{"id":51093697,"url":"https://github.com/ac0d3r/machbox","last_synced_at":"2026-06-24T04:30:35.077Z","repository":{"id":364205936,"uuid":"1232949275","full_name":"ac0d3r/machbox","owner":"ac0d3r","description":"Machbox is a native, lightweight, single-binary malware analysis sandbox for macOS.","archived":false,"fork":false,"pushed_at":"2026-06-19T03:48:59.000Z","size":8303,"stargazers_count":9,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-19T05:25:00.359Z","etag":null,"topics":["macos","malware-analysis","sandbox"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ac0d3r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-08T12:42:11.000Z","updated_at":"2026-06-19T03:49:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ac0d3r/machbox","commit_stats":null,"previous_names":["ac0d3r/machbox"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/ac0d3r/machbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac0d3r%2Fmachbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac0d3r%2Fmachbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac0d3r%2Fmachbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac0d3r%2Fmachbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ac0d3r","download_url":"https://codeload.github.com/ac0d3r/machbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac0d3r%2Fmachbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34717593,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-24T02:00:07.484Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["macos","malware-analysis","sandbox"],"created_at":"2026-06-24T04:30:30.349Z","updated_at":"2026-06-24T04:30:35.029Z","avatar_url":"https://github.com/ac0d3r.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Machbox\n\nMachbox is a native, lightweight malware analysis sandbox for macOS that combines static and dynamic analysis, built on Apple native frameworks (`Virtualization.framework`, `EndpointSecurity.framework`, `DTrace`, etc.).\n\nEnglish | [中文](./docs/README_CN.md)\n\n\u003cimg src=\"docs/imgs/machbox-reports.png\" alt=\"Analysis Reports\" width=\"680\" /\u003e\n\n## Features\n\n### Supported Formats\n\n- mach-o\n- .app bundle\n- .dmg Disk Image\n- zip archive (supports password extraction)\n\n### Analysis Capabilities\n\n- **Static Analysis**: Mach-O parsing, code signing \u0026 entitlements, strings extraction, and recursive scanning of directories, archives and app bundles.\n- **Dynamic Analysis**: Process execution, file-system activity, network connections, persistence attempts, privilege escalation, and code injection detection.\n- **Behavioral Summarization**: Risk scoring, verdict generation, and a built-in Web UI to browse full analysis reports.\n\n### Technical Highlights\n\n- **Native Apple Silicon Sandbox**: `Virtualization.framework` + `APFS Clone` snapshot \u0026 rollback.\n- **Native vsock Control Channel**: Host-guest communication uses a custom protocol (`AF_VSOCK` + TLV).\n- **Dual-source Dynamic Collection**: `EndpointSecurity` 40+ events + `DTrace` for network events; unified JSONL logs.\n- **macOS Semantic Analysis**: Deep parsing of Mach-O, code signing, and entitlements, with combined static and dynamic scoring.\n- **Lightweight Deployment**: Single binary, compatible with `VirtualBuddy(.vbvm)`; disabled network by default with optional NAT.\n\n## System Requirements\n\n- **Apple Silicon Mac**\n- **macOS 13+**\n\n## Download\n\nPrebuilt Apple Silicon binaries are available on the [GitHub Releases](https://github.com/ac0d3r/machbox/releases) page.\n\n```bash\ncurl -L -o machbox https://github.com/ac0d3r/machbox/releases/latest/download/machbox-darwin-arm64\nchmod +x machbox\n```\n\n\u003e The release binary is ad-hoc signed, macOS Gatekeeper will block it until you remove the quarantine attribute with `xattr -d com.apple.quarantine`.