Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Mach Security Model• Tasks, ports, and port rights formMach’s capability-based security model• Mach has no notion of users or groups• Obtaining SEND rights on a port may bea privilege escalation–SEND rights on another task’s task port givesfull control over that task10
Mach Tasks vs. BSD Processes• Mach Tasks own Threads, Ports, and Virtual Memory• BSD Processes own file descriptors, etc.• BSD Processes Mach Task– task_for_pid(), pid_for_task()• POSIX Thread != Mach Thread– Library functions use TLS BSD ProcessMachThreadMachThreadMach TaskMach Portnamespace...MachThreadVirtual Memory(mapping, permissions,memory regions)11
Page 1 and 2: AdvancedMac OS X RootkitsDino Dai Z
Page 3 and 4: WHAT IS MACH?3
Page 5 and 6: Mac OS X System ArchitectureSUP DAW
Page 7 and 8: Mach Microkernel Abstractions• Ta
Page 9: Example: Bootstrap server• Tasks
Page 13 and 14: Mach Task/Thread System Calls•Mac
Page 15 and 16: Why Mach-based Rootkits?• Traditi
Page 17 and 18: Injecting Mach Threads• Get acces
Page 19 and 20: Injecting Mach Bundles• Inject th
Page 21 and 22: Hooking and Swizzling• Hooking C
Page 23 and 24: INJECTED BUNDLE DEMO23
Page 25 and 26: NetMessage and NetName servers• N
Page 27 and 28: Machiavelli Architecture• Machiav
Page 29 and 30: Machiavelli Message FlowMachiavelli
Page 35 and 36: Complex Mach Messages• “Complex
Page 37 and 38: Serializing Mach Messages• Serial
Page 39 and 40: Machiavelli exampleint main(int arg
Page 41 and 42: Miscellaneous Agent services• Age
Page 43 and 44: MACH IN THE KERNEL43
Page 45 and 46: Uncloaking Kernel Rootkits• Acces
Page 47 and 48: Evasive Maneuvers• Unix system ca
Page 49 and 50: Example: inject_subsystemint inject
Page 51: Conclusion• Mach is a whole lot o

Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

Create successful ePaper yourself

Delete template?

Save as template?