Taiwan
Nanika Pan
Trend Micro
Staff Research Engineer Core Tech Department
Speech
Black Hat USA 2011 / 2012; Syscan Singapore/Taipei/Hong Kong 08/10; Hacks in Taiwan Conference 05/06/07/09/10/12
Research
Vulnerability discovery and analysis; exploit techniques; malware detection; mobile security
Speech
Black Hat USA 2011 / 2012; Codegate 2012; Syscan 10 / 12; HITCon 08
Research
New security technology; malicious documents; malware auto-analyzing system (sandbox technologies); malware detection; system vulnerability and protection; mobile security
warm-up
plist file
/etc/rc.*, /etc/profile, /etc/bashrc, ~/.bashrc, ~/.profile, ~/.login, /etc/inetd.conf, /etc/xinetd.d/, /etc/crontab, /etc/mach_init_per_user.d/, /etc/mach_init.d
XPCServices
Login/logout hooks (http://blog.mktime.com/archive/365.html):
    sudo defaults write com.apple.loginwindow LoginHook /path/to/login.sh
    sudo defaults write com.apple.loginwindow LogoutHook /path/to/logout.sh
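An added example, not from the slides: a small Python auditor for the persistence points listed above. It parses a launchd job plist to report what starts automatically and from where, reads the LoginHook/LogoutHook keys that the two `defaults write` commands set in com.apple.loginwindow, and can walk the launchd directories of a live system. The two sample plists, the `com.example.updater` job and the trusted-path prefixes are constructed for the example.

```python
import os
import plistlib

# Constructed allowlist: paths a legitimate daemon is expected to run from.
# A real audit verifies code signatures instead of trusting a path prefix.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")

# Directories launchd reads job definitions from (system-wide and per-user).
LAUNCHD_DIRS = (
    "/System/Library/LaunchDaemons", "/System/Library/LaunchAgents",
    "/Library/LaunchDaemons", "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Constructed sample: a job that runs a dot-prefixed binary from /tmp at boot.
SAMPLE_LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.updater</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of com.apple.loginwindow.plist after the
# "defaults write ... LoginHook" command shown on the slide.
SAMPLE_LOGINWINDOW_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LoginHook</key><string>/path/to/login.sh</string>
</dict>
</plist>
"""


def audit_launchd_plist(data):
    """Summarise one launchd job and list the properties worth a second look."""
    job = plistlib.loads(data)
    program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    findings = []
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append("starts automatically (RunAtLoad/KeepAlive)")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append("program outside trusted prefixes: " + program)
    if program and os.path.basename(program).startswith("."):
        findings.append("hidden (dot-prefixed) executable name")
    return {"label": job.get("Label"), "program": program, "findings": findings}


def login_hooks(data):
    """Return the LoginHook/LogoutHook scripts configured in loginwindow's plist."""
    prefs = plistlib.loads(data)
    return {key: prefs[key] for key in ("LoginHook", "LogoutHook") if key in prefs}


def audit_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Walk the launchd directories on a live system; report every job with findings."""
    reports = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            with open(os.path.join(directory, name), "rb") as fh:
                try:
                    report = audit_launchd_plist(fh.read())
                except Exception as exc:  # malformed plist is itself worth reporting
                    report = {"label": name, "program": None,
                              "findings": ["unparseable: %s" % exc]}
            if report["findings"]:
                reports.append((directory, name, report))
    return reports


if __name__ == "__main__":
    print(audit_launchd_plist(SAMPLE_LAUNCHD_PLIST))
    print(login_hooks(SAMPLE_LOGINWINDOW_PLIST))
    for directory, name, report in audit_launchd_dirs():
        print(directory, name, report["findings"])
```

plistlib.loads accepts both XML and binary plists, so the same auditor works on the files launchd actually reads; the loginwindow file on a real system is found under /var/root/Library/Preferences or /private/var/root/Library/Preferences depending on the release, which is why the example takes the bytes rather than a fixed path.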
get root
sudo; AuthorizationExecuteWithPrivileges (http://www.michaelvobrien.com/blog/2009/07/authorizationexecutewithprivileges-asimple-example/)
Debug Argv
AuthorizationExecuteWithPrivileges
Mac file format
Lion vs Mountain Lion
usermode ASLR
DKOM and process hide
kernel ASLR
DKOM advanced
user rootkit: process hide, user mode hook
Anti-Dtrace
kernel rootkit: syscall hook, mach trap hook
macho
otool; MachOView (http://sourceforge.net/projects/machoview/)
Header
Entry Point
LINKEDIT
LC_DYLD_INFO
_la_symbol_ptr
ex: string table
ASLR
mach-o ASLR: MH_PIE flag (http://www.0xcafebabe.it/2011/10/15/onmacos-10-7-dyld-randomization/)
GDB attach
GDB open
NO ASLR http://reverse.put.as/2011/08/11/how-gdbdisables-aslr-in-mac-os-x-lion/
ASLR usermode
10.7.x X64 mode main thread stack leak
dyld image base
10.8.x random
osx10.7.x
Kernel ASLR
mach_kernel 10.7.x: no ASLR (file function addr = memory function addr)
mach_kernel 10.8.x: ASLR
DYLD_INSERT_LIBRARIES
dynamic inject
Interposing library (compiled as a dylib and loaded with DYLD_INSERT_LIBRARIES): it wraps fopen, logs the call, then forwards to the real fopen resolved with RTLD_NEXT.

    #include <stdio.h>
    #include <dlfcn.h>

    FILE *(*original_fopen)(const char *, const char *) = NULL;

    FILE *fopen(const char *filename, const char *mode)
    {
        /* resolve the next fopen in the lookup order (libSystem's) once */
        if (!original_fopen)
            original_fopen = dlsym(RTLD_NEXT, "fopen");
        printf("== fopen: {%s,%s} ==\n", filename, mode);
        FILE *f = original_fopen(filename, mode);
        return f;
    }

Target program: every fopen it makes goes through the wrapper above.

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char const *argv[])
    {
        char hello[] = "hello world";
        FILE *fp = fopen("hello.txt", "w");
        if (fp) {
            fwrite(hello, 1, strlen(hello), fp);
            fclose(fp);
        }
        return 0;
    }
http://tlrobinson.net/blog/category/gcc/
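An added example, not from the slides and not the code of otool or MachOView: a minimal Mach-O 64 parser that reads the header flags to report whether MH_PIE is set (the flag the ASLR section refers to), the LC_MAIN entry point, segment names and the dylibs the binary declares, then cross-checks the declared dylibs against the images seen in a running process to spot a library that arrived through DYLD_INSERT_LIBRARIES. The Mach-O blob, the loaded-image list and the environment are constructed sample data; the constants come from Apple's public mach-o/loader.h.

```python
import struct

# Constants from Apple's public <mach-o/loader.h>.
MH_MAGIC_64 = 0xFEEDFACF
MH_PIE = 0x200000           # image may be slid: dyld/kernel randomise its base
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0xC
LC_MAIN = 0x80000028        # LC_REQ_DYLD | 0x28; entry point as offset into __TEXT
HEADER_SIZE = 32            # sizeof(struct mach_header_64)


def parse_macho64(blob):
    """Walk the header and load commands of a little-endian 64-bit Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, flags, _rsvd = \
        struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    info = {"flags": flags, "pie": bool(flags & MH_PIE),
            "entryoff": None, "segments": [], "dylibs": []}
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT_64:                 # segname[16] follows cmd/cmdsize
            segname = struct.unpack_from("<16s", blob, off + 8)[0]
            info["segments"].append(segname.rstrip(b"\0").decode())
        elif cmd == LC_LOAD_DYLIB:               # lc_str offset, then timestamp/versions
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            raw = blob[off + name_off:off + cmdsize]
            info["dylibs"].append(raw.split(b"\0", 1)[0].decode())
        elif cmd == LC_MAIN:                     # uint64 entryoff, uint64 stacksize
            info["entryoff"] = struct.unpack_from("<Q", blob, off + 8)[0]
        off += cmdsize
    return info


def find_injected_images(declared_dylibs, loaded_images, environ):
    """Flag runtime images the binary never asked for.

    loaded_images and environ stand for what a monitor reads from the live
    process; here they are constructed.  For real binaries the declared set
    must first be closed over each dylib's own LC_LOAD_DYLIB entries, or
    transitive dependencies show up as false positives.
    """
    declared = set(declared_dylibs)
    inserted = [p for p in environ.get("DYLD_INSERT_LIBRARIES", "").split(":") if p]
    undeclared = [p for p in loaded_images if p not in declared]
    return {"dyld_insert": inserted, "undeclared": undeclared}


# ---- constructed sample image (parsable, not loadable) ---------------------

def _lc_segment64(name, vmaddr, vmsize):
    return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, name.ljust(16, b"\0"),
                       vmaddr, vmsize, 0, 0, 7, 5, 0, 0)


def _lc_load_dylib(path):
    name = path.encode() + b"\0"
    cmdsize = 24 + len(name)
    cmdsize += (-cmdsize) % 8                    # load commands are 8-byte aligned
    return (struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
            + name.ljust(cmdsize - 24, b"\0"))


def _lc_main(entryoff):
    return struct.pack("<2I2Q", LC_MAIN, 24, entryoff, 0)


def build_sample(pie=True):
    """x86_64 MH_EXECUTE header plus __TEXT, one LC_LOAD_DYLIB and LC_MAIN."""
    cmds = (_lc_segment64(b"__TEXT", 0x100000000, 0x1000)
            + _lc_load_dylib("/usr/lib/libSystem.B.dylib")
            + _lc_main(0xF70))
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(cmds),
                         MH_PIE if pie else 0, 0)
    return header + cmds


SAMPLE_ENV = {"DYLD_INSERT_LIBRARIES": "/tmp/interpose.dylib"}             # constructed
SAMPLE_LOADED = ["/usr/lib/libSystem.B.dylib", "/tmp/interpose.dylib"]    # constructed

if __name__ == "__main__":
    info = parse_macho64(build_sample())
    print("MH_PIE:", info["pie"], "entry:", hex(info["entryoff"]), "dylibs:", info["dylibs"])
    print(find_injected_images(info["dylibs"], SAMPLE_LOADED, SAMPLE_ENV))
```

Pointing `parse_macho64` at the bytes of a real binary (the thin slice of a fat file, since the parser does not handle FAT headers) gives the same answer as `otool -hv` for the MH_PIE flag, which is the quick way to tell whether dyld will slide an image on 10.7 and later.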
Dynamic inject
    mach_port_t remoteTask = 0;
    pid_t targetProcess;
    /* obtain the task port of the target process */
    task_for_pid(mach_task_self(), targetProcess, &remoteTask);

Mach VM and thread APIs used on the remote task (signatures from the public mach headers):

    kern_return_t vm_read(vm_map_t target_task, vm_address_t address, vm_size_t size,
                          vm_offset_t *data_out, mach_msg_type_number_t *data_count);
    kern_return_t vm_write(vm_map_t target_task, vm_address_t address,
                           vm_offset_t data, mach_msg_type_number_t data_count);
    kern_return_t thread_create_running(task_t parent_task, thread_state_flavor_t flavor,
                                        thread_state_t new_state,
                                        mach_msg_type_number_t new_stateCnt,
                                        thread_act_t *child_act);

http://cansecwest.com/csw09/csw09daizovi-miller.pdf
Why can vmmap <pid> use task_for_pid to attach to another task without root? Because the binary carries an Apple code signature.
syscall
_nsysent: 10.7.x no ASLR; 10.8.x _nsysent + offset 0x1c028
mach trap
_mach_trap_table: 10.7.x = 10.8.x (10.8 adds some new functions)
Dtrace
based on dtrace: execsnoop, iosnoop, opensnoop, rwsnoop
https://www.blackhat.com/presentations/bh-usa-08/Beauchamp_Weston/BH_US_08_BeauchampWeston_DTrace.pdf
Modify
change one byte of code:
    55        push rbp
    48 89 e5  mov rbp,rsp
becomes
    55        push rbp
    0f 89 e5  lock mov rbp,rsp
Handle Exception
    if (FBT_EXCEPTION_CODE == trapno && !IS_USER_TRAP(saved_state)) {
Process Hiding
rubilyn rootkit: http://www.nullsecurity.net/tools/backdoor/rubilyn-0.0.1.tar.gz
xnu/xnu-1456.1.26/bsd/sys/proc_internal.h
sysctl -w debug.truehide.pid=?
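An added example, not from the slides or from rubilyn: cross-view detection of a process hidden by unlinking its proc struct. One view enumerates pids the way ps does (walking the kernel's process list); the other asks the kernel about every pid individually with signal 0, which goes through the pid hash lookup instead. A pid the second view sees but the first does not is a candidate; two probe sweeps are intersected so processes that merely started or exited during collection are not reported. The three sample views and pid 4242 are constructed; the live functions run on any Unix.

```python
import os
import subprocess

# PID_MAX from bsd/sys/proc_internal.h is 99999 on macOS.
MAX_PID = 99999


def pid_known_to_kernel(pid):
    """Signal 0 delivers nothing but makes the kernel look the pid up."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:                 # exists, owned by someone else
        return True
    except ProcessLookupError:
        return False


def pids_by_probe(max_pid=MAX_PID):
    """Enumerate pids one lookup at a time (pid hash, not the process list)."""
    return [pid for pid in range(1, max_pid + 1) if pid_known_to_kernel(pid)]


def pids_from_ps():
    """Enumerate pids the way ps does: the kernel walks its process list."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def find_hidden_pids(list_view, probe_view_1, probe_view_2):
    """Pids present in both probe sweeps but absent from the list view.

    Requiring two sweeps drops pids that appeared or vanished while the
    views were being collected, which is the main false-positive source.
    """
    stable = set(probe_view_1) & set(probe_view_2)
    return sorted(stable - set(list_view))


# Constructed views: the list walk lost pid 4242 (unlinked from the process
# list) and 5000 existed only briefly between the two probe sweeps.
SAMPLE_PS_VIEW = [1, 50, 300, 671]
SAMPLE_PROBE_1 = [1, 50, 300, 671, 4242, 5000]
SAMPLE_PROBE_2 = [1, 50, 300, 671, 4242]

if __name__ == "__main__":
    print("constructed sample:",
          find_hidden_pids(SAMPLE_PS_VIEW, SAMPLE_PROBE_1, SAMPLE_PROBE_2))
    hidden = find_hidden_pids(pids_from_ps(), pids_by_probe(), pids_by_probe())
    print("live:", hidden or "no hidden pids")
```

The check only catches hiding that removes the process from one enumeration path and not the other; a rootkit that also hooks the lookup path, or that unlinks the task as the "advanced task unlink" in the summary does, needs a further view (for example the Mach task list from a privileged helper) added to the comparison.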
Demo
Defense
check if any kext is loaded; check if any task is attaching to another task
http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/libkern/kxld/kxld.c
http://opensource.apple.com/source/xnu/xnu-1504.7.4/libkern/c++/OSKext.cpp
OSKext::loadExecutable()
    kxld_link_file(KXLDContext *context, u_char *file, u_long size, const char *name,
                   void *callback_data, u_char **deps, u_int ndeps,
                   u_char **_linked_object, kxld_addr_t *kmod_info_kern,
                   u_char **_link_state, u_long *_link_state_size,
                   u_char **_symbol_file __unused, u_long *_symbol_file_size __unused)
monitor task_for_pid
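An added example, not from the slides: a Python checker for the "is any kext loaded" defence above, extended to the syscall and mach trap tables discussed earlier. It parses kextstat output into load ranges, flags kexts missing from a known-good baseline, and checks a dumped sysent or mach_trap_table for handlers that point outside the kernel's __TEXT range, naming the kext that owns the address when one does. The kextstat lines, the baseline, the kernel text range, the `com.example.hidden` bundle id and the handler addresses are all constructed; obtaining the real table contents needs the _nsysent/_mach_trap_table addresses from the slides and kernel memory access, which the example does not perform.

```python
import subprocess


def parse_kextstat(text):
    """Parse `kextstat` output into index/address/size/bundle-id records."""
    kexts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue                                   # header or blank line
        kexts.append({"index": int(parts[0]), "address": int(parts[2], 16),
                      "size": int(parts[3], 16), "name": parts[5]})
    return kexts


def live_kexts():
    """Run kextstat on the local machine and parse it."""
    out = subprocess.run(["kextstat"], capture_output=True, text=True, check=True).stdout
    return parse_kextstat(out)


def unexpected_kexts(kexts, baseline):
    """Kexts not in a baseline captured from a known-good boot.

    A bundle-id prefix is not evidence of origin (anyone can name a kext
    com.apple.*), so the baseline is a plain allowlist; signature checks
    belong in a separate step.
    """
    return [k["name"] for k in kexts if k["name"] not in baseline]


def owner_of(addr, kexts):
    """Bundle id of the kext whose load range contains addr, else None."""
    for k in kexts:
        if k["address"] <= addr < k["address"] + k["size"]:
            return k["name"]
    return None


def hooked_entries(table, kernel_text, kexts):
    """Entries of a dumped sysent/mach_trap_table whose handler lies outside
    the kernel's __TEXT range, with the owning kext when one is known."""
    lo, hi = kernel_text
    return [(name, addr, owner_of(addr, kexts) or "unknown")
            for name, addr in table.items() if not lo <= addr < hi]


# Constructed kextstat output (addresses invented for the example).
SAMPLE_KEXTSTAT = """Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   78 0xffffff7f80742000 0x6b40     0x6b40     com.apple.kpi.bsd (12.0.0)
   95    0 0xffffff7f80ab1000 0x5000     0x5000     com.apple.driver.AppleHPET (1.7) <12 5 4 3>
  130    0 0xffffff7f82103000 0x3000     0x3000     com.example.hidden (0.0.1) <4 3 1>
"""
SAMPLE_BASELINE = {"com.apple.kpi.bsd", "com.apple.driver.AppleHPET"}
SAMPLE_KERNEL_TEXT = (0xffffff8000200000, 0xffffff8000a00000)   # constructed __TEXT range
SAMPLE_SYSENT = {                                               # constructed handler addresses
    "getdirentries64": 0xffffff8000312340,                      # inside kernel text: fine
    "open": 0xffffff7f82103450,                                 # inside com.example.hidden
}

if __name__ == "__main__":
    kexts = parse_kextstat(SAMPLE_KEXTSTAT)
    print("unexpected kexts:", unexpected_kexts(kexts, SAMPLE_BASELINE))
    print("hooked entries:", hooked_entries(SAMPLE_SYSENT, SAMPLE_KERNEL_TEXT, kexts))
```

On a 10.8 system the kernel text range itself is slid by kernel ASLR, so the range passed to `hooked_entries` has to be taken from the running kernel (the 10.7 file-address-equals-memory-address shortcut from the Kernel ASLR section no longer applies) rather than from the mach_kernel file on disk.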
Summary
mach-o file format; 10.7.x vs 10.8.x ASLR; static inject | dynamic inject; Dtrace and Anti-Dtrace; detecting rootkits with proc struct unlink and advanced task unlink
Q&A