Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Deserializing <strong>Mac</strong>h Messages• Port names in the mach message must bereplaced with local port names• On Agent, this is done to receive the reply• On Proxy, this is done to replace transferredport names with proxy port names–Ensures that only the initial port must be manuallyobtained from the proxy, the rest are handledautomatically• OOL memory is mapped+copied into addressspace38
<strong>Mac</strong>hiavelli exampleint main(int argc, char* argv[]){kern_return_t kr;mach_port_t port;vm_size_t page_size;machiavelli_t m = machiavelli_init();machiavelli_connect_tcp(m, "192.168.13.37", "31337");port = machiavelli_host_self(m);if ((kr = _host_page_size(port, &page_size)) != KERN_SUCCESS) {errx(EXIT_FAILURE, "_host_page_size: %s", mach_error_string(kr));}printf("Remote host page size: %d\n", page_size);}return 0;39
Page 1 and 2: AdvancedMac OS X RootkitsDino Dai Z
Page 3 and 4: WHAT IS MACH?3
Page 5 and 6: Mac OS X System ArchitectureSUP DAW
Page 7 and 8: Mach Microkernel Abstractions• Ta
Page 9 and 10: Example: Bootstrap server• Tasks
Page 11 and 12: Mach Tasks vs. BSD Processes• Mac
Page 13 and 14: Mach Task/Thread System Calls•Mac
Page 15 and 16: Why Mach-based Rootkits?• Traditi
Page 17 and 18: Injecting Mach Threads• Get acces
Page 19 and 20: Injecting Mach Bundles• Inject th
Page 21 and 22: Hooking and Swizzling• Hooking C
Page 23 and 24: INJECTED BUNDLE DEMO23
Page 25 and 26: NetMessage and NetName servers• N
Page 27 and 28: Machiavelli Architecture• Machiav
Page 29 and 30: Machiavelli Message FlowMachiavelli
Page 35 and 36: Complex Mach Messages• “Complex
Page 37: Serializing Mach Messages• Serial
Page 41 and 42: Miscellaneous Agent services• Age
Page 43 and 44: MACH IN THE KERNEL43
Page 45 and 46: Uncloaking Kernel Rootkits• Acces
Page 47 and 48: Evasive Maneuvers• Unix system ca
Page 49 and 50: Example: inject_subsystemint inject
Page 51: Conclusion• Mach is a whole lot o

Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?