Category Archives: Papers

BSides Lisbon and SECUINSIDE 2015 presentations

I guess my goal for the remaining 2015 of not doing any presentations will not happen.
Two weeks ago I presented at BSides Lisbon 2015 and last week at SECUINSIDE 2015.

I’m very happy to see BSides Lisbon returning after the first edition in 2013. Congrats to Bruno, Tiago, and the rest of the team for making it happen. It’s still a small conference but I’m glad they are making it happen, and I will always do my best to help the Portuguese scene going forward. Everything went pretty well and met some new cool guys. I hope the conference returns in 2016 and keeps growing. Maybe someday it can mutate into something independent of BSides and on its own. Portugal is a great country for conferences, I’m just not the right person to start one, but I’ll definitely help my best anyone who wants to give it a shot.
The presentation is the same as CodeBlue and SyScan since the CFP happened a few months ago. Nothing new in the slides, a fix here and there.

The next was SECUINSIDE in Seoul. This is a very special conference to me because it was the first ever conference I presented at, back in 2012. I never had any plans to ever present at security conferences. I liked my low profile and this blog was good enough to spread the knowledge I wanted to. But I try to be flexible and always open to new adventures, so at the time I accepted HiTCON invitation (they were the first ones) and then SECUINSIDE’s invitation. SECUINSIDE was happening first so at the time I created a different presentation. It was a crazy trip because I did a Porto – Seoul roundtrip, and four days later I went to Taiwan. That was some crazy jetlag!
So this year I went back to SECUINSIDE. Thanks to beist, Ryan, trimo, and everyone else for the great time in Seoul.
The presentation is a new one, made in just a week. It’s essentially an introduction to EFI reverse engineering and hunting for EFI rootkits.

I received yesterday the good news that I was accepted to do the same presentation at 44Con. This is great and I will have enough time to improve the slides. Probably add some new content and tools, since there is good stuff expected out of Thunderstrike 2 presentation.

And here they are:

BSides Lisbon 2015 – BadXNU, A rotten apple!

SECUINSIDE 2015 – Is there an EFI monster inside your apple?

As usual, enjoy and have fun.

Revisiting Mac OS X Kernel Rootkits Phrack article is finally out!

Enjoy it at Phrack!
It’s finally out. It feels a bit old and it is indeed a bit old but still a good paper (or at least I tried to make it that way). The supplied code is for an older version of that rootkit. For example it still has dependencies on importing task, proc and other kernel private structures. The updated version solves all required offsets so it supports easily new and old OS X versions. It will come out with the book together with other features that were added, and new ones I am poking around.

The book? Life has been chaotic, doesn’t help my brain is like electricity, always attraced by the least resistance path and by new things. I got new motivation and hopefully a team soon enough so I can dedicate myself to write it.
I can tell you that nemo wrote a treaty on DTrace ;-). A bit more patience on this, I think it will be worth the wait.

Meanwhile, enjoy that long article, hopefully it is interesting enough :-).

Have fun,

SyScan360 Beijing slides

Eight days and 10 flights later I am back from SyScan360 in Beijing. It was my first visit to China and I had lots of fun observing many things that I only “knew” from reading. The scale and dimension of everything in Beijing is quite a surprise. No wonder why every Western company wants to be there. We had great food and an awesome visit to the Great Wall. A big thank you to the guys and girls from the organization for all their hard work and dedication.

The conference was very cool, even if it was full of “security guards” and metal detectors at entry (!?!?!?!). Stefan’s presentation was pretty epic (as usual) and I particurarly liked Jonathan’s presentation (maybe because he attacked some assumptions in the malware industry). As usual there was almost no exchange of ideas between the atendees and speakers. This is something that really bothers me in conferences. It seems like a lost opportunity for both sides to learn new things. Don’t be shy people, speakers are like you with the extra work of having to speak in public ;-).

My slides are available here. They contain a quick review of previous presentations made this year, and some new stuff attacking Volatility and signed kernel extensions to be introduced in Mavericks. Once again, simple stuff that is effective and easy to implement. What else do we need?


HiTCON 2013 slides

Taipei is definitely one of my favourite cities in the world!
I love its “infinite” amount of small shops, in particular at night when lights are on. Streets look so beautiful and busy. Everyone is very friendly and respectful, and most important, I feel very safe. And the food is awesome (thank you Thomas!). I really love it! If you like Asia, Taiwan is a must visit.
The only problem is language – English is not widely spoken. It seems I will need to join my daughther when she starts learning Mandarin :-).

My presentation didn’t went very well because I suffered from a terrible jetlag attack the night before. Slept one hour and couldn’t remember all the slides. Didn’t help using a PDF – no next slide info! You learn with your own mistakes :-). And as usual I exceeded my time slot. I talk too much!

The slides are slightly changed from previous presentations, fixing/reordering some things and minor additions (small details related to OS X Mavericks).

Thank you to everyone at HiTCON for their great work.


HiTCON 2013 Presentation

OS X Malware at Confraria de Segurança da Informação presentation slides

I did yesterday a presentation about OS X Malware at Confraria SI in Lisbon, a monthly meeting between IT sec professionals and enthusiasts.

The presentation was an update to the HiTCON version, removing some things about old malware and Flashback tricks, adding Crisis slides and small fixes to stuff here and there.

Enjoy it 🙂


Confraria 2012 Presentation.pdf


HITCON 2012 Review and slides

After more than 30h inside planes and airports, I’m finally back home! Asia 2012 tour is over 🙂

HITCON was really great and well organized. It was bigger than I expected, with lots of curious and cool people. Went in the mood and took many pictures with everyone – there goes my anonymity!

My speaking slot was after lunch, which is a tough one. I could only spot half a dozen sleeping so I might have done a good job. Presentation could have been better but I had no time to practice it – sorry :-(.

Taipei is a nice city and I enjoyed trying all kinds of food and travelling around (I especially loved the Shilin Night Market!).

Had great discussions with Andrey from Elcomsoft, Ryan from Microsoft, Fyodor, William from Nexusguard, Brad and his brother from Verisign and so many others. I wasn’t a great fan of conferences but they are really a good place to meet new people and have interesting discussions (no ego trips, no rockstars).

I definitely recommend HITCON and I hope my contribution helped it to get even better and keep growing. Their hard work deserves it. Thank you to everyone that made the conference possible.

As most probably know now, my presentation was about Mac OS malware, introducing a new PoC infector using an easy to implement code injection technique. I’m still not sure if I will release the code for the infector and library. What I’m releasing is the code for the utility I used to calculate the available free space for potential code injection. It’s available at Github here. I named it calcspace.

The presentation slides are available here.

Btw, you should definitely do a chown -R root:root /Applications, especially if you have any helper binaries installed with your normal user permissions. That 1/2 dayz is really stupid and must be fixed 🙂

Have fun,