Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

More documents

Recommendations

Info

Mach VM API ‣ ‣ ‣ ‣ TECHNIQUES GETTING CODE INTO THE KERNEL Used by Dino Dai Zovi in “Machiavelli” And Bosse Erikson in “Mirage” Works like this Call task_for_pid() to get Mach task for kernel ‣ vm_allocate() ‣ vm_write() ‣ ‣ Apple seems to pay attention to these talks From current task_for_pid(): ! /* Always check if pid == 0 */ ! if (pid == 0) { ! ! (void ) copyout((char *)&t1, task_addr, sizeof(mach_port_name_t)); ! ! AUDIT_MACH_SYSCALL_EXIT(KERN_FAILURE); ! ! return(KERN_FAILURE); ! } FAILZ Defiling Mac OS X - Ruxcon November, 2011
TECHNIQUES GETTING CODE INTO THE KERNEL Kernel Extensions (KEXTs) ‣ Supported and well documented ‣ Mach-O “bundle” with binary blob + other data ‣ _start() ‣ _stop() ‣ Defined “KPIs” (Kernel Programming Interfaces, smartarse) ‣ One small problem ‣ KXLD hates us ‣ Only resolves within supported KPIs ‣ We’ll resolve our own damn symbols Defiling Mac OS X - Ruxcon November, 2011
Page 1 and 2: DEFILING MAC OS X: KERNEL ROOTKITS
Page 3 and 4: STUFF Things I will talk about ‣
Page 5 and 6: Defiling Mac OS X - Ruxcon November
Page 7 and 8: GETTING CODE INTO THE KERNEL Defili
Page 9: TECHNIQUES GETTING CODE INTO THE KE
Page 13 and 14: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 15 and 16: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 17 and 18: TECHNIQUES SYSCALL HOOKS Old faithf
Page 19 and 20: TECHNIQUES SYSCALL HOOKS static str
Page 21 and 22: TECHNIQUES TRUSTEDBSD HOOKS Trusted
Page 23 and 24: TECHNIQUES TRUSTEDBSD HOOKS kern_re
Page 25 and 26: TECHNIQUES NETWORKING HOOKS Registe
Page 27 and 28: ROOTKITTERY Defiling Mac OS X - Rux
Page 29 and 30: TECHNIQUES PROCESS PRIVESC void pro
Page 31 and 32: TECHNIQUES HIDING PROCESSES Might l
Page 33 and 34: TECHNIQUES HIDING FILES Hiding file
Page 35 and 36: ONE MORE THING... *cue turtleneck*
Page 37 and 38: EFI THE EXPLOSIVE FARMVILLE INVARIA
Page 39 and 40: EFI THE EXPANSIVE FURNITURE INTERFE
Page 41 and 42: REFERENCES Mac OS X Kernel Programm

Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?