Advanced Mac OS X Rootkits

At BlackHat USA 2009, I presented “Advanced Mac OS X Rootkits” covering a number of Mach-based rootkit techniques and some tools that I have developed to demonstrate them.  While the majority of Mac OS X rootkits employ known and traditional Unix-based rootkit techniques, these Mach-based techniques show what else is possible using the powerful Mach abstractions in Mac OS X.  My presentation covered a number of Mach-based rootkit tools and techniques including user-mode Mach-O bundle injection, Mach RPC proxying, in-kernel RPC server injection/modification, and kernel rootkit detection.

User-mode DLL injection is quite common on Windows-based operating systems and is facilitated by the CreateRemoteThread API function.  The Mach thread and task calls support creating threads in other tasks, however, they are much more low-level.  The inject-bundle tool demonstrates the steps necessary to use injected memory and threads to load a Mach-O bundle into another task.  A number of injectable bundles are included to demonstrate the API (test), capture an image using the iSight camera (iSight), log instant messages from within iChat (iChatSpy), and log SSL traffic sent through the Apple Secure Transport API (SSLSpy).

The majority of Mach kernel services (task and thread system calls, for example) are implemented as RPC services.  The Mach message format was designed to be host-independent, which facilitates transferring them across the network.  Machiavelli demonstrates using Mach RPC proxying in order to transparently perform Mach RPC to a remote host. Machiavellian versions of ps and inject-bundle are included in order to demonstrate how this technique may be used for remote host control by rootkits.

Most of the public kernel rootkits for Mac OS X load as kernel extensions and remove their entries from the kernel’s kmod list in order to hide themselves from kextstat and prevent themselves from being unloaded. The uncloak tool examines the kernel memory regions looking for loaded Mach-O objects.  If any of these objects do not correspond to a known kernel extension, they may be dumped to disk using kernel-macho-dump.
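The following is an added example rather than code from the post or from uncloak itself: it shows the core of the check described above, probing a memory image at page boundaries for Mach-O magic values and flagging any header whose offset the kmod list does not account for. The image, the allowlist and the page layout are constructed in-process; nothing here reads real kernel memory, and the helper names are my own.

```c
/* Added example, not part of the original post or of the uncloak tool:
 * a scan for Mach-O headers in a memory image, flagging any header whose
 * load offset is absent from the allowlist built from the kmod list.
 * The image and allowlist below are constructed in-process; nothing here
 * reads real kernel memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC        0xfeedface  /* 32-bit Mach-O magic (mach-o/loader.h) */
#define MH_MAGIC_64     0xfeedfacf  /* 64-bit Mach-O magic */
#define PAGE_BYTES      4096        /* kexts load page-aligned, so only page starts are probed */
#define IMAGE_PAGES     6           /* size of the constructed image */
#define MAX_HITS        16

typedef struct {
    uint64_t offset;   /* offset of the header within the scanned region */
    int      is64;     /* 1 for MH_MAGIC_64, 0 for MH_MAGIC */
    int      known;    /* 1 if the offset appears in the kmod-derived allowlist */
} macho_hit_t;

/* Probe every page boundary of buf for a Mach-O magic value and record each
 * hit. The magic is read in host byte order, as the loader stores it. */
size_t scan_for_macho(const uint8_t *buf, size_t len,
                      const uint64_t *allow, size_t nallow,
                      macho_hit_t *hits, size_t maxhits)
{
    size_t n = 0;
    for (uint64_t off = 0; off + sizeof(uint32_t) <= len; off += PAGE_BYTES) {
        uint32_t magic;
        memcpy(&magic, buf + off, sizeof magic);
        if (magic != MH_MAGIC && magic != MH_MAGIC_64)
            continue;
        if (n == maxhits)
            break;
        hits[n].offset = off;
        hits[n].is64 = (magic == MH_MAGIC_64);
        hits[n].known = 0;
        for (size_t i = 0; i < nallow; i++)
            if (allow[i] == off) { hits[n].known = 1; break; }
        n++;
    }
    return n;
}

/* Constructed image: a listed 64-bit kext at page 0, a listed 32-bit kext at
 * page 1, an unlisted 64-bit Mach-O at page 4, filler bytes elsewhere. */
void build_sample_image(uint8_t *buf, size_t len)
{
    const uint32_t m32 = MH_MAGIC, m64 = MH_MAGIC_64;
    memset(buf, 0x41, len);
    memcpy(buf + 0 * PAGE_BYTES, &m64, sizeof m64);
    memcpy(buf + 1 * PAGE_BYTES, &m32, sizeof m32);
    memcpy(buf + 4 * PAGE_BYTES, &m64, sizeof m64);
}

/* The kmod list (constructed) claims only pages 0 and 1 hold extensions. */
static const uint64_t sample_allowlist[] = { 0 * PAGE_BYTES, 1 * PAGE_BYTES };

/* Scan the constructed image and return the number of Mach-O objects that no
 * kmod entry accounts for: the candidates that would be dumped to disk. */
size_t count_unlisted_machos(void)
{
    static uint8_t image[IMAGE_PAGES * PAGE_BYTES];
    macho_hit_t hits[MAX_HITS];
    size_t unlisted = 0;

    build_sample_image(image, sizeof image);
    size_t n = scan_for_macho(image, sizeof image, sample_allowlist, 2, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++) {
        printf("Mach-O %s header at offset 0x%llx: %s\n",
               hits[i].is64 ? "64-bit" : "32-bit",
               (unsigned long long)hits[i].offset,
               hits[i].known ? "listed in kmod table" : "NOT in kmod table");
        if (!hits[i].known)
            unlisted++;
    }
    return unlisted;
}

int main(void)
{
    printf("%zu unlisted Mach-O object(s)\n", count_unlisted_machos());
    return 0;
}
```

A real scan would walk the kernel's mapped regions and parse the header past the magic (filetype, load commands) before trusting a hit; probing only page starts keeps false positives from stray magic values inside data pages down, which is why the example does the same.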

Mach IPC messages to the in-kernel Mach RPC servers are dispatched through the mig_buckets table.  This table stores function pointers to the kernel RPC server routines and is analogous to the Unix sysent system call table.  A kernel rootkit may directly modify this table in order to inject new kernel RPC servers or interpose on in-kernel RPC server routines.  The KRPC kernel extension shows how a kernel rootkit may directly modify this table in order to dynamically inject a new in-kernel RPC subsystem.
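Because the table is a flat array of function pointers, it can be audited the same way sysent usually is. The following is an added example, not code from the post or from the KRPC kext: it compares a live copy of a mig_buckets-shaped table against a boot-time snapshot and range-checks every routine pointer against the kernel's own text segment. The bucket layout (message id, routine pointer, reply size) is a simplified stand-in for the real structure, and the text range, baseline table and live table are all constructed values.

```c
/* Added example, not from the original post or the KRPC kext: an integrity
 * check over a dispatch table shaped like mig_buckets. The bucket layout is a
 * simplified stand-in (message id, routine pointer, reply size); the kernel
 * text range, baseline table and live table are all constructed here. */
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 8   /* the real table is larger; this is a small constructed copy */

typedef struct {
    int32_t  num;      /* Mach message id this bucket dispatches */
    uint64_t routine;  /* address of the in-kernel RPC server routine */
    int32_t  size;     /* expected reply message size */
} mig_bucket_t;

typedef struct {
    uint64_t text_start;  /* constructed bounds for the kernel's own __TEXT segment */
    uint64_t text_end;
} kernel_text_range_t;

enum { MIG_OK = 0, MIG_OUT_OF_TEXT = 1, MIG_CHANGED = 2 };

/* Compare one live bucket against its boot-time snapshot and range-check the
 * routine pointer. Empty buckets (routine == 0) are not range-checked. */
int check_bucket(const mig_bucket_t *live, const mig_bucket_t *base,
                 kernel_text_range_t kt)
{
    int flags = MIG_OK;
    if (live->routine != 0 &&
        (live->routine < kt.text_start || live->routine >= kt.text_end))
        flags |= MIG_OUT_OF_TEXT;        /* routine lives outside the kernel image */
    if (live->num != base->num || live->routine != base->routine ||
        live->size != base->size)
        flags |= MIG_CHANGED;            /* entry differs from the trusted snapshot */
    return flags;
}

/* Audit the whole table; returns how many buckets raised at least one flag. */
size_t audit_mig_buckets(const mig_bucket_t *live, const mig_bucket_t *base,
                         size_t n, kernel_text_range_t kt)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int f = check_bucket(&live[i], &base[i], kt);
        if (f != MIG_OK) {
            printf("bucket %zu (msg id %d): %s%s\n", i, live[i].num,
                   (f & MIG_OUT_OF_TEXT) ? "routine outside kernel text " : "",
                   (f & MIG_CHANGED) ? "differs from baseline" : "");
            bad++;
        }
    }
    return bad;
}

/* Constructed kernel text range. */
static const kernel_text_range_t sample_kt = { 0xffffff8000200000ULL, 0xffffff8000600000ULL };

/* Baseline snapshot (constructed): six populated buckets, two empty. */
static const mig_bucket_t sample_base[NBUCKETS] = {
    { 200, 0xffffff8000201000ULL, 40 }, { 201, 0xffffff8000202000ULL, 44 },
    { 202, 0xffffff8000203000ULL, 40 }, { 203, 0xffffff8000204000ULL, 56 },
    { 204, 0xffffff8000205000ULL, 40 }, { 205, 0xffffff8000206000ULL, 48 },
    { 0, 0, 0 },                        { 0, 0, 0 },
};

/* Live table (constructed): bucket 3 now points outside kernel text (an
 * interposed routine), bucket 6 holds a subsystem that was empty at baseline. */
static const mig_bucket_t sample_live[NBUCKETS] = {
    { 200, 0xffffff8000201000ULL, 40 }, { 201, 0xffffff8000202000ULL, 44 },
    { 202, 0xffffff8000203000ULL, 40 }, { 203, 0xffffff7f80a01000ULL, 56 },
    { 204, 0xffffff8000205000ULL, 40 }, { 205, 0xffffff8000206000ULL, 48 },
    { 9000, 0xffffff7f80a02000ULL, 40 }, { 0, 0, 0 },
};

size_t run_sample_audit(void)
{
    return audit_mig_buckets(sample_live, sample_base, NBUCKETS, sample_kt);
}

int main(void)
{
    printf("%zu suspicious bucket(s)\n", run_sample_audit());
    return 0;
}
```

The range check alone catches routines that live in a loaded extension's memory, while the baseline comparison catches the subtler case of a pointer swapped for another routine that is still inside the kernel image; a detector wants both.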

These tools are deliberately released as ‘non-hostile’ proof-of-concept tools that are meant to demonstrate techniques and are not suitable for use in actual rootkits or attack tools.  The IM and SSL logging bundles log to the local system’s disk in an obvious fashion and Machiavelli opens up the controlling host to some obvious attacks.  The non-Machiavelli version of inject-bundle, however, is fully functional and useful for a variety of system-level tasks.  Using the other tools outside of a closed network or test virtual machine is not recommended.


Here are the goods:

Comments

  1. Hey Dino,
    Thanks for the posted info. In addition to this, do you have the slides for Macsploitation with Metasploit? If so, could those be published?

    Thanks
    Jay

  2. What makes a UNIX based rootkit less likely to crash?
    –Does any sample include—a legal rootkit to use on the net–maybe one that allows more special access legally?–but one with unique Unix duties like yours..Can I have a only safe sample for my email box?
    3 yrs msoft/java tests,1 ethernet,
    can download now..
    also if can correct other rootkits from violating net rules include that..

  3. plushcube says:

    Excellent article, Dino.
    Could you tell how to implement memory injection on the x86_64 arch? Your code works perfectly with i386-targeted applications, but with 64-bit it’s got some issues.
    I’ve added some code to make it work on the 64-bit arch (other structures, some memory protection issues and so on), but now mach_thread_trampoline won’t work: the __pthread_set_self call hasn’t set the correct value in the gs register (I don’t know whether there are other errors in this function’s call). So calling cthread_set_self after that throws an EXC_BAD_ACCESS exception (because gs:0x66 points to the wrong address).
    Please, give me a little hint so I’ll be able to continue research.

    Thanks in advance :)

    • I haven’t looked at x64 yet with this code, but there will definitely be some work into supporting it. You may have to figure out what is needed to promote a bare Mach thread into a full POSIX thread by reading through the pthread code in libSystem. The method that I found works for PowerPC and x86, but it may need some tweaks for x64. Take a look at the available calls in the commpage, there might be something useful there that can help initialize the thread correctly.

      -Dino

  4. Letha Deck says:

    Dino, I think I have rootkits on my two stand alone Mac notebooks. I am having a rough time getting to the ‘invisible’ drive to dislodge it. Can I destroy the root of the rootkit? Where I can get a cure?

    • Of course, it’s possible that you have a rootkit, but it is still quite rare (especially if the machines are stand-alone and don’t connect to the Internet). Here are some things that may possibly help (in order of increasing difficulty and time commitment):

      • Install some Mac anti-virus software
      • Do an “Archive and Install” re-install of Mac OS X
      • Do a clean reinstall of Mac OS X and restore from a Time Machine backup from the Migration Assistant after the install
      • Reinstall and restore from Time Machine backup only restoring your user account, re-install your apps individually
      • Ritualistic goat sacrifice

      Again, I doubt you have a rootkit, but you could have a Mac trojan or bot on your machine. An anti-virus program should be able to take care of that. Chances are though, that your problem is something else misbehaving. An Apple store or other Mac expert should be able to help you with that.

      -Dino

  5. ifernando says:

    Hello,

    with Snow Leopard 10.6.4 I am obtaining an unresolved symbol:

    $ sudo kextutil KRPC.kext
    (kernel) kxld[com.machackershandbook.kext.KRPC]: The following symbols are unresolved for this kext:
    (kernel) kxld[com.machackershandbook.kext.KRPC]: _mig_buckets

    I cannot find this symbol using kextfind, however this symbol is exported in the kernel:

    $ kextfind -dsym _mig_buckets
    $ nm -arch i386 /mach_kernel |grep _mig_buckets
    00844b00 S _mig_buckets
    $ nm -arch x86_64 /mach_kernel |grep _mig_buckets
    ffffff8000672e40 S _mig_buckets

    How can I find the kext library to link with using the OSBundleLibraries dict?
