SyScan13: Revisiting Mac OS X Rootkits presentation

SyScan 2013, 10th anniversary edition is over! It is a great conference and I hope it does not end here. I had lots of fun and met new interesting people. Thomas is an awesome host! It helps that I really like Singapore and Asia in general :-).

My presentation was about Mac OS X kernel rootkits, based on the article I submitted to Phrack. Because Phrack is late, I was trying to postpone public availability of my slides. I will also give the “same” presentation at NoSuchCon on the 17th May. The slides were made available at the SyScan site, so there is no point in holding out anymore. The version available here is the most recent one, with some additional changes I made before the presentation and some others after it, based on feedback, to clarify some points. Thanks to Igor from Hex-Rays, A. Ionescu, and Shane (my assigned drone controller).

The main goal is to show how easy it is to improve the quality of OS X rootkits, and that we need to invest time (& money) to research and develop detection and protection tools. Nemo also presented on DTrace rootkits at Infiltrate’13, and we (nemo, snare, and I) are starting to write a book about OS X rootkits. Hopefully this will bring some fresh blood to the OS X rootkit scene.

Phrack should be out one of these days – then you can enjoy the long article and sample rootkit source code!

Enjoy,
fG!

SyScan 13 Presentation

11 thoughts on “SyScan13: Revisiting Mac OS X Rootkits presentation”

  1. I thoroughly enjoyed the presentation, and I am wondering how you were able to come up with the zombie trick. Looking forward to the Phrack paper and code 🙂

  2. Hello, fG!
    I read your presentation and there were a couple of questions about the dtrace fbt provider. Could you explain how it works?

  3. I’m interested in the method: how does it determine which functions were called? You wrote that it places an illegal instruction 0xF0 at the beginning of mov rbp,rsp (necessarily in the mov rbp,rsp instruction? How does fbt look for it, and what happens if this instruction is not there?). And it generates an interrupt, which is processed by the fbt provider?

    1. The fbt module just patches all functions, or the functions you want to dtrace, with an illegal instruction.
      The trap handler catches that instruction and passes control to the dtrace layer, which, besides other things, displays results to the userland layer and continues function execution by emulating the patched instruction.
      The paper describes it in more detail. Since it’s not out yet, you can consult the DTrace design paper: Cantrill et al., Dynamic Instrumentation of Production Systems. It explains DTrace’s design and philosophy.
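As an added example (not code from the talk, the Phrack article, or Apple's DTrace), here is a small Python sketch of what the mechanism described above means for a defender: an integrity check that scans function prologues for the fbt patch, plus the register fixup a trap handler has to perform to resume the patched function. It assumes the x86_64 XNU prologue `push %rbp; mov %rsp,%rbp` and fbt's 0xF0 patch byte; the "kernel text" and symbol table are constructed for the demo.

```python
# Constructed demo of the fbt mechanism: fbt rewrites one byte of every
# instrumentable function prologue, the CPU faults on it, and the trap
# handler finishes what the patched instruction would have done. A defender
# can invert this and scan prologues for the patch.

# Canonical x86_64 prologue that fbt keys on (assumed, not from the page):
#   push %rbp        -> 55
#   mov  %rsp,%rbp   -> 48 89 e5
CLEAN_PROLOGUE = bytes.fromhex("554889e5")

# fbt overwrites the first byte of "mov %rsp,%rbp" with 0xF0, the LOCK
# prefix. LOCK is not allowed on mov, so executing it raises #UD: this is
# the "illegal instruction" the trap handler catches.
FBT_PATCHVAL = 0xF0
PATCHED_PROLOGUE = bytes([0x55, FBT_PATCHVAL, 0x89, 0xE5])


def classify_prologue(code: bytes) -> str:
    """Label the first four bytes of a function."""
    if code[:4] == CLEAN_PROLOGUE:
        return "clean"
    if code[:4] == PATCHED_PROLOGUE:
        return "fbt_patched"
    # Anything else: either the compiler emitted no frame-pointer prologue
    # (fbt skips such functions) or the bytes were changed some other way.
    return "other"


def scan_symbols(text: bytes, symbols: dict) -> dict:
    """Map each symbol (name -> offset into text) to its prologue state."""
    return {name: classify_prologue(text[off:off + 4]) for name, off in symbols.items()}


def emulate_fbt_trap(regs: dict) -> dict:
    """Resume after #UD: perform the skipped mov %rsp,%rbp and step rip
    over the 3-byte instruction, as the trap handler must do."""
    fixed = dict(regs)
    fixed["rbp"] = fixed["rsp"]
    fixed["rip"] += 3
    return fixed


# Constructed "kernel text": three tiny functions at known offsets.
TEXT = (
    bytes.fromhex("554889e5") + b"\xc3"    # open_fn: clean prologue
    + bytes.fromhex("55f089e5") + b"\xc3"  # read_fn: fbt patch in place
    + bytes.fromhex("4883ec08") + b"\xc3"  # leaf_fn: no frame-pointer setup
)
SYMBOLS = {"open_fn": 0, "read_fn": 5, "leaf_fn": 10}

if __name__ == "__main__":
    for name, state in scan_symbols(TEXT, SYMBOLS).items():
        print(f"{name:8s} {state}")
```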

  4. Hi fG!,

    I have been waiting for so long for the Phrack paper; is it still not out? It seems so, since I can’t find it. Would you mind sending me a copy of your article by e-mail? I would really enjoy and appreciate this, since it’s one of the most interesting ideas I have read about recently. I’m addicted to using diStorm to decompose what I need at runtime 🙂 but my DTrace knowledge needs some more investigation, and this is what I need your paper for.

    Many thanks in advance.

    1. Hello,

      Phrack is almost 1 year late, so I’m not even sure what the status on it is.
      Meanwhile we are working on the rootkits book which will have a lot more stuff (nemo is writing a big chapter just for DTrace related stuff!).

      Best,
      fG!

  5. Since the Phrack paper will never come out (this is what I think now), I’m directly asking if you would release the sample code of the article here, alongside your article. I would really appreciate it, and hopefully the book will be released in the near future 😀

    1. Well, there is good news and Phrack is indeed coming out soon (this time for good!).
      It contains the first version of the sample rootkit.
      I have a newer and much improved version that will be released with the book.

  6. This is great news! Can’t wait to hold a copy of your book in my hands and read it!! Any information, a vague guess maybe, on a release date? And Phrack is indeed coming out, hmm, I will believe it when it really is out 😉
