In this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.
Showing posts with label malware. Show all posts
Showing posts with label malware. Show all posts
Saturday, November 15, 2014
Saturday, July 13, 2013
Back to Defense: Finding Hooks in OS X with Volatility
Summary
In my previous post I discussed how to mess with the OS X syscall table through direct syscall table modification, syscall function inlining, and patching the syscall handler. As I promised, I'll be providing a plugin to find the mess! The code for the check_hooks plugin can be found at github and it incorporates existing detections for the sake of completeness. So let's go through the scenarios discussed earlier.
Tuesday, July 2, 2013
Offensive Volatility: Messing with the OS X Syscall Table
Summary
After taking a brief detour into reviewing JAVA source code I'm back to OS X and Volatility. In this post I'll be using the Volatility Framework to alter the OS X syscall table from an offensive perspective rather than using it for detection. To accomplish this, I'll be mimicking techniques used by malware, such as direct syscall table modification, syscall function inlining, patching the syscall handler, and hiding the payload in a binary's segment.Monday, May 13, 2013
check_dtrace - A Volatility Plugin Arises
Summary
After reading through fG!'s presentation on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).Friday, February 8, 2013
The Analysis of Process Token Privileges
My presentation at the 2012 Open Source Memory Forensics Workshop:
Reverse engineering windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-response to monitor changes taking place on a live system’s RAM that appear as a result of manipulating the targeted structures’ content. The technique is used in the discovery of the process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.
The privileges plugin can be found in the latest version of the Volatility Framework.
Summary
Reverse engineering windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-response to monitor changes taking place on a live system’s RAM that appear as a result of manipulating the targeted structures’ content. The technique is used in the discovery of the process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.
The privileges plugin can be found in the latest version of the Volatility Framework.
Subscribe to:
Posts (Atom)