Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Interposing on Kernel Mach RPC• Mach system calls allow Mach RPC to in-kernelservers which perform task, thread, and VMoperations• RPC routines are stored in the mig_buckets hashtable by subsystem id + subroutine id• Analogous to sysent table for Unix system calls• Incoming Mach messages sent to a kernel-ownedport are dispatched through mig_buckets• We can interpose on these function calls or injectnew RPC servers by modifying this hash table48
Example: inject_subsystemint inject_subsystem(const struct mig_subsystem * mig){}mach_msg_id_t h, i, r;// Insert each subroutine into mig_buckets hash tablefor (i = mig->start; i < mig->end; i++) {}mig_hash_t* bucket;h = MIG_HASH(i);do { bucket = &mig_buckets[h % MAX_MIG_ENTRIES];} while (mig_buckets[h++ % MAX_MIG_ENTRIES].num != 0 &&if (bucket->num == 0) {}return -1;h < MIG_HASH(i) + MAX_MIG_ENTRIES);r = mig->start - i;// We found a free spotbucket->num = i;bucket->routine = mig->routine[r].stub_routine;if (mig->routine[r].max_reply_msg)elsereturn 0;bucket->size = mig->routine[r].max_reply_msg;bucket->size = mig->maxsize;49
Page 1 and 2: AdvancedMac OS X RootkitsDino Dai Z
Page 3 and 4: WHAT IS MACH?3
Page 5 and 6: Mac OS X System ArchitectureSUP DAW
Page 7 and 8: Mach Microkernel Abstractions• Ta
Page 9 and 10: Example: Bootstrap server• Tasks
Page 11 and 12: Mach Tasks vs. BSD Processes• Mac
Page 13 and 14: Mach Task/Thread System Calls•Mac
Page 15 and 16: Why Mach-based Rootkits?• Traditi
Page 17 and 18: Injecting Mach Threads• Get acces
Page 19 and 20: Injecting Mach Bundles• Inject th
Page 21 and 22: Hooking and Swizzling• Hooking C
Page 23 and 24: INJECTED BUNDLE DEMO23
Page 25 and 26: NetMessage and NetName servers• N
Page 27 and 28: Machiavelli Architecture• Machiav
Page 29 and 30: Machiavelli Message FlowMachiavelli
Page 35 and 36: Complex Mach Messages• “Complex
Page 37 and 38: Serializing Mach Messages• Serial
Page 39 and 40: Machiavelli exampleint main(int arg
Page 41 and 42: Miscellaneous Agent services• Age
Page 43 and 44: MACH IN THE KERNEL43
Page 45 and 46: Uncloaking Kernel Rootkits• Acces
Page 47: Evasive Maneuvers• Unix system ca
Page 51: Conclusion• Mach is a whole lot o

Advanced Mac OS X Rootkits.pdf - Reverse Engineering Mac OS X

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?