NoSuchCon #1 debrief and slides

NoSuchCon is over and I am finally back home. It was a really great conference with great talks and a full room all the time (let me say I am very surprised about this). The only negative thing was the projection “wall”, which was really bad and “killed” almost everyone’s slides. While I understand it is a historic building, that thing must be improved, either with a temporary solution or something else....

May 21, 2013 · 2 min · 324 words

Hydra, the sample util I am unable to describe!

Let me give you a small gift before moving my ass to Paris to attend and present at NoSuchCon. Hydra is sample code for a kernel extension that intercepts process creation, suspends the new process, and communicates it to a userland daemon that is in charge of patching the application. It uses the process hijacking technique I described in my SyScan presentation. Instead of injecting a library, it leaves the process in a suspended state and makes its PID available to the userland daemon....

May 13, 2013 · 2 min · 261 words

There is an error in my SyScan slides!

Today I discovered that my slides contain a (stupid) error! The story begins with Alex Ionescu telling me the symbols are still available in kernel memory in Mountain Lion. I quickly verified this by doing memory dumps, and it was really true. Today I finally got some time to sort it out and verify where they were. To my great surprise, I fucked up big time on my manual calculations and was dumping the wrong memory area (DUH!...

May 8, 2013 · 2 min · 377 words

How to compile GDB in Mountain Lion (updated)

This is an up-to-date version of the old original post about recompiling GDB and other open source packages available at opensource.apple.com. I’m doing it mostly because code signing is now mandatory for GDB and there’s a stupid old bug that Apple still hasn’t fixed since Snow Leopard. I forgot about it on my latest reinstall and lost an afternoon. This way you and I will not make the same mistake....

March 20, 2013 · 3 min · 625 words

OS.X/Boubou – Mach-O infector PoC source code

More than half a year has passed since HITCON'12 and, as far as I know, no one cared much about implementing some sort of detection/protection against this type of attack (correct me if I’m wrong). As explained in the HITCON slides, this trick can be very useful to install backdoors and avoid the usual lame LaunchDaemons type of thing. I did some massive cleanup to the original PoC that I had glued together for HITCON, but it’s still a bit messy and definitely not “production” ready....

March 5, 2013 · 2 min · 236 words