At BlackHat USA 2009, I presented “Advanced Mac OS X Rootkits” covering a number of Mach-based rootkit techniques and some tools that I have developed to demonstrate them. While the majority of Mac OS X rootkits employ known and traditional Unix-based rootkit techniques, these Mach-based techniques show what else is possible using the powerful Mach abstractions in Mac OS X. My presentation covered a number of Mach-based rootkit tools and techniques including user-mode Mach-O bundle injection, Mach RPC proxying, in-kernel RPC server injection/modification, and kernel rootkit detection.
User-mode DLL injection is quite common on Windows-based operating systems and is facilitated by the CreateRemoteThread API function. The Mach thread and task calls support creating threads in other tasks, however, they are much more low-level. The inject-bundle tool demonstrates the steps necessary to use injected memory and threads to load a Mach-O bundle into another task. A number of injectable bundles are included to demonstrate the API (test), capture an image using the iSight camera (iSight), log instant messages from within iChat (iChatSpy), and log SSL traffic sent through the Apple Secure Transport API (SSLSpy).
The majority of Mach kernel services (task and thread system calls, for example) are implemented as RPC services. The Mach message format was designed to be host-independent, which facilitates transferring them across the network. Machiavelli demonstrates using Mach RPC proxying in order to transparently perform Mach RPC to a remote host. Machiavellian versions of ps and inject-bundle are included in order to demonstrate how this technique may be used for remote host control by rootkits.
Most of the public kernel rootkits for Mac OS X load as kernel extensions and remove their entries from the kernel’s kmod list in order to hide themselves from kextstat and prevent themselves from being unloaded. The uncloak tool examines the kernel memory regions looking for loaded Mach-O objects. If any of these objects do not correspond to a known kernel extension, they may be dumped to disk using kernel-macho-dump.
Mach IPC messages to the in-kernel Mach RPC servers are dispatched through the mig_buckets table. This table stores function pointers to the kernel RPC server routines and is analogous to the Unix systent system call table. A kernel rootkit may directly modify this table in order to inject new kernel RPC servers or interpose on in-kernel RPC server routines. The KRPC kernel extension shows how a kernel rootkit may directly modify this table in order to dynamically inject a new in-kernel RPC subsystem.
These tools are deliberately released as ‘non-hostile’ proof-of-concept tools that meant to demonstrate techniques and are not suitable for use in actual rootkits or attack tools. The IM and SSL logging bundles log to the local system’s disk in an obvious fashion and Machiavelli opens up the controlling host to some obvious attacks. The non-Machiavelli version of inject-bundle, however, is fully functional and useful for a variety of system-level tasks. Using the other tools outside of a closed network or test virtual machine is not recommended.
Here are the goods: