Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

More documents

Recommendations

Info

inject-bundle• inject-bundle–Inject a bundle from disk into a running process–Usage: inject_bundle path_to_bundle [ pid ]• Sample bundles–test: Print output on load/run/unload–isight: Take a picture using iSight camera–sslspy: Log SSL traffic sent throughSecureTransport–ichat: Log IMs from within iChat20
Hooking and Swizzling• Hooking C functions is basically the sameas on any other platform–see Rentzsch’s mach_override• Objective-C runtime has hooking built-in:–method_exchangeImplementations()–or just switch the method pointers manually–all due to Obj-C’s dynamic runtime–use JRSwizzle for portability21
Page 1 and 2: AdvancedMac OS X RootkitsDino Dai Z
Page 3 and 4: WHAT IS MACH?3
Page 5 and 6: Mac OS X System ArchitectureSUP DAW
Page 7 and 8: Mach Microkernel Abstractions• Ta
Page 9 and 10: Example: Bootstrap server• Tasks
Page 11 and 12: Mach Tasks vs. BSD Processes• Mac
Page 13 and 14: Mach Task/Thread System Calls•Mac
Page 15 and 16: Why Mach-based Rootkits?• Traditi
Page 17 and 18: Injecting Mach Threads• Get acces
Page 19: Injecting Mach Bundles• Inject th
Page 23 and 24: INJECTED BUNDLE DEMO23
Page 25 and 26: NetMessage and NetName servers• N
Page 27 and 28: Machiavelli Architecture• Machiav
Page 29 and 30: Machiavelli Message FlowMachiavelli
Page 35 and 36: Complex Mach Messages• “Complex
Page 37 and 38: Serializing Mach Messages• Serial
Page 39 and 40: Machiavelli exampleint main(int arg
Page 41 and 42: Miscellaneous Agent services• Age
Page 43 and 44: MACH IN THE KERNEL43
Page 45 and 46: Uncloaking Kernel Rootkits• Acces
Page 47 and 48: Evasive Maneuvers• Unix system ca
Page 49 and 50: Example: inject_subsystemint inject
Page 51: Conclusion• Mach is a whole lot o

Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

Create successful ePaper yourself

Delete template?

Save as template?