Scribd Logo
Upload

Welcome to Scribd!

  • VXCON 2012 - Advanced Mac OS Rootkit

    Uploaded by

    sttsai
    2K views70 pages
    In this presentation, we will start from basic details, and try to provide a comprehensive view of rootkit on Mac OS, including both user and kernel mode. Not only introducing general rootkit techniques, we will also disclose new and more advanced rootkit tricks by digging into more kernel objects and data structures. Besides the advanced rootkit technique, a new way to anti-tracing (anti-dtrace) will be introduced as well.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    In this presentation, we will start from basic details, and try to provide a comprehensive view of rootkit on Mac OS, including both user and kernel mode. Not only introducing general rootkit techniques, we will also disclose new and more advanced rootkit tricks by digging into more kernel objects and data structures. Besides the advanced rootkit technique, a new way to anti-tracing (anti-dtrace) will be introduced as well.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    2K views70 pages

    VXCON 2012 - Advanced Mac OS Rootkit

    Uploaded by

    sttsai
    In this presentation, we will start from basic details, and try to provide a comprehensive view of rootkit on Mac OS, including both user and kernel mode. Not only introducing general rootkit techniques, we will also disclose new and more advanced rootkit tricks by digging into more kernel objects and data structures. Besides the advanced rootkit technique, a new way to anti-tracing (anti-dtrace) will be introduced as well.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 70

    Mac OS Rootkits

    Nanika & TT http://exploitspace.blogspot.com

    About Us

    Taiwan

    Nanika Pan
    Trend Micro
    Staff Research Engineer Core Tech Department

    Speech
    Black Hat USA 2011 / 2012 Syscan Singapore/Taipei/Hong Kong 08/10 Hacks in Taiwan Conference 05/06/07/09/10/12

    Research
    Vulnerability discovery and analysis Exploit techniques Malware detection Mobile security

    Sung-ting Tsai (TT)


    Trend Micro
    Leader of an advanced threat research team. Core Tech Department

    Speech
    Black Hat USA 2011 / 2012 Codegate 2012 Syscan 10 / 12 HITCon 08

    Research
    New security technology Malicious document Malware auto-analyzing system (sandbox technologies) Malware detection System vulnerability and protection Mobile security

    warm-up

    defaults write com.apple.Finder AppleShowAllFiles 1 Mac OS Activity Monitor (Utilities)

    plist file

    /etc/rc.* /etc/profile /etc/bashrc ~/.bashrc ~/.profile ~/.login /etc/inetd.conf /etc/xinetd.d/ /etc/crontab /etc/ mach_init_per_use r.d/ /etc/mach_init.d

    XPCServices

    /System/Library/LaunchAgents/ ~/Library/LaunchAgents/ /System/Library/LaunchDaemons ~/Library/LaunchDaemons ~/Library/Preferences/ com.apple.loginitems.plist ~/Library/StartupItems /System/Library/StartupItems

    http://blog.mktime.com/archive/ 365.html sudo defaults write com.apple.loginwindow LoginHook / path/to/login.sh sudo defaults write com.apple.loginwindow LogoutHook / path/to/logout.sh

    http://www.malicious-streams.com/ Downloads/Downloads.html http://osxbook.com/book/bonus/ ancient/whatismacosx/ arch_startup.html http://computer-forensics.sans.org/ summit-archives/2012/when-macs-gethacked.pdf

    get root
    sudo AuthorizationExecuteWithPrivileges http://www.michaelvobrien.com/blog/ 2009/07/ authorizationexecutewithprivileges-asimple-example/

    Xcode build the file location

    Debug Argv

    gcc -framework CoreServices

    AuthorizationExecuteWithPrivileges

    let's go crazy hacking

    Mac le format Lion vs Mountain Lion usermode aslr DKOM nd process hide kernel aslr DKOM Advance user rootkit process hide user mode hook Anti Dtrace kernel rootkit syscall hook machtrap hook

    macho
    otool macho_view http://sourceforge.net/
    projects/machoview/

    hopper Disassembler http://


    www.hopperapp.com/

    Header

    Entry Point

    LINKEDIT

    LC_DYLD_INFO

    _la_symbol_ptr Section Header

    _la_symbol_ptr

    How to nd Export Function Address

    SYMTable Address=LINKEDIT imagebase+


    (SYMTable Address-LINKEDIT FILEOffest) >0x8fe5e000(0x3a344-0x35000)

    ex:string table-

    ASLR
    mach-o ASLR MH_PIE http://www.0xcafebabe.it/2011/10/15/onmacos-10-7-dyld-randomization/

    GDB attach

    GDB open
    NO ASLR http://reverse.put.as/2011/08/11/how-gdbdisables-aslr-in-mac-os-x-lion/

    ASLR usermode
    10.7.x X64 mode main thread stack leak
    dyld image base

    10.8.x random

    osx10.7.x

    Kernel ASLR
    mach_kernel 10.7.x no aslr File Function Addr = Mem Function Addr mach_kernel 10.8.x aslr

    Get ASLR Kernel base


    __asm__ volatile ("sidt %0": "=m" (idtr)); idt table function address is always in kernel
    function address

    search MACHO Magic to nd kernel base

    User mode hook

    DYLD_INSERT_LIBRARIES

    dynamic inject

    LD_PRELOAD=./gethostname.dylib FAKE_HOSTNAME=foo hostname foo DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=lib_overrides.dyli b overrides_test

