The “all” new Onyx The Black Cat!

Suffering from post-conference boredom I decided to redo Onyx The Black Cat kernel extension to kickstart again my brain and get back to serious work. There were also some people asking for an updated version so here it is!

This reworked version uses kernel control interface to enable/disable its features. It is much better than sysctl used before. It is also compatible with Snow Leopard, Lion, and Mountain Lion, and, hopefully, it should run without any problems in future versions. It uses the disassembler to locate the locations that need to be patched. That part of the code is not pretty but it works :-). The symbols are read from the /mach_kernel at disk to maintain compatibility with Snow Leopard and below.

It contains measures to bypass the PT_DENY_ATTACH, sysctl, and kauth anti-debug tricks. Also contains an option to reenable the possiblity of task_for_pid() the kernel task (useful for testing stuff and maybe forensics), and another to patch the CPU resume flag. For some (weird?) reason Apple clears up the resume flag from EFLAGS (if I am not mistaken, similar situation happens with Windows 98), making it impossible to use that single step feature when building your custom debuggers (very useful for quick single-stepping hacks).

Tested with Snow Leopard 10.6.8 (32/64 bits), Lion 10.7.5 (64 bits), and Mountain Lion 10.8.3 (64 bits).

Code is available at github.


5 thoughts on “The “all” new Onyx The Black Cat!

  1. It compiled and kextload w/o any problem.

    But when I tried to use the control tool, I got this error:

    [ERROR] ioctl CTLIOCGINFO failed!

    Haven’t looked into the code yet, but hopefully it’s just me.

Leave a Reply

Your email address will not be published. Required fields are marked *