Showing posts with label D-Trace. Show all posts
Showing posts with label D-Trace. Show all posts

Monday, May 13, 2013

check_dtrace - A Volatility Plugin Arises

Summary

After reading through fG!'s presentation on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).

Read more »
Posted by at No comments:
Labels: , , , , , , ,

Tuesday, April 23, 2013

Hunting D-Trace Rootkits with The Volatility Framework

Summary

I recently attended InfiltrateCon 2013 and got to see the latest and greatest offensive security issues. There was a presentation by Nemo titled 'Destructive D-Trace - With Great Power Comes Great Responsibility' that caught my attention. In his talk Nemo showed examples on how to use D-Trace on OS X to hide an attacker's presence and claimed that forensics techniques would have a hard time detecting these. That claim made me think about the Volatility Framework's latest support for Mac OS X memory analysis and its capability to detect the presence of D-Trace cloaking.

Read more »
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)