Thursday, October 31, 2013

How to get Volatility working with OS X Mavericks?

Update: The Volatility Team has included my code changes so just grab the latest code to work on a Mavericks or 10.8.5 sample. You will still need the profiles below.

Until Volatility officially supports OS X Mavericks and Mountain Lion 10.8.5, here are the steps to get it going:

  1. Check out the latest Volatility code from the repository (v2.3):
     svn checkout volatility-read-only
  2. Download the following files and place them in their respective folders:
     Mavericks_10.9_AMD.zip -> volatility-read-only/volatility/plugins/overlays/mac/
  3. And you should be done! It looks like only the check_trap_table plugin has issues, but that should be taken care of soon. Have fun!

Saturday, July 27, 2013

Hooking IDT in OS X and Detection


Continuing on the "hooking all the things in OS X" theme, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found on GitHub. The hooking techniques I'll cover are modifying an IDT entry to point to shellcode instead of its original handler, and modifying the handler itself by inlining it.

Saturday, July 13, 2013

Back to Defense: Finding Hooks in OS X with Volatility


In my previous post I discussed how to mess with the OS X syscall table through direct syscall table modification, syscall function inlining, and patching the syscall handler. As promised, I'll be providing a plugin to find the mess! The code for the check_hooks plugin can be found on GitHub, and it incorporates existing detections for the sake of completeness. So let's go through the scenarios discussed earlier.

Tuesday, July 2, 2013

Offensive Volatility: Messing with the OS X Syscall Table


After taking a brief detour into reviewing Java source code, I'm back to OS X and Volatility. In this post I'll be using the Volatility Framework to alter the OS X syscall table from an offensive perspective rather than using it for detection. To accomplish this, I'll be mimicking techniques used by malware, such as direct syscall table modification, syscall function inlining, patching the syscall handler, and hiding the payload in a binary's segment.

Wednesday, June 26, 2013

Automated Secure Code Review Anyone?


Imagine you are given the source code for a Java web application of about a million lines and are asked to review the code for vulnerabilities and report back in a week. This can turn into an interesting exercise if you are a team of one. What are your options: crowdsource, ask for mercy, do your best? Thankfully there are other options, such as automated code review software. In this post I'll talk about Checkmarx's cloud-based security code analysis solution and use OWASP's WebGoat (v5.4) project to see how it measures up.

Monday, May 13, 2013

check_dtrace - A Volatility Plugin Arises


After reading through fG!'s presentation on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).

Tuesday, April 23, 2013

Hunting D-Trace Rootkits with The Volatility Framework


I recently attended InfiltrateCon 2013 and got to see the latest and greatest offensive security issues. There was a presentation by Nemo titled 'Destructive D-Trace - With Great Power Comes Great Responsibility' that caught my attention. In his talk Nemo showed examples of how to use D-Trace on OS X to hide an attacker's presence and claimed that forensic techniques would have a hard time detecting these. That claim made me think about the Volatility Framework's latest support for Mac OS X memory analysis and its capability to detect the presence of D-Trace cloaking.

Friday, February 8, 2013

The Analysis of Process Token Privileges

My presentation at the 2012 Open Source Memory Forensics Workshop:


Reverse engineering Windows systems nowadays involves looking at static data, such as executables, symbols and PDBs, and/or dynamic data when debugging with a tool like WinDbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-Response to monitor changes taking place in a live system's RAM that appear as a result of manipulating the targeted structures' content. The technique is used in the discovery of process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.

The privileges plugin can be found in the latest version of the Volatility Framework.

Thursday, February 7, 2013

Sneaking into networks with the Demyo Power Strip


Let's see if this silicon blade is sharp enough to cut through the security cheese!

Some intros: The Demyo Power Strip (DPS) is a covert penetration testing device built by Demyo Sec. While not the first of its kind, it is a strong competitor to existing tools such as the Power Pwn and the PlugBot. The DPS gives you the ability to launch attacks over Ethernet, WiFi and Bluetooth.


  • Based on Raspberry Pi
  • CPU 700 MHz, boostable to 1 GHz, 512 MB RAM, 32 GB SD
  • Ethernet (10/100), WiFi b/g/n and Bluetooth connectivity
  • Runs Debian Linux
  • CLI (via SSH) and GUI (via VNC)
  • Physical dimensions 14″ x 2.25″ x 8.25″ or 35.56 cm x 5.72 cm x 20.96 cm
  • Actually functions as a real power strip