This a short post to talk about my mac_threads plugin. The plugin can be used to analyze process/task threads in an OS X system. The information provided by the plugin includes each thread’s registers, argument (exec string), stack information, start address, user id, debugging information, priority, and more. Threads can be viewed filtered by process id or can display threads for all processes.
Saturday, November 15, 2014
In this blog post the call reference to the function _vnode_pagein in the function _ps_read_file will be modified to show a call reference modification and and a Volatility Framework plugin to detect this type of hooking will be presented.
In this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.
Thursday, October 31, 2013
Update: The Volatility Team has included my code changes so just grab the latest code to work on a Mavericks or 10.8.5 sample. You will still need the profiles below.
Until Volatility officially supports OS X Mavericks and Mountain Lion 10.8.5, here are the steps to get it going:
- Check out the latest Volatility code from the repository (v2.3):
- Download the following files and place them in their respective folders:
- And you should be done! It looks like only the check_trap_table plugin has issues, but that should be taken care of soon. Have fun!
svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
Saturday, July 27, 2013
Continuing on the hooking all stuff OS X theme, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found in github. The hooking techniques that I'll use are modifying the IDT entry to point to a shellcode instead of its handler, and modifying the handler itself by inlining it.
Saturday, July 13, 2013
In my previous post I discussed how to mess with the OS X syscall table through direct syscall table modification, syscall function inlining, and patching the syscall handler. As I promised, I'll be providing a plugin to find the mess! The code for the check_hooks plugin can be found at github and it incorporates existing detections for the sake of completeness. So let's go through the scenarios discussed earlier.