Showing posts with label Rootkits. Show all posts
Showing posts with label Rootkits. Show all posts

Saturday, November 15, 2014

Viewing Thread Information in Mac Memory

This a short post to talk about my mac_threads plugin. The plugin can be used to analyze process/task threads in an OS X system. The information provided by the plugin includes each thread’s registers, argument (exec string), stack information, start address, user id, debugging information, priority, and more. Threads can be viewed filtered by process id or can display threads for all processes.

Read more »
Posted by at No comments:
Labels: , , , , , , , , ,

Detecting Shadow TrustedBSD Policy Tables In Mac Memory

In this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.


Read more »
Posted by at No comments:
Labels: , , , , , , , , , ,

Saturday, July 27, 2013

Hooking IDT in OS X and Detection

Summary

Continuing on the hooking all stuff OS X theme, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found in github. The hooking techniques that I'll use are modifying the IDT entry to point to a shellcode instead of its handler, and modifying the handler itself by inlining it.

Read more »
Posted by at No comments:
Labels: , , , , , , , , ,

Monday, May 13, 2013

check_dtrace - A Volatility Plugin Arises

Summary

After reading through fG!'s presentation on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).

Read more »
Posted by at No comments:
Labels: , , , , , , ,

Tuesday, April 23, 2013

Hunting D-Trace Rootkits with The Volatility Framework

Summary

I recently attended InfiltrateCon 2013 and got to see the latest and greatest offensive security issues. There was a presentation by Nemo titled 'Destructive D-Trace - With Great Power Comes Great Responsibility' that caught my attention. In his talk Nemo showed examples on how to use D-Trace on OS X to hide an attacker's presence and claimed that forensics techniques would have a hard time detecting these. That claim made me think about the Volatility Framework's latest support for Mac OS X memory analysis and its capability to detect the presence of D-Trace cloaking.

Read more »
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)