Runtime Kernel Patching on Mac OS X

Presented at DEF CON 17 (2009), Aug. 1, 2009, 6:30 p.m. (20 minutes)

Runtime kernel patching has been around for almost ten years and is a technique frequently used by various rootkits to subvert the kernel's used in many modern operating systems. This technique does not require any types of kernel modules or extensions and will allow you to hide various things like processes, files, folders and network connections by modifying the kernel's memory directly. It will also allow you to place various backdoors in the kernel for privilege escalation. This talk will discuss runtime kernel patching on Apple's operating system Mac OS X and the XNU kernel. We will cover some rootkit basics as well as some Mac OS X specific 'features' which will facilitate our journey into the deepest parts of the darwin operating system and the XNU kernel. As a bonus we will also show some basic methods for rootkit detection on Mac OS X that will aid you in the process of detecting rootkits that utilize runtime kernel patching to stay hidden.


  • Bosse Eriksson - Security Researcher, Bitsec
    Bosse Eriksson has been involved in various security related projects over the past years and has recently been published in Phrack Magazine. He enjoys finding vulnerabilities in various software as well as writing exploits for them, recently focusing on Mac OS X and it's related vulnerabilities. Bosse is currently employed as a security researcher at the Swedish based security company Bitsec where he performs penetration tests, exploit development and vulnerability research.


Similar Presentations: