuman Interface Device人性化输入设备驱动,这个是鼠标的,例如USB鼠标.AppleHPET.kextHigh Precision Event Timer高精度事件计时器驱动.AppleHWSensor.kext环境光控制控制的,Apple的本本会根据环境光强弱,调整显示器AppleIRController.kextApple Remote红外线遥控器驱动.AppleIntelCPUPowerManagement.kextCPU的电源管理驱动,黑苹果可修改DSDT实现,用于降频,Intel EIST技术等,启用节能CPU 后温度会正常.AppleIntelCPUPowerManagementClient.kex t不清楚,估计与上面提到的相辅相成AppleIntelHD*.kextIntel HDXXX显卡驱动,似乎是10.6.4新加..AppleIntelGMA*.kextIntel GMA 显卡系列驱动,不用者删AppleIntelGMX*.kextintel GMA 系列显卡驱动,不用者删AppleIntelIntegratedFramebuffer.kext这东西似乎只有intel GMA950 显卡用.AppleKeyswitch.kext老G5服务器的安全锁驱动?,防止使用未经授权的设备…例如U盘?AppleLPC.kextLow Pin Count，是连接南桥和super I/O（该IC连接一些低速外设，如mouse，KB，Printer）的一根BUS。

Autodesk® Smoke® 2010 For Mac OS® X© 2009 Autodesk, Inc. All rights reserved. Except as otherwise permitted by Autodesk, Inc., this publication, or parts thereof, may not be reproduced in any form, by any method, for any purpose.TrademarksThe following are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and other countries: 3DEC (design/logo), 3December, , 3ds Max, Algor, Alias, Alias (swirl design/logo), AliasStudio, Alias|Wavefront (design/logo), ATC, AUGI, AutoCAD, AutoCAD Learning Assistance, AutoCAD LT, AutoCAD Simulator, AutoCAD SQL Extension, AutoCAD SQL Interface, Autodesk, Autodesk Envision, Autodesk Intent, Autodesk Inventor, Autodesk Map, Autodesk MapGuide, Autodesk Streamline, AutoLISP, AutoSnap, AutoSketch, AutoTrack, Backburner, Backdraft, Built with ObjectARX (logo), Burn, Buzzsaw, CAiCE, Civil 3D, Cleaner, Cleaner Central, ClearScale, Colour Warper, Combustion, Communication Specification, Constructware, Content Explorer, Dancing Baby (image), DesignCenter, Design Doctor, Designer's Toolkit, DesignKids, DesignProf, DesignServer, DesignStudio, Design Web Format, Discreet, DWF, DWG, DWG (logo), DWG Extreme, DWG TrueConvert, DWG TrueView, DXF, Ecotect, Exposure, Extending the Design Team, Face Robot, FBX, Fempro, Fire, Flame, Flare, Flint, FMDesktop, Freewheel, GDX Driver, Green Building Studio, Heads-up Design, Heidi, HumanIK, IDEA Server, i-drop, ImageModeler, iMOUT, Incinerator, Inferno, Inventor, Inventor LT, Kaydara, Kaydara (design/logo), Kynapse, Kynogon, LandXplorer, Lustre, MatchMover, Maya, Mechanical Desktop, Moldflow, Moonbox, MotionBuilder, Movimento, MPA, MPA (design/logo), Moldflow Plastics Advisers, MPI, Moldflow Plastics Insight, MPX, MPX (design/logo), Moldflow Plastics Xpert, Mudbox, Multi-Master Editing, Navisworks, ObjectARX, ObjectDBX, Open Reality, Opticore, Opticore Opus, Pipeplus, PolarSnap, PortfolioWall, Powered with Autodesk Technology, Productstream, ProjectPoint, ProMaterials, RasterDWG, RealDWG, Real-time Roto, Recognize, Render Queue, Retimer,Reveal, Revit, Showcase, ShowMotion, SketchBook, Smoke, Softimage, Softimage|XSI (design/logo), Sparks, SteeringWheels, Stitcher, Stone, StudioTools, Topobase, Toxik, TrustedDWG, ViewCube, Visual, Visual LISP, Volo, Vtour, Wire, Wiretap, WiretapCentral, XSI, and XSI (design/logo).Automatic Duck and the duck logo are trademarks of Automatic Duck, Inc.Mac OS is a trademark of Apple Inc., registered in the U.S. and other countries.Python is a registered trademark of Python Software Foundation. All other brand names, product names or trademarks belong to their respective holders.DisclaimerTHIS PUBLICATION AND THE INFORMATION CONTAINED HEREIN IS MADE AVAILABLE BY AUTODESK, INC. "AS IS." AUTODESK, INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE REGARDING THESE MATERIALS.Published by: Autodesk, Inc.111 Mclnnis ParkwaySan Rafael, CA 94903, USATitle: Autodesk Smoke 2010 for Mac OS X International Keyboard Reference GuideDocument Version: 1Date: December 09, 2009Keyboard Layouts Topics in this chapter:■Introduction on page 1■US English Keyboard on page 3■International English Keyboard on page 4■European French Keyboard on page 5■European German Keyboard on page 7■European Spanish Keyboard on page 8■Japanese Keyboard on page 9IntroductionAutodesk ® Smoke ® 2010 for Mac OS ® X uses a US English keyboard layout as the default layout when assigning hotkeys (keyboard shortcuts). You can use a different keyboard such as a German keyboard with your Smoke system, but keep in mind that some hotkeys may not work, and other hotkeys may be remapped to a different location.In the Smoke Hotkey Editor you can select the keyboard you are using in the Keyboard Type box.11On your Smoke system, you have the choice of the following Mac keyboards:■109-Key (Mac - US English)■110-Key (Mac - International English)■110-Key (Mac - European French)■110-Key (Mac - European German)■110-Key (Mac - European Spanish)■112-Key (Mac - Japanese)When you select your keyboard, the onscreen keyboard is changed to reflect your choice, and entries in theHotkey Catalogue are updated accordingly.NOTE If a hotkey is set on a key not available for the keyboard selected, the Hotkey Catalogue displays the entryin black. In this case, you can remap an unavailable hotkey to another key that your keyboard supports.See the following pages for specific layout and hotkey information for your keyboard. For more informationon working with the Hotkey Editor in general, see the Managing Hotkeys chapter in your Smoke User Guide.2 | Chapter 1 Keyboard LayoutsUS English KeyboardThis is the default QWERTY keyboard.US English Keyboard | 3International English KeyboardThis is a slight variation on the QWERTY keyboard.There are no remapped keys on the International English keyboard, but be aware that the ` key is found tothe left of the z key.4 | Chapter 1 Keyboard LayoutsEuropean French KeyboardThis is the AZERTY keyboard.The following keys in the French keyboard layout are remapped to US English keys (in light blue in the Hotkey Editor layout).French KeyUS English Remap1&é2“34‘(5§6è7!8ç9à)--=qazw^[$]qam;‘ù‘\European French Keyboard | 5French KeyUS English Remap<`wz,m;,:.=/Sup>Del>., (on the numerickeypad)6 | Chapter 1 Keyboard LayoutsEuropean German KeyboardThis the QWERTZ keyboard.The following keys in the German keyboard layout are remapped to US English keys (in light blue in the Hotkey Editor layout).German KeyUS English Remapß-‘=zyü[+]ö;‘ä#\<`yz-/Entf>Del>, (on the numeric.keypad)European German Keyboard | 7European Spanish KeyboardThis is another variation of the QWERTY keyboard.The following keys in the Spanish keyboard layout are remapped to US English keys (in light blue in theHotkey Editor layout).Spanish KeyUS English Remap‘-¡=`[=]n;'‘\ç<`/-, (on the numeric.keypad)8 | Chapter 1 Keyboard LayoutsJapanese KeyboardThis variation of the QWERTY keyboard is typically used in Japan.The following keys in the Japanese keyboard layout are remapped to US English keys (in light blue in the Hotkey Editor layout).US English RemapJapanese Key¥\Japanese Keyboard | 9。

