Revisiting Mac OS X Kernel Rootkits Phrack article is finally out!

Enjoy it at Phrack!
It’s finally out. It feels a bit old, and it is indeed a bit old, but it is still a good paper (or at least I tried to make it that way). The supplied code is for an older version of that rootkit. For example, it still depends on importing task, proc and other private kernel structures. The updated version resolves all the required offsets itself, so it easily supports both new and old OS X versions. It will come out together with the book, along with other features that were added and new ones I am poking around with.

The book? Life has been chaotic, and it doesn’t help that my brain is like electricity, always attracted by the path of least resistance and by new things. I got new motivation and hopefully a team soon enough, so I can dedicate myself to writing it.
I can tell you that nemo wrote a treatise on DTrace ;-). A bit more patience on this, I think it will be worth the wait.

Meanwhile, enjoy that long article, hopefully it is interesting enough :-).

Have fun,

4 thoughts on “Revisiting Mac OS X Kernel Rootkits Phrack article is finally out!”

1. I did enjoy it as expected. But best of all, I did learn something from it. I was especially interested in the zombies part since I saw your slides. You achieved it far more easily than I thought, by use of a static symbol list, which is way too easy. I think too complicated most times.

    1. Don’t worry, I suffer from the same complication problem 😉
       The zombies thing is surprisingly “very” easy to implement with the disassembler assistance.
       I like a lot that trick and its implementation. There’s probably easier ways to do some of that stuff.
       Homework for the reader ahahahah
