Saturday, November 15, 2014

Viewing Thread Information in Mac Memory

This a short post to talk about my mac_threads plugin. The plugin can be used to analyze process/task threads in an OS X system. The information provided by the plugin includes each thread’s registers, argument (exec string), stack information, start address, user id, debugging information, priority, and more. Threads can be viewed filtered by process id or can display threads for all processes.

Finding Call Reference Hooks in Mac Memory


In this blog post the call reference to the function _vnode_pagein in the function _ps_read_file will be modified to show a call reference modification and  and a Volatility Framework plugin to detect this type of hooking will be presented.

Tracing Bits of Coins in Mac Memory

Detecting Shadow TrustedBSD Policy Tables In Mac Memory

In this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.


Thursday, October 31, 2013

How to get Volatility working with OS X Mavericks?

Update: The Volatility Team has included my code changes so just grab the latest code to work on a Mavericks or 10.8.5 sample. You will still need the profiles below.

Until Volatility officially supports OS X Mavericks and Mountain Lion 10.8.5, here are the steps to get it going:

  1. Check out the latest Volatility code from the repository (v2.3):
  2. svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
  3. Download the following files and place them in their respective folders:
  4. Mavericks_10.9_AMD.zipvolatility-read-only/volatility/plugins/overlays/mac/Mavericks_10.9_AMD.zip
    MountainLion_10.8.5_AMD.zipvolatility-read-only/volatility/plugins/overlays/mac/MountainLion_10.8.5_AMD.zip
    common.pyvolatility-read-only/volatility/plugins/mac/common.py
    lsof.pyvolatility-read-only/volatility/plugins/mac/lsof.py
    netstat.pyvolatility-read-only/volatility/plugins/mac/netstat.py
  5. And you should be done! It looks like only the check_trap_table plugin has issues, but that should be taken care of soon. Have fun!

Saturday, July 27, 2013

Hooking IDT in OS X and Detection

Summary

Continuing on the hooking all stuff OS X theme, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found in github. The hooking techniques that I'll use are modifying the IDT entry to point to a shellcode instead of its handler, and modifying the handler itself by inlining it.

Saturday, July 13, 2013

Back to Defense: Finding Hooks in OS X with Volatility

Summary

In my previous post I discussed how to mess with the OS X syscall table through direct syscall table modification, syscall function inlining, and patching the syscall handler. As I promised, I'll be providing a plugin to find the mess! The code for the check_hooks plugin can be found at github and it incorporates existing detections for the sake of completeness. So let's go through the scenarios discussed earlier.