Thursday, October 31, 2013

How to get Volatility working with OS X Mavericks?

Update: The Volatility Team has included my code changes so just grab the latest code to work on a Mavericks or 10.8.5 sample. You will still need the profiles below.

Until Volatility officially supports OS X Mavericks and Mountain Lion 10.8.5, here are the steps to get it going:

  1. Check out the latest Volatility code from the repository (v2.3):
     svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
  2. Download the following files and place them in their respective folders:
     Mavericks_10.9_AMD.zip -> volatility-read-only/volatility/plugins/overlays/mac/Mavericks_10.9_AMD.zip
     MountainLion_10.8.5_AMD.zip -> volatility-read-only/volatility/plugins/overlays/mac/MountainLion_10.8.5_AMD.zip
     common.py -> volatility-read-only/volatility/plugins/mac/common.py
     lsof.py -> volatility-read-only/volatility/plugins/mac/lsof.py
     netstat.py -> volatility-read-only/volatility/plugins/mac/netstat.py
  3. And you should be done! It looks like only the check_trap_table plugin has issues, but that should be taken care of soon. Have fun!
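Placing five files by hand into a checkout is easy to get slightly wrong (a zip in the wrong overlay folder, a plugin left empty by a failed download), so here is an added helper script for the steps above. It is not part of the original post or of the Volatility project; it assumes the five files have already been downloaded into one local directory (SRC_DIR) and that the svn checkout lives at VOL_ROOT (for example ./volatility-read-only). The destination paths are exactly those listed in the post.

```shell
#!/bin/sh
# Added example (not the post's own code): install the downloaded Mac
# profiles and plugins into a Volatility checkout and verify the layout.
# Assumptions: SRC_DIR holds the five downloads; VOL_ROOT is the checkout.

# "download name:destination relative to the checkout root", one per line.
MAC_OVERLAY_FILES="
Mavericks_10.9_AMD.zip:volatility/plugins/overlays/mac/Mavericks_10.9_AMD.zip
MountainLion_10.8.5_AMD.zip:volatility/plugins/overlays/mac/MountainLion_10.8.5_AMD.zip
common.py:volatility/plugins/mac/common.py
lsof.py:volatility/plugins/mac/lsof.py
netstat.py:volatility/plugins/mac/netstat.py
"

# install_mac_overlays SRC_DIR VOL_ROOT
# Copies each file from SRC_DIR to its place under VOL_ROOT, creating the
# target directories as needed. Fails (non-zero) if a download is missing,
# so a half-finished download does not silently leave a plugin out.
install_mac_overlays() {
    src="$1"; root="$2"
    for entry in $MAC_OVERLAY_FILES; do
        name="${entry%%:*}"
        dest="$root/${entry#*:}"
        if [ ! -f "$src/$name" ]; then
            echo "missing download: $src/$name" >&2
            return 1
        fi
        mkdir -p "$(dirname "$dest")" || return 1
        cp "$src/$name" "$dest" || return 1
    done
    return 0
}

# check_mac_overlays VOL_ROOT
# Verifies that every expected file is present and non-empty under the
# checkout. Returns the number of missing files (0 means the tree is ready).
check_mac_overlays() {
    root="$1"; missing=0
    for entry in $MAC_OVERLAY_FILES; do
        dest="$root/${entry#*:}"
        if [ ! -s "$dest" ]; then
            echo "not installed: $dest" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage (after the svn checkout in step 1):
#   install_mac_overlays ./downloads ./volatility-read-only && \
#   check_mac_overlays ./volatility-read-only
```

Run check_mac_overlays on its own against an existing checkout to confirm the profiles and plugins are in place before pointing Volatility at a Mavericks or 10.8.5 memory sample.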

Saturday, July 27, 2013

Hooking IDT in OS X and Detection

Summary

Continuing the theme of hooking everything in OS X, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found on GitHub. The hooking techniques I'll use are modifying an IDT entry to point to shellcode instead of its handler, and modifying the handler itself by inlining it.

Saturday, July 13, 2013

Back to Defense: Finding Hooks in OS X with Volatility

Summary

In my previous post I discussed how to mess with the OS X syscall table through direct syscall table modification, syscall function inlining, and patching the syscall handler. As I promised, I'll be providing a plugin to find the mess! The code for the check_hooks plugin can be found on GitHub, and it incorporates existing detections for the sake of completeness. So let's go through the scenarios discussed earlier.

Tuesday, July 2, 2013

Offensive Volatility: Messing with the OS X Syscall Table

Summary

After taking a brief detour into reviewing Java source code I'm back to OS X and Volatility. In this post I'll be using the Volatility Framework to alter the OS X syscall table from an offensive perspective rather than using it for detection. To accomplish this, I'll be mimicking techniques used by malware, such as direct syscall table modification, syscall function inlining, patching the syscall handler, and hiding the payload in a binary's segment.

Wednesday, June 26, 2013

Automated Secure Code Review Anyone?

Summary

Imagine you are given the source code for a Java web application of about a million lines and are asked to review the code for any vulnerabilities and report back in a week. This can turn into an interesting exercise if you are a team of one. What are your options: crowdsource, ask for mercy, do your best? Thankfully there are other options, such as automated code review software. In this post I'll talk about Checkmarx's cloud-based solution for security code analysis and use OWASP's WebGoat (v5.4) project to see how it measures up.

Monday, May 13, 2013

check_dtrace - A Volatility Plugin Arises

Summary

After reading through fG!'s presentation on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).

Tuesday, April 23, 2013

Hunting D-Trace Rootkits with The Volatility Framework

Summary

I recently attended InfiltrateCon 2013 and got to see the latest and greatest offensive security issues. There was a presentation by Nemo titled 'Destructive D-Trace - With Great Power Comes Great Responsibility' that caught my attention. In his talk Nemo showed examples of how to use D-Trace on OS X to hide an attacker's presence and claimed that forensic techniques would have a hard time detecting these. That claim made me think about the Volatility Framework's recently added support for Mac OS X memory analysis and its capability to detect the presence of D-Trace cloaking.