Tools

This is a OS X port of kad’s checkidt utility featured at Phrack #59. It requires /dev/kmem to be active since task_for_pid on kernel task is prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very fail proof because it uses the opcode hex values. Disassembly is probably a better option. This is just a PoC written some time ago so there are some ugly things inside.
The concept to retrieve sysent is the following:

get idt -> get location of interrupt 0×80 -> get address of LO_UNIX_SCALL -> get address of unix_syscall -> get location of sysent

Some of the information that the original code retrieves in Linux is meaningless in OS X. Maybe one of these days I will do a major cleanup. If you do it first feel free to send it. The 64bits code state is unknown and untested – my machines do not run 64bits kernels :-/.

Enjoy,
fG!

checkidtv1.2.c.gz
SHA256(checkidtv1.2.c.gz)= fe663c83c81c0db11e661f3bf2596a323dcc1df342941067c804eda94a5086c3

A small update to gdbinit. Many thanks to snare and Plouj for their reports

Here is the changelog:

Version 7.4.3 (04/11/2011)
- Modified “hexdump” command to support a variable number of lines (optional parameter).
- Removed restrictions on type of addresses used in the “dd” command.
- Modified the assemble command to support 64bits – You will need to recompile nasm since the version shipped with OS X doesn’t supports 64bits (www.nasm.us).
Assumes that the new binary is installed at /usr/local/bin – modify the variable at the top if you need so.
It will assemble based on the target arch being debugged. If you want to use gdb for a quick asm just use the 32bits or 64bits commands to set your target.
- Added “asm” command – it’s a shortcut to the “assemble” command.
- Added configuration variable for colorized prompt. Plouj reported some issues with Ubuntu’s gdb 7.2 if prompt is colorized.

Enjoy!
fG!

gdbinit743.gz
SHA256(gdbinit743.gz)= 18931eac613917b4ef63be7708dfa052e7a0edb629c7d829705e231cf2154451

The latest version can always be found here.

This is a simple plugin to display mach-o headers inside IDA, something I miss from time to time. It was a good excuse to mess a little with IDA SDK.
It’s not quite what I had initially in mind but it does the job. I was thinking about something more sophisticated such as allow to display only the segment you wanted and so on. Now I am not sure if it’s worth the effort

Tested with IDA 6.x in OS X and Windows, 32 and 64 bits. Included are Makefile and XCode project for OS X, and Windows DevC++ projects for 32 and 64 bits.

Give a look to the README file for extra information. Too tired and too late to write a long post

Yeah, the code isn’t beautiful! Anyway I hope it’s useful for you.

Have fun,
fG!

MachOPlugin_v0.2.zip
SHA256(MachOPlugin_v0.2.zip)= aea01470a92a94a67ae29e6eba659b195829e599165265f8dd0fdc80333bc5a7

MachOPlugin_v0.3.zip
SHA256(MachOPlugin_v0.3.zip)= 73ea3471856027d7882b3b89986209f633bd19bc8b2159da7346a3e89c34fa4d

Also available at github.

Update:
v0.3 fixes some bugs/missing stuff and implements a workaround to IDA crashing.

IDA BUGS:
I seem to have found a few bugs in IDA QT GUI implementation.
The most annoying one is that the plugin will crash IDA if called more than once in the same session. What happens is that IDA happilly keeps opening new custom views even if there is code trying to prevent it.
The create_tform() function from the SDK should return a new handle if there is already a form with the same caption. Well this works with the old GUI but fails with the new one (QT). The same happens with find_tform. In this case, it never returns NULL if there’s no form (which is the expected behavior).
I implemented a small workaround, which is to add a number to the form caption. This way each call to the plugin will generate a new custom view and not crash IDA. Not pretty but the other workarounds I tried failed since I can’t find if form exists or not.

The other bugs are described in the README file. If you know a better workaround for this one please tell me

And here we are with a few spare minutes! My baby girl is a little cute devil who, like me, isn’t very found of sleeping all the time. She’s taking a lot of my attention so mom can rest. Well, it’s time well spent while I still have lots of it

Let’s get back to business… There was some fuss around with the latest version of the so called Flashback.C OS X Trojan. This version attempts to remove Apple’s XProtect out of its way. A big public thanks to those who sent me samples of this new version
This new “feature” gave me the idea to use TrustedBSD framework in our benefit. A module can be written to protect those (and other) files. We can do this system-wide instead of using the sandbox module. As I referred in the sandbox guide, Apple didn’t implemented all the available hooks and even if it did, it would be useless in this case – sandbox must be configured per process/application.

Ice, The Guardian is a PoC that implements a hook on open() (Ice was my fantastic and huge Doberman). If access to “com.apple.xprotectupdater.plist” is attempted by any process not named “XProtectUpdater”, then access is denied and an alert is issued about this.
The code is very simple and the level of protection isn’t high (spoof the process name for example?). I have some ideas to improve the level of protection and make it harder to bypass/spoof. Other syscalls also need to be hooked (unlink for example). Well, you can develop your own custom module and increase the protection level of your system.

I still have to measure the real performance impact of having such module. Some tests inside a Vmware instance with SpeedTools didn’t revealed a big penalty in disk access. Need to execute tests in my physical machine to have better results about this. Worst case scenario it should be on-par with anti-virus performance.

Feel free to send suggestions/improvements, bitching about my code, patches, or just hello

Enjoy,
fG!

icetheguardian_v0.1.zip
SHA256(icetheguardian_v0.1.zip)= 0a614d66e208e422a9e82f6228f56398bd1585495676f09c3485c24429ba33a7