Today I discovered that my slides contain a (stupid) error!
The story begins with Alex Ionescu telling me the symbols are still available in kernel memory in Mountain Lion. I quickly verified this by doing memory dumps and it was really true. Today I finally got some time to sort it out and verify where they were. To my great surprise I fucked up bigtime on my manual calculations and was dumping the wrong memory area (DUH!). I got even more annoyed when I verified that my sample source code has the right formulas! Unfortunately I deleted the computations file I had used for slides #9 and #10, which show memory dumps of the kernel symbol strings, so I could not replicate my original error. After a while I think I found some clues why I messed up…
Snare’s original post about solving kernel symbols uses the following formula: $string_table=$linkedit_address + ($symtab->stroff – $symtab->symoff). This works in Lion because the symbols offset starts at the beginning of __LINKEDIT. This changed in Mountain Lion so that formula is not true. Rubilyn uses the same formula. One assumption that propagated into my computations and led to this mistake. Ah, assumptions, they are so dangerous :-). I should know better because those slides were created a while after the sample rootkit code. More duh!
The correct formula where symbol strings are located is __LINKEDIT address + Kernel ASLR + (LC_SYMTAB->stroffset – __LINKEDIT->fileoffset). These are the values from the kernel image at disk, except for kernel aslr slide.
What is the real impact of this mistake? Kernel symbols can be solved from a kernel extensions in Lion and Mountain Lion without using the disk image, but keep in mind that __LINKEDIT is marked as pageable. It still holds true that it is not possible for Snow Leopard and below. The number of Snow Leopard installations is still reasonable so the solution I presented is not totally useless (besides, it can be used for other fun stuff ;-)).
Oh well, failure is part of life and the design of our brains is not perfect. You can study and read tons of books about our design flaws and still fall “victim” at unexpected times. One good reason why I love the Human brain :-).