About the processor_set_tasks() access to kernel memory vulnerability

At BlackHat Asia 2014, Ming-chieh Pan and Sung-ting Tsai presented on Mac OS X Rootkits (paper and slides). They describe some very cool techniques to access kernel memory in ways other than the usual ones. The slides and paper aren’t very descriptive about all the techniques, so this weekend I decided to give it a try and replicate the described vulnerability to access kernel memory. Access to the kernel task (process 0) was possible before Leopard (or was it fixed in Snow Leopard?...

May 5, 2014 · 4 min · 762 words · fG!

Revisiting Mac OS X Kernel Rootkits Phrack article is finally out!

Enjoy it at Phrack. It’s finally out. It feels a bit old and it is indeed a bit old, but still a good paper (or at least I tried to make it that way). The supplied code is for an older version of that rootkit. For example, it still has dependencies on importing task, proc and other kernel private structures. The updated version resolves all required offsets, so it easily supports both new and old OS X versions....

April 18, 2014 · 1 min · 178 words · fG!

Rex vs The Romans – Anti Hacking Team Kernel Extension

After surviving the five shots at SyScan’s WhiskeyCon I am finally back home and you get a chance to see the slides and code for the TrustedBSD module I presented there. The goal of REX vs The Romans is to work as a detection and prevention tool for Hacking Team’s OS X malware. The TrustedBSD hook makes it possible to detect whether the system is already infected, and the Kauth listener warns about any future infection....

April 8, 2014 · 2 min · 324 words · fG!

Teaching Rex another TrustedBSD trick to hide from Volatility

Rex the Wonder Dog (here and here) is a proof of concept that uses the TrustedBSD framework to install kernel-level backdoors. Volatility is able to detect these malicious modules with a plugin created by Andrew Case. The plugin works by looking up the TrustedBSD structures and dumping information about the loaded modules. At SyScan360 I presented a “new” trick to bypass this plugin by creating a shadow structure and leaving the legit one untouched....

March 18, 2014 · 9 min · 1794 words · fG!

Don’t die GDB, we love you: kgmacros ported to Mavericks.

Our lovely GDB has been declared dead with the Xcode 5 release. The new king in town is LLDB, and that also applies to kernel debugging. Change is good, even if we humans don’t like it, but… there’s still no gdbinit for LLDB and I just love it. Even more important (for kernel debugging), LLDB still has no support (afaik) for the VMware GDB stub. This means it’s not possible to do kernel debugging in Mavericks VMs other than with KDP....

February 21, 2014 · 2 min · 268 words · fG!