    FILE * (*original_fopen) (const char *, const char *) =NULL; FILE * fopen(const char * filename, const char * mode) { if (!original_fopen) original_fopen = dlsym(RTLD_NEXT, "fopen"); printf("== fopen: {%s,%s} ==\n", filename, mode); FILE* f = original_fopen(filename, mode); return f; }

    gcc -Wall -o lib_overrides.dylib -dynamiclib lib_overrides.c

    int main(int argc, char const *argv[]) { char hello[] = "hello world"; FILE *fp = fopen("hello.txt", "w"); if (fp) { fwrite(hello, 1, strlen(hello), fp); fclose(fp); } return 0; }

    gcc -Wall -o overrides_test overrides_test.c

    if you do not see any event, dont be

    surprised. Because this hook only changed the _la_symbol_ptr.

    http://tlrobinson.net/blog/category/gcc/

    Dynamic inject

    mach_port_t! remoteTask = 0; pid_t! targetProcess; task_for_pid( mach_task_self(), targetProcess, &remoteTask );

    kern_return_t

    vm_read target_task, address, size, data_out, data_count); target_task, address, data, data_count); vm_write

    (vm_task_t vm_address_t vm_size_t size target_task

    kern_return_t

    (vm_task_t vm_address_t pointer_t mach_msg_type_number_t

    kern_return_t

    vm_protect target_task, address, size, set_maximum, new_protection);

    (vm_task_t vm_address_t vm_size_t boolean_t vm_prot_t

    kern_return_t thread_create_running

    ( " task_t parent_task, " thread_state_flavor_t flavor, " thread_state_t new_state, " mach_msg_type_number_t new_stateCnt, " thread_act_t *child_act ); http://cansecwest.com/csw09/csw09daizovi-miller.pdf

    why vmmap pid use task_for_pid to attach another task (no root) ? Because it needs Apple Code Signature

    IDT with syscall



    idt[0x80] _idt64_unix_scall:ffffff80002d7480 idt[0x81] _idt64_mach_scall:ffffff80002d74a0 idt[0x82] _idt64_mdep_scall:ffffff80002d74c0 idt[0x83] _idt64_diag_scall:ffffff80002d74e0

    syscall
    "_nsysent" 10.7.x no aslr 10.8.x _nsysent + offset 0x1c028

    mach trap
    _mach_trap_table 10.7.x = 10.8.x 10.8 add some new functions

    Dtrace
    base on dtrace execsnoop iosnoop opensnoop rwsnoop

    Dtrace User Guide


    sudo dtrace -s demo.d http://docs.oracle.com/cd/E18752_01/html/
    819-5488/gcfah.html

    https://www.blackhat.com/presentations/
    bh-usa-08/Beauchamp_Weston/ BH_US_08_BeauchampWeston_DTrace.pdf

    How Dtrace (FBT) provider work


    IDT _hndl_alltraps _kernel_trap http://opensource.apple.com/source/xnu/
    xnu-1699.22.73/osfmk/i386/trap.c

    Modify
    change one byte code 55 push rbp 48 89 e5 mov rbp,rsp 55 push rbp 0f 89 e5 lock mov rbp,rsp

    Handle Exception
    if (FBT_EXCEPTION_CODE == trapno
    && !IS_USER_TRAP(saved_state)) {

    _fbt_perfCallback _dtrace_invop http://www.opensource.apple.com/source/


    xnu/xnu-1456.1.26/bsd/dev/i386/fbt_x86.c

    Anti Dtrace (FBT)


    Load kext nd symbol _tempDTraceTrapHook tempDTraceTrapHook->fbt_perfCallback tempDTraceTrapHook->your function handle exception x any dtrace modied byte code

    Process Hiding
    rubilyn rootkit http://www.nullsecurity.net/tools/backdoor/
    rubilyn-0.0.1.tar.gz

    Current DKOM => unlink p_list http://www.opensource.apple.com/source/

    xnu/xnu-1456.1.26/bsd/sys/proc_internal.h

    How to nd hided process


    listing task can nd hided process task http://www.opensource.apple.com/source/
    xnu/xnu-1456.1.26/osfmk/kern/task.h

    Usermode list task for nding rubilyn rootkit

    DKOM unlink Task list


    this works on 10.7.x or 10.8.x demo install truehide.kext sudo kextload /System/Library/Extensions/
    truehide.kext

    sysctl -w debug.truehide.pid=?

    How to nd unlinked Task list?


    In usermode, you can still nd something
    interesting.

    Demo

    Defense
    check if any kext is loaded check if any task is attaching to another
    task

    http://www.opensource.apple.com/source/
    xnu/xnu-1456.1.26/libkern/kxld/kxld.c

    http://opensource.apple.com/source/xnu/
    xnu-1504.7.4/libkern/c++/OSKext.cpp

    OSKext::loadExecutable() kxld_link_le(KXLDContext *context,u_char *le,u_long size,const char *name,void *callback_data,u_char **deps,u_int ndeps,u_char **_linked_object,kxld_addr_t *kmod_info_kern,u_char **_link_state,u_long *_link_state_size,u_char **_symbol_le __unused,u_long *_symbol_le_size __unused)

    monitor task_for_pid

    Summary
    mach-o le format 10.7.x vs 10.8.x ASLR static inject | dynamic inject Dtrace and AntiDtrace detecting rootkit with proc struct unlink
    and advanced task unlink

    How to detect kext loading

    Q&A

    You might also like