\n\n## Build from Source\n\n```bash\ngit clone https://github.com/ac0d3r/machbox.git\ncd machbox\nmake build\n```\n\nThe compiled binary will be at `bin/machbox`.\n\n## Environment Setup\n\nOnly needs to be done once. After setup, you can run sample analysis repeatedly.\n\n### Create a Base VM with VirtualBuddy\n- Open [VirtualBuddy](https://github.com/insidegui/VirtualBuddy) and create a new macOS VM.\n\n    - Optional (during creation, uncheck \"Enable VirtualBuddy Guest App\")\n\n      \u003cimg src=\"docs/imgs/Disabled_VirtualBuddy_Guest_App.png\" alt=\"Uncheck Guest App\" width=\"350\" /\u003e\n\n3. Complete the macOS setup inside the VM (region, account, etc.).\n\n### Disable SIP in the Guest VM\n\n1. In VirtualBuddy, enable **Boot in recovery mode** for the VM.\n\n\u003cimg src=\"docs/imgs/enable_Boot_in_recovery_mode.png\" alt=\"Disable SIP\" width=\"300\" /\u003e\n\n2. Start the VM and open **Utilities → Terminal** from the menu bar.\n\n3. Run:\n\n   ```bash\n   csrutil disable\n   ```\n\n4. Restart the VM normally.\n\n### Install the Machbox Guest Agent\n\nOn your host machine, run:\n\n```bash\nmachbox setup -m /path/to/your_Machbox.vbvm\n```\n\nInside the VM:\n\n1. Open Finder and select `MachboxGuest` from the sidebar.\n2. Install `machbox-guest.pkg`.\n3. Wait for the installation to finish (Xcode Command Line Tools will be installed silently).\n4. Shut down the VM.\n\n---\n\n## Analyze Samples\n\n```bash\nmachbox analyze -m /path/to/your_Machbox.vbvm /path/to/sample\n```\n\nCommon options:\n\n| Option | Description | Default |\n|--------|-------------|---------|\n| `-m, --vbvm` | **Required** Path to the VirtualBuddy VM bundle | — |\n| `--timeout` | Dynamic analysis timeout (seconds) | `60` |\n| `--password` | Password for encrypted archives | — |\n| `--headless` | Run without a GUI window (auto-shutdown after analysis) | `true` |\n| `--display` | Display resolution | `1920x1200` |\n| `--network-mode` | Network mode (e.g., `NAT`) | Disabled |\n\nSupports passing command-line arguments to the sample:\n\n```bash\nmachbox analyze [flags] \u003csample\u003e [--] [sample-args...]\n```\n\n## View Analysis Reports\n\nAll analysis results are automatically stored in a local database and can be viewed through the built-in Web UI:\n\n```bash\nmachbox report-view\n```\n\nOpen your browser and visit `http://127.0.0.1:8080` to browse the complete analysis reports.\n\n### Report Preview\n\n| Static Analysis | Dynamic Analysis |\n|:--|:--|\n| \u003cimg src=\"docs/imgs/demo/static_1.png\" width=\"400\" /\u003e | \u003cimg src=\"docs/imgs/demo/dynamic_1.png\" width=\"400\" /\u003e |\n| \u003cimg src=\"docs/imgs/demo/static_2.png\" width=\"400\" /\u003e | \u003cimg src=\"docs/imgs/demo/dynamic_2.png\" width=\"400\" /\u003e |\n\n## Architecture\n\n```mermaid\nflowchart TB\n    User([\"User: machbox analyze sample\"])\n\n    subgraph Host[\"Host\"]\n        Machbox[\"machbox\"]\n        Snapshot[\"Snapshot\"]\n        ShareDir[\"SharedDir\u003cbr\u003e(tools|sample)\"]\n        Report[\"Report(Web UI)\"]\n    end\n\n    subgraph Guest[\"Guest VM\"]\n        Agent[\"Guest Agent\"]\n        Analysis[\"static and dynamic\u003cbr\u003eanalysis\"]\n        Sample[\"malware sample\"]\n    end\n\n    User --\u003e Machbox\n    Machbox --\u003e |read-only|ShareDir\n    ShareDir --\u003e |APFS clone|Snapshot\n    Snapshot --\u003e Agent\n    Agent \u003c--\u003e Analysis\n    Analysis --\u003e Sample\n    Machbox \u003c--\u003e Report\n```\n\n## Acknowledgments\n\n- https://github.com/blacktop/go-macho\n- https://github.com/Code-Hex/vz\n- https://github.com/insidegui/VirtualBuddy\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fac0d3r%2Fmachbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fac0d3r%2Fmachbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fac0d3r%2Fmachbox/lists"}