Suffering from post-conference boredom I decided to redo Onyx The Black Cat kernel extension to kickstart again my brain and get back to serious work. There were also some people asking for an updated version so here it is!

This reworked version uses a kernel control interface to enable/disable its features. It is much better than the sysctl interface used before. It is also compatible with Snow Leopard, Lion, and Mountain Lion, and, hopefully, it should run without any problems in future versions. It uses the disassembler to find the places that need to be patched. That part of the code is not pretty but it works :-) . The symbols are read from /mach_kernel on disk to maintain compatibility with Snow Leopard and below.

It contains measures to bypass the PT_DENY_ATTACH, sysctl, and kauth anti-debug tricks. It also contains an option to re-enable the possibility of task_for_pid() on the kernel task (useful for testing stuff and maybe forensics), and another to patch the CPU resume flag. For some (weird?) reason Apple clears the resume flag from EFLAGS (if I am not mistaken, a similar situation happens with Windows 98), making it impossible to use that single-step feature when building your custom debuggers (very useful for quick single-stepping hacks).

Tested with Snow Leopard 10.6.8 (32/64 bits), Lion 10.7.5 (64 bits), and Mountain Lion 10.8.3 (64 bits).

Code is available at github.

Enjoy,
fG!

NoSuchCon is over and I am finally back home. It was a really great conference with great talks and a full room all the time (let me say I am very surprised about this). The only negative thing was the projection “wall” which was really bad and “killed” almost everyone’s slides. While I understand it is an historical building, that thing must be improved, either with a temporary solution or something else. Good architecture must also be functional else it is not fulfilling its goal. Anyway, awesome conference, congrats to the organizers for all their hard work, and attendees for their enthusiastic interest.

All the conference slides are available here.

My presentation was a reworked SyScan version about OS X rootkits. The DTrace fbt was replaced by the syscall provider and an attack to Volatility, and Little Snitch was removed. Even if it was a trimmed version I still took more time than allocated. I forgot to apologize at the time for that – I just like to give too much information. Sorry for that :-) .

The DTrace syscall provider slides contain an old attack – sysent shadowing – against Volatility. I sort of presented it because I have some issues with the conclusion paragraph at this blog post. It is always easy to find what you know about, but what you do not know is not always true, even when simple tricks are being used. Memory forensics is good progress but we must be very careful with its assumptions. That is my goal with those slides: always question the assumptions, your own and the tools’. As a side note, Volafox is (was?) also vulnerable to the same trick.

Greetings to everyone I met and special greetings to Arnaud and David for the excellent company and wine, even if Benfica lost the UEFA final :-) .

Now it is time to get back to work and writing. There is at least one book to write :-) .

Have fun,
fG!


Let me give you a small gift before moving my ass to Paris to attend and present at NoSuchCon.

Hydra is sample code of a kernel extension that will intercept process creation, suspend the process, and communicate it to a userland daemon that will be in charge of patching the application.

It uses the process hijacking technique I described at SyScan presentation. Instead of injecting a library it leaves the process in a suspended state and makes its PID available for the userland daemon. This daemon will be responsible for patching and resuming the process after.

Using this technique there is no need to re-sign a codesign-protected application because it acts after those checks are done. This is true assuming that the application does not have any additional (internal) code checksum routines. Most don’t; barely any even check the code-signing result (I wanted to patch Dash, which does check the signing certificate or something, and I was too lazy to find where).

As most of my code, it aims to demonstrate “technology” and different ways to do things. It is not feature complete and if I’m not mistaken all the patching could be done from the kernel (right now I’m not sure if codesigning will be verified after the interception point or not, and it is boring to verify it now).

It is available here at github. The kernel extension is fully working, the userland daemon is just a crude example of how to implement it.

See you in Paris if you are attending NoSuchCon. Feel free to meet me there!

Have fun,
fG!

Today I discovered that my slides contain a (stupid) error!
The story begins with Alex Ionescu telling me the symbols are still available in kernel memory in Mountain Lion. I quickly verified this by doing memory dumps and it was really true. Today I finally got some time to sort it out and verify where they were. To my great surprise I fucked up bigtime on my manual calculations and was dumping the wrong memory area (DUH!). I got even more annoyed when I verified that my sample source code has the right formulas! Unfortunately I deleted the computations file I had used for slides #9 and #10, which show memory dumps of the kernel symbol strings, so I could not replicate my original error. After a while I think I found some clues why I messed up…

Snare’s original post about solving kernel symbols uses the following formula: string_table = linkedit_address + (symtab->stroff - symtab->symoff). This works in Lion because the symbol table starts at the beginning of __LINKEDIT. This changed in Mountain Lion, so that formula no longer holds. Rubilyn uses the same formula. That is the assumption that propagated into my computations and led to this mistake. Ah, assumptions, they are so dangerous :-) . I should know better because those slides were created a while after the sample rootkit code. More duh!

The correct formula for where the symbol strings are located is: __LINKEDIT address + kernel ASLR slide + (LC_SYMTAB->stroff - __LINKEDIT->fileoff). These are the values from the kernel image on disk, except for the kernel ASLR slide.
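As an added example (my own code, not snare’s, Rubilyn’s or this post’s), here is a small Python parser that pulls the relevant fields out of a 64-bit Mach-O image and computes the string table address with both formulas side by side. The two sample images, their __LINKEDIT/LC_SYMTAB values and the ASLR slide are constructed inline and are not real kernel numbers; on a real system you would feed it the bytes of /mach_kernel (a thin 64-bit slice, since this parser does not walk fat headers) and the slide you obtained at runtime.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_SYMTAB = 0x02
MACH_HEADER_64_SIZE = 32


def parse_symbol_layout(image):
    """Walk the load commands of a 64-bit little-endian Mach-O image (as read from
    disk) and return the fields the string table computation needs."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _reserved = \
        struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (thin a fat binary first)")
    layout = {}
    off = MACH_HEADER_64_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmd == LC_SEGMENT_64:
            segname = image[off + 8:off + 24].rstrip(b"\0").decode("ascii")
            vmaddr, _vmsize, fileoff, _filesize = struct.unpack_from("<4Q", image, off + 24)
            if segname == "__LINKEDIT":
                layout["linkedit_vmaddr"] = vmaddr
                layout["linkedit_fileoff"] = fileoff
        elif cmd == LC_SYMTAB:
            symoff, _nsyms, stroff, _strsize = struct.unpack_from("<4I", image, off + 8)
            layout["symoff"] = symoff
            layout["stroff"] = stroff
        off += cmdsize
    missing = {"linkedit_vmaddr", "linkedit_fileoff", "symoff", "stroff"} - set(layout)
    if missing:
        raise ValueError("image lacks " + ", ".join(sorted(missing)))
    return layout


def string_table_address(layout, slide):
    """Corrected formula from the post: __LINKEDIT vmaddr + ASLR slide +
    (LC_SYMTAB stroff - __LINKEDIT fileoff)."""
    return layout["linkedit_vmaddr"] + slide + (layout["stroff"] - layout["linkedit_fileoff"])


def string_table_address_old(layout, slide):
    """Older formula: __LINKEDIT vmaddr + slide + (stroff - symoff). It is only right
    when the symbol table starts exactly at the beginning of __LINKEDIT."""
    return layout["linkedit_vmaddr"] + slide + (layout["stroff"] - layout["symoff"])


def compare_formulas(image, slide):
    """Return (corrected, old) so the two assumptions can be checked against each other."""
    layout = parse_symbol_layout(image)
    return string_table_address(layout, slide), string_table_address_old(layout, slide)


def build_sample_image(linkedit_vmaddr, linkedit_fileoff, symoff, stroff):
    """Constructed minimal Mach-O 64: header + one LC_SEGMENT_64 (__LINKEDIT) + one
    LC_SYMTAB. Not a real kernel; every number is made up for the demonstration."""
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, b"__LINKEDIT",
                      linkedit_vmaddr, 0x1000, linkedit_fileoff, 0x1000, 7, 1, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, 0, stroff, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2,
                         len(seg) + len(symtab), 0, 0)
    return header + seg + symtab


# Constructed layouts (not real kernel values). In the first the symbol table sits at the
# very start of __LINKEDIT, so both formulas agree; in the second it does not, and only
# the corrected formula lands on the string table.
LION_LIKE = build_sample_image(0xFFFFFF8000A00000, 0xA00000, 0xA00000, 0xA30000)
ML_LIKE = build_sample_image(0xFFFFFF8000A00000, 0xA00000, 0xA08000, 0xA30000)
SAMPLE_SLIDE = 0x1000000  # assumed ASLR slide; on a real system this comes from runtime

if __name__ == "__main__":
    for name, img in (("lion-like", LION_LIKE), ("mountain-lion-like", ML_LIKE)):
        good, old = compare_formulas(img, SAMPLE_SLIDE)
        verdict = "same" if good == old else "DIFFER"
        print(f"{name}: corrected=0x{good:x} old=0x{old:x} ({verdict})")
```

Running it prints the same address for both formulas on the first layout and two addresses 0x8000 apart on the second, which is exactly the kind of wrong memory area the slides ended up dumping.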

What is the real impact of this mistake? Kernel symbols can be solved from a kernel extension in Lion and Mountain Lion without using the disk image, but keep in mind that __LINKEDIT is marked as pageable. It still holds true that it is not possible for Snow Leopard and below. The number of Snow Leopard installations is still reasonable, so the solution I presented is not totally useless (besides, it can be used for other fun stuff ;-) ).

Oh well, failure is part of life and the design of our brains is not perfect. You can study and read tons of books about our design flaws and still fall “victim” at unexpected times. One good reason why I love the Human brain :-) .

fG!


SyScan 2013, 10th anniversary edition is over! It is a great conference and I hope it does not end here. I had lots of fun and met new interesting people. Thomas is an awesome host! It helps that I really like Singapore and Asia in general :-) .

My presentation was about Mac OS X kernel rootkits based on the article I submitted to Phrack. Because Phrack is late, I was trying to postpone public availability of my slides. I will also do the “same” presentation at NoSuchCon on the 17th May. The slides were made available at SyScan site so there is no point in holding out anymore. The version available here is the most recent version with some additional changes I did before presentation, and some others after presentation feedback to clarify some points. Thanks to Igor from Hex-Rays, A. Ionescu, and Shane (my assigned drone controller).

The main goal is to show how easy it is to improve OS X rootkits quality, and that we need to invest time (& money) to research and develop detection and protection tools. Nemo also presented about DTrace rootkits at Infiltrate’13, and we (nemo, snare, and I) are starting to write a book about OS X rootkits. Hopefully this should bring some fresh blood to the OS X rootkit scene.

Phrack should be out one of these days – then you can enjoy the long article and sample rootkit source code!

Enjoy,
fG!

SyScan 13 Presentation

This is an up-to-date version of the old original post about recompiling gdb and other open source packages provided by opensource.apple.com. I’m doing it mostly because code signing is now mandatory for gdb and there’s a stupid old bug that Apple still hasn’t fixed since Snow Leopard. I forgot about it on my latest reinstall and lost an afternoon :-) . This way you and I will not make the same mistake.

You should have XCode installed. Follow these steps:

1) Download darwinbuild from their SVN repository.
1.1) Since Snow Leopard there is a svn client by default so no need to download.
1.2) Follow the instructions on how to download, compile and install darwinbuild here. Use the guide for the Snow Leopard/Lion version; it’s compatible with Mountain Lion.

2) Compile and install darwinbuild:

$ make ; sudo make install

3) Create the DMG file and initialize darwinbuild environment (you should use at least 2 gigabytes):

The plists and build numbers are available at http://svn.macosforge.org/repository/darwinbuild/trunk/plists/. Use build number 12A269 (it’s for 10.8.0 but works ok for all others).

$ hdiutil create -size 2G -type UDIF -fs HFSX -volname Builds -uid 0 -gid 0 -attach Builds.dmg
$ sudo sh
# vsdbutil -a /Volumes/Builds
# cd /Volumes/Builds
# mkdir Build12A269
# cd Build12A269
# darwinbuild -init 12A269 (you need an Internet connection for this step)
# darwinxref edit

In darwinxref edit you need to add the gdb package to the configuration. Go to the projects section and add the following:

gdb = {
version = 1822;
};

The default editor is vi. Save and quit. If you get an error about an invalid property list, use the same tab alignment as the other entries. That should fix it.

4) Clone the gdb-ng repo from github if you want my patches included (you probably do!). Else skip to step 5) (darwinbuild will download the package from Apple opensource repo).

# cd /Volumes/Builds/Build12A269/Sources
# git clone git://github.com/gdbinit/gdb-ng.git
# cd gdb-ng
# bash pack.sh
# mv gdb-1822.tar.gz .. (check the version number in case it changes)
# cd /Volumes/Builds/Build12A269

5) Compile gdb.

# darwinbuild -nochroot gdb

The -nosource option has been added to recent darwinbuild versions. It allows you to patch the sources directly in BuildRoot/SourceCache/.
The first time you shouldn’t use this option, so that darwinbuild downloads the gdb package. After that you can use it if you want to patch the gdb source files directly (that’s what I do with my gdb patches). It’s much easier and faster than having to patch and compress the whole gdb source. After you patch, you just issue “darwinbuild -nochroot -nosource gdb” and this will not unpack the original source but instead use whatever is in SourceCache.

Wait for the compilation to finish…

Go to Roots/gdb/gdb-1822.root*/usr/libexec/gdb. You should find a gdb-i386-apple-darwin binary there. Back up the original and copy this one over.

# cp /usr/libexec/gdb/gdb-i386-apple-darwin /usr/libexec/gdb/gdb-i386-apple-darwin.orig
# cp gdb-i386-apple-darwin /usr/libexec/gdb/
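An added helper (my own code, not part of this post or of darwinbuild) that automates the copy step above with the one check the raw cp commands lack: it backs up the system binary only if no .orig exists yet, so re-running the install after a second build does not overwrite the pristine Apple binary with your previous custom build. The Roots layout, project name and version are the ones from the post; the directory tree the demo creates is constructed in a temporary folder, so it runs anywhere.

```python
import glob
import os
import shutil
import tempfile

GDB_BINARY = "gdb-i386-apple-darwin"


def find_built_gdb(build_root, project="gdb", version="1822"):
    """Locate the freshly built gdb under Roots/gdb/gdb-1822.root*/usr/libexec/gdb.
    If several root directories exist (repeated builds), the last one sorted wins."""
    pattern = os.path.join(build_root, "Roots", project, f"{project}-{version}.root*",
                           "usr", "libexec", "gdb", GDB_BINARY)
    matches = sorted(glob.glob(pattern))
    if not matches:
        raise FileNotFoundError(f"no built {GDB_BINARY} matching {pattern}")
    return matches[-1]


def install_gdb(built, libexec_dir):
    """Copy the built binary over the system one, keeping a one-time .orig backup.
    An existing .orig is never overwritten, so the backup always stays the Apple binary."""
    target = os.path.join(libexec_dir, GDB_BINARY)
    backup = target + ".orig"
    if os.path.exists(target) and not os.path.exists(backup):
        shutil.copy2(target, backup)  # copy2 keeps mode bits and timestamps
    shutil.copy2(built, target)
    return {"target": target, "backup": backup if os.path.exists(backup) else None}


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def _read(path):
    with open(path, "rb") as fh:
        return fh.read().decode("ascii")


def demo_in_tempdir():
    """Constructed demo: a fake darwinbuild root and a fake /usr/libexec/gdb inside a
    temporary folder, then two installs in a row to show the backup is preserved."""
    with tempfile.TemporaryDirectory() as tmp:
        build_root = os.path.join(tmp, "Build12A269")
        root_gdb = os.path.join(build_root, "Roots", "gdb", "gdb-1822.root~1",
                                "usr", "libexec", "gdb")
        libexec = os.path.join(tmp, "usr", "libexec", "gdb")
        os.makedirs(root_gdb)
        os.makedirs(libexec)
        _write(os.path.join(libexec, GDB_BINARY), b"apple-gdb")        # stands in for Apple's binary
        _write(os.path.join(root_gdb, GDB_BINARY), b"custom-gdb-build-1")
        built = find_built_gdb(build_root)
        first = install_gdb(built, libexec)
        _write(built, b"custom-gdb-build-2")                            # pretend we rebuilt gdb
        second = install_gdb(built, libexec)
        return {
            "backup_after_first": _read(first["backup"]),
            "installed_after_second": _read(second["target"]),
            "backup_after_second": _read(second["backup"]),
        }


if __name__ == "__main__":
    print(demo_in_tempdir())
```

On a real box you would call find_built_gdb on /Volumes/Builds/Build12A269 and install_gdb with /usr/libexec/gdb as root; the code-signing step that follows is still done by hand as described below.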

The last step is to codesign the binary. This is because the taskgated default configuration has changed and it is no longer sufficient to have the binary setgid to the procmod group. It must have entitlements and be codesigned. The process is not just creating a self-signed certificate and signing the binary with it: there is an old bug since Snow Leopard that complicates it a little bit. Follow this guide from the LLDB code signing document. You can either code sign the binary you copied above to /usr/libexec/gdb or sign it in the Roots folder and copy the signed version.

Launch gdb and see if it works. It should ask you for your password the first time (after each reboot). If everything is ok you should be able to attach to or run the target process.

Now you can enjoy your next afternoon in case you want/have to compile gdb. You might also want to download and install gdbinit to improve gdb’s output and available commands.

fG!
