One of the changes introduced by Mountain Lion was the removal of the old procmod convention for applications that want to access the task port of a process (aka for reversers, debuggers). Before this change, any binary that was procmod suid group set could access the task port of other processes (running as the same user). Taskgated configuration in Mountain Lion was changed and removed this possibility. Only signed binaries that contain an embedded Info. [Read More]
The "all" new Onyx The Black Cat!
Suffering from post-conference boredom I decided to redo Onyx The Black Cat kernel extension to kickstart again my brain and get back to serious work. There were also some people asking for an updated version so here it is! This reworked version uses kernel control interface to enable/disable its features. It is much better than sysctl used before. It is also compatible with Snow Leopard, Lion, and Mountain Lion, and, hopefully, it should run without any problems in future versions. [Read More]
NoSuchCon #1 debrief and slides
NoSuchCon is over and I am finally back home. It was a really great conference with great talks and a full room all the time (let me say I am very surprised about this). The only negative thing was the projection “wall” which was really bad and “killed” almost everyone’s slides. While I understand it is an historical building, that thing must be improved, either with a temporary solution or something else. [Read More]
Hydra, the sample util I am unable to describe!
Let me give you a small gift before moving my ass to Paris to attend and present at NoSuchCon. Hydra is sample code of a kernel extension that will intercept process creation, suspend, and communicate it to a userland daemon that will be in charge of patching the application. It uses the process hijacking technique I described at SyScan presentation. Instead of injecting a library it leaves the process in a suspended state and makes its PID available for the userland daemon. [Read More]
There is an error in my SyScan slides!
Today I discovered that my slides contain a (stupid) error! The story begins with Alex Ionescu telling me the symbols are still available in kernel memory in Mountain Lion. I quickly verified this by doing memory dumps and it was really true. Today I finally got some time to sort it out and verify where they were. To my great surprise I fucked up bigtime on my manual calculations and was dumping the wrong memory area (DUH! [Read More]
How to compile GDB in Mountain Lion (updated)
This is an up-to-date version of the old original post about recompiling GDB and other open source packages available at opensource.apple.com. I’m doing it mostly because code signing is now mandatory for GDB and there’s a stupid old bug that Apple still didn’t fixed since Snow Leopard. I forgot about it on my latest reinstall and lost an afternoon. This way you and me will not make the same mistake. [Read More]
OS.X/Boubou – Mach-O infector PoC source code
More than half a year as passed since HITCON’12 and as far as I know no one cared much about implementing some sort of detection/protection against this type of attack (correct me if I’m wrong). As explained in HITCON slides, this trick can be very useful to install backdoors and avoid the usual lame LaunchDaemons type of thing. I did some massive cleanup to the original PoC that I had glued for HITCON but it’s still a bit messy and definitely not “production” ready. [Read More]
Ice the Guardian v2, the OS X anti-lamware
Another day, another lame malware attacking and spying on OS X users, and still using the same old lame Daemons and Agents approach to gain persistence at victims machine. Hey, it works, so why change, right? Ice the Guardian v2 is a quick hack using TrustedBSD to monitor the system LaunchDaemons and LaunchAgents folders. There’s a lot of room for improvement so I’m waiting for your commits 😉. Apple has the technology in place so they could probably implement something like this default oin OS X. [Read More]
Otool-ng – a set of small patches to Apple’s otool
It’s the lazy post season so I present you otool-ng. It’s a fork of Apple’s otool with small modifications for things that I use often or dislike in current otool. The segment command LC_MAIN was introduced to replace LC_UNIXTHREAD and one information that is lost is the entrypoint address. While ASLR kind of makes it less useful, I still debug a lot of programs and do other stuff, where ASLR is disabled. [Read More]
Kextstat_ASLR util or how to start hiding your kernel rootkit in Mountain Lion
Welcome back! This is a small post about a quick util that I created yesterday’s night while working on a side project. Mountain Lion introduced kernel ASLR and the kextstat util output doesn’t support (yet?) this feature. The addresses are not the real ones and this is quite annoying (kgmacros from kernel debugging kit also seem to fail at this!). What this util does is to read the kernel extensions information via the /dev/kmem device (hence this util is probably not useful for a large audience) and display it like kextstat does with the correct address for each kext (just the most important information, the linked against info might be added in the future). [Read More]