Posts

Hydra, the sample util I am unable to describe!

Let me give you a small gift before moving my ass to Paris to attend and present at NoSuchCon. Hydra is sample code of a kernel extension that will intercept process creation, suspend, and communicate it to a userland daemon that will be in charge of patching the application. It uses the process hijacking technique I described at SyScan presentation. Instead of injecting a library it leaves the process in a suspended state and makes its PID available for the userland daemon....

May 13, 2013 · 2 min · 261 words · fG!

There is an error in my SyScan slides!

Today I discovered that my slides contain a (stupid) error! The story begins with Alex Ionescu telling me the symbols are still available in kernel memory in Mountain Lion. I quickly verified this by doing memory dumps and it was really true. Today I finally got some time to sort it out and verify where they were. To my great surprise I fucked up bigtime on my manual calculations and was dumping the wrong memory area (DUH!...

May 8, 2013 · 2 min · 377 words · fG!

SyScan13: Revisiting Mac OS X Rootkits presentation

SyScan 2013, 10th anniversary edition is over! It is a great conference and I hope it does not end here. I had lots of fun and met new interesting people. Thomas is an awesome host! It helps that I really like Singapore and Asia in general. My presentation was about Mac OS X kernel rootkits based on the article I submitted to Phrack. Because Phrack is late, I was trying to postpone public availability of my slides....

May 7, 2013 · 2 min · 244 words · fG!

How to compile GDB in Mountain Lion (updated)

This is an up-to-date version of the old original post about recompiling GDB and other open source packages available at opensource.apple.com. I’m doing it mostly because code signing is now mandatory for GDB and there’s a stupid old bug that Apple still didn’t fixed since Snow Leopard. I forgot about it on my latest reinstall and lost an afternoon. This way you and me will not make the same mistake....

March 20, 2013 · 3 min · 625 words · fG!

OS.X/Boubou – Mach-O infector PoC source code

More than half a year as passed since HITCON'12 and as far as I know no one cared much about implementing some sort of detection/protection against this type of attack (correct me if I’m wrong). As explained in HITCON slides, this trick can be very useful to install backdoors and avoid the usual lame LaunchDaemons type of thing. I did some massive cleanup to the original PoC that I had glued for HITCON but it’s still a bit messy and definitely not “production” ready....

March 5, 2013 · 2 min · 236 words · fG!