Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

More documents

Recommendations

Info

<strong>Mac</strong>h Exceptions• Tasks and Threads generate exceptions on memory errors• Another thread (possibly in another task) may register asthe exception handler for another thread or task• Exception handling process:1. A Thread causes a runtime error, generates anexception2. Exception is delivered to thread exception handler (ifexists)3. Exception is delivered to task’s exception handler (ifexists)4. Exception converted to Unix signal and delivered to BSDProcess18
Injecting <strong>Mac</strong>h Bundles• Inject threads to call functions in the remote process– Remote thread calls injected trampoline code and thentarget function– Function returns to chosen bad address, generates anexception– Injector handles exception, retrieves function return value• Call dlopen(), dlsym(), dlclose() to load bundle from disk• Inject memory, call NSCreateObjectFileImageFromMemory(),NSLinkModule()• Injected bundle can hook library functions, Objective-Cmethods19
Page 1 and 2: AdvancedMac OS X RootkitsDino Dai Z
Page 3 and 4: WHAT IS MACH?3
Page 5 and 6: Mac OS X System ArchitectureSUP DAW
Page 7 and 8: Mach Microkernel Abstractions• Ta
Page 9 and 10: Example: Bootstrap server• Tasks
Page 11 and 12: Mach Tasks vs. BSD Processes• Mac
Page 13 and 14: Mach Task/Thread System Calls•Mac
Page 15 and 16: Why Mach-based Rootkits?• Traditi
Page 17: Injecting Mach Threads• Get acces
Page 21 and 22: Hooking and Swizzling• Hooking C
Page 23 and 24: INJECTED BUNDLE DEMO23
Page 25 and 26: NetMessage and NetName servers• N
Page 27 and 28: Machiavelli Architecture• Machiav
Page 29 and 30: Machiavelli Message FlowMachiavelli
Page 35 and 36: Complex Mach Messages• “Complex
Page 37 and 38: Serializing Mach Messages• Serial
Page 39 and 40: Machiavelli exampleint main(int arg
Page 41 and 42: Miscellaneous Agent services• Age
Page 43 and 44: MACH IN THE KERNEL43
Page 45 and 46: Uncloaking Kernel Rootkits• Acces
Page 47 and 48: Evasive Maneuvers• Unix system ca
Page 49 and 50: Example: inject_subsystemint inject
Page 51: Conclusion• Mach is a whole lot o

Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?