This a short post to talk about my mac_threads plugin. The plugin can be used to analyze process/task threads in an OS X system. The information provided by the plugin includes each thread’s registers, argument (exec string), stack information, start address, user id, debugging information, priority, and more. Threads can be viewed filtered by process id or can display threads for all processes.
Saturday, November 15, 2014
Finding Call Reference Hooks in Mac Memory
In this blog post the call reference to the function _vnode_pagein in the function _ps_read_file will be modified to show a call reference modification and and a Volatility Framework plugin to detect this type of hooking will be presented.
Detecting Shadow TrustedBSD Policy Tables In Mac Memory
In this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.
Subscribe to:
Posts (Atom)