Viewing Thread Information in Mac Memory

This a short post to talk about my mac_threads plugin. The plugin can be used to analyze process/task threads in an OS X system. The information provided by the plugin includes each thread’s registers, argument (exec string), stack information, start address, user id, debugging information, priority, and more. Threads can be viewed filtered by process id or can display threads for all processes.

Finding Call Reference Hooks in Mac Memory

In this blog post the call reference to the function _vnode_pagein in the function _ps_read_file will be modified to show a call reference modification and  and a Volatility Framework plugin to detect this type of hooking will be presented.

Tracing Bits of Coins in Mac Memory

Detecting Shadow TrustedBSD Policy Tables In Mac Memory

In this blog post the reference of the _mac_policy_list in _mac_proc_check_get_task will be modified to reference the 'shadow' TrustedBSD policy table and a Volatility Framework plugin to detect this type of hooking will be presented.

Hooking IDT in OS X and Detection

Summary

Continuing on the hooking all stuff OS X theme, in this post I'll discuss hooking the Interrupt Descriptor Table (IDT) and detecting these hooks with my check_idt plugin, which can be found in github. The hooking techniques that I'll use are modifying the IDT entry to point to a shellcode instead of its handler, and modifying the handler itself by inlining it.

Offensive Volatility: Messing with the OS X Syscall Table

Summary

After taking a brief detour into reviewing JAVA source code I'm back to OS X and Volatility. In this post I'll be using the Volatility Framework to alter the OS X syscall table from an offensive perspective rather than using it for detection. To accomplish this, I'll be mimicking techniques used by malware, such as direct syscall table modification, syscall function inlining, patching the syscall handler, and hiding the payload in a binary's segment.