Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

More documents

Recommendations

Info

UNCLOAK DEMO46
Evasive Maneuvers• Unix system call filtering can’t evadeMach kernel RPC (different interface)• There’s no reason why kernel rootkitsneed to be loaded as Mach-O objects–vm_allocate() + thread_create() on kernel task–DKOM, return-oriented rootkits, etc.• Alternatively, filter in-kernel Mach RPCservers47
Page 1 and 2: AdvancedMac OS X RootkitsDino Dai Z
Page 3 and 4: WHAT IS MACH?3
Page 5 and 6: Mac OS X System ArchitectureSUP DAW
Page 7 and 8: Mach Microkernel Abstractions• Ta
Page 9 and 10: Example: Bootstrap server• Tasks
Page 11 and 12: Mach Tasks vs. BSD Processes• Mac
Page 13 and 14: Mach Task/Thread System Calls•Mac
Page 15 and 16: Why Mach-based Rootkits?• Traditi
Page 17 and 18: Injecting Mach Threads• Get acces
Page 19 and 20: Injecting Mach Bundles• Inject th
Page 21 and 22: Hooking and Swizzling• Hooking C
Page 23 and 24: INJECTED BUNDLE DEMO23
Page 25 and 26: NetMessage and NetName servers• N
Page 27 and 28: Machiavelli Architecture• Machiav
Page 29 and 30: Machiavelli Message FlowMachiavelli
Page 35 and 36: Complex Mach Messages• “Complex
Page 37 and 38: Serializing Mach Messages• Serial
Page 39 and 40: Machiavelli exampleint main(int arg
Page 41 and 42: Miscellaneous Agent services• Age
Page 43 and 44: MACH IN THE KERNEL43
Page 45: Uncloaking Kernel Rootkits• Acces
Page 49 and 50: Example: inject_subsystemint inject
Page 51: Conclusion• Mach is a whole lot o

Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

Create successful ePaper yourself

Delete template?

Save as template?