Mac 0S X苹果电脑系统启动完整过程详解启动过程：1、电源开启。

2、执行固件中的代码。

3、收集硬件信息并初始硬件。

4、选择启动项（通常是选择OS，但有时会选择硬件测试等类似情況。

）。

用户可能会被提示进行启动先择。

5、控制权交给/System/Library/CoreServices/BootX（启动引导器）。

BootX载入内核并描绘OS标识（如有）。

BootX尝试载入先前绶存的设备驱动列表（根据/usr/sbin/kextcache 进行创建或更新）。

绶存的类型为mkext且为多内核扩展包含了信息词典（info dictionaries）与二进制文件。

注意：如果mkext缓存丢失或损坏，BootX将在/System/Library/Extensions 中搜索当前方案中所需要的扩展（由该扩展包中Info.plist文件的OSBundleRequired属性值进行决定。

）6、执行内核中的init例程。

決定要启动之系统的根设备。

从此刻起，将不再使用固件中的程序。

7、由内核初始各种Mach/BSD数据结构。

8、初始I/O（输入输出）设备。

9、内核开始运行/sbin/mach_init，Mach服务命名（引导程序）后台。

Mach_init为服务名和要准备访问其它服务所用的Mach端口提供映射。

到这步时，启动开始转为用户等级。

10、mach_init开始/sbin/init，传统的BSD初始化（init）进程。

初始化将决定运行等级，并运行/etc/rc.boot（设置让机器能够运行单用户－single user模式）。

在此步中，将执行：rc.boot与其它rc脚本源程序/etc/mon，一个包含实用功能的shell脚本，如CheckForNetwork（）（检查如网络已启动），GetPID（），purgedir（）（仅删除目录内容，而非结构），等。

11、rc．boot会显示要启动的类型（多用户，安全模式，光驱，网络等等）。

在Mac OS使用globalSAN iSCSI Initiator连接至iSCSI装置本文说明如何使用Mac的globalSAN iSCSI initiator新增iSCSI装置(QNAP NAS)，扩充磁盘容量。

首先，请确定您已在NAS的管理页面[装置设定]>[iSCSI装置]建立iSCSI装置，并在您的操作系统安装好正确的iSCSI initiator。

关于globalSAN iSCSI initiatorglobalSAN initiator 是专为Mac操作系统而设的iSCSI initiator (系统需求为Mac OS X 或以后版本)，使用者可透过globalSAN initiator的友善接口连接至iSCSI target。

关于软件的详细数据，请参考：在System Preference执行iSCSI initiator。

按[+]，输入NAS IP加入portal。

在[Targets]选项下会显示所有iSCSI targets，在要连接的target名称右方勾选[Connected]。

输入登入信息。

当您第一次连接至iSCSI target时，系统会显示一个对话框提醒您磁盘尚未格式化，按[Initialize…] 格式化磁盘。

您亦可以开启[Disk Utilities]格式化磁盘。

格式化iSCSI target。

完成后，您可以开始把iSCSI target当作Mac的外接硬盘使用。

通过Mac OS X 访问iSCSI target适用于OS X 的 iSCSI initiator 有好些，在此我们以应用较普遍的 globalSAN iSCSI initiator 为例。

大致可将访问ReadyNAS 上的iSCSI target 分为简单的三个分步骤。

步骤 1：下载并安装 globalSAN iSCSI InitiatorStudio Network Solutions 已授权使用者可免费下载 globalSAN iSCSI Initiator ，点击下图即可访问他们的下载页面.安装后须将Mac重启。