dtrace-infiltrate

Recommendations

Info

Apache Javascript Injector Inject Javascript code into every HTML page served. Javascript payload inserted from memory, no touching disk.
Apache Javascript Injector Hook open, looking for .htm in the filename. Store the fd in htmlfd[] array for other probes. Close removes fd obviously… syscall::open*:return /execname == "httpd" && (strstr(fds[arg1].fi_pathname+2,".htm") != 0) / { /* store pid for read */ htmlfd[arg1] = 1; printf("[+] Adding open for: %s returned fd: %i\n",fds[arg1].fi_pathname +2,arg1); }
Page 1 and 2:
Destructive D-Trace With Great Powe
Page 3 and 4:
What is Dtrace? Dynamic Instrument
Page 5 and 6:
What is Dtrace? Dtrace executable
Page 7 and 8:
Data Types C style types. (int/lon
Page 9 and 10:
copyin()/copyinstr() Dtrace code i
Page 11 and 12:
Chill void chill(int nanoseconds)
Page 13 and 14:
Pros Anti-forensics properties: Pa
Page 15 and 16: copyout/copyoutstr Write a block o
Page 17 and 18: Limitations on Constructs Cannot m
Page 19 and 20: Example: spassrm.d pid$target::strn
Page 21 and 22: Local Backdoor
Page 23 and 24: `ls` Uses getdirentries64() syscal
Page 25 and 26: Dirent Modification - DIRENT 1 Befo
Page 27 and 28: Hooking `ls` - Return syscall::getd
Page 29 and 30: Hooking Finder Apple implemented a
Page 31 and 32: Hooking Finder - Method Read in wh
Page 33 and 34: Finder Demo
Page 35 and 36: Hiding from `lsof` for (ef = 0; !ef
Page 37 and 38: Hiding from `lsof` - 2 nd Entrypoin
Page 39 and 40: Hiding from `lsof` syscall::proc_in
Page 41 and 42: Hiding Processes Processes need hi
Page 43 and 44: Hiding from `ps` ps on OSX uses sy
Page 45 and 46: Hiding from `ps` - tasks.c int get_
Page 47 and 48: Hiding from `ps`
Page 49 and 50: libtop libtop_p_task_update(task_t
Page 51 and 52: libtop mach_trap::pid_for_task:retu
Page 53 and 54: activitymonitord Turns out libtop
Page 55 and 56: OpenSSHd Backdoor Almost no system
Page 57 and 58: dshdbd.d - (Client) Modify the nex
Page 59 and 60: OpenSSHd Backdoor - read passwd hoo
Page 61 and 62: OpenSSHd Backdoor Next the fstat64
Page 63 and 64: SSHd Backdoor - Output -[dcbz@squee
Page 65: utmpx Disable Next, a write() hook
Page 69 and 70: Writev() syscall writev(int fildes,
Page 71 and 72: Apache Javascript Injector /* copy
Page 73 and 74: Designing OSX Rootkits nemo/fracta
show all

dtrace-infiltrate

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?