Recon 2011

Jesse D'Aguanno
Day Sunday - 2011-07-10
Room Grand Salon
Start time 10:00
Duration 01:00
ID 122
Event type Lecture
Track Main

Mach shellcodes and OS X injectable rootkits

The Mach subsystem on OS X has several interfaces which can be leveraged by an attacker to subvert the OS and write directly to the memory of other processes, including the kernel, allowing us to replace code, overwrite data structures, etc. I demonstrated some of these techniques and an example OS X kernel rootkit ("iRK") a couple of years ago at Black Hat. Until now, these techniques required loading a kernel extension or at least loading a Mach-O executable. This talk will cover techniques for calling Mach subsystem system calls natively from shellcode and will demonstrate rootkit techniques from directly within payloads (without leaving a forensic trail).