Defiling Mac OS X

Presented at Kiwicon V: It Goes b00m (2011), Nov. 5, 2011, 4:45 p.m. (30 minutes).

I thought it would be fun and educational to write a kernel rootkit for Mac OS X. Having never messed around in kernel memory before, it was quite an enlightening experience. OS X is similar enough to FreeBSD that a lot of the same techniques apply, but different enough that there are a few surprises in store. I'll show you how some common kernel rootkit techniques are implemented on OS X, which techniques Apple have broken, and hand-wave a bit about the possibilities for rootkit persistence that are presented by the EFI firmware used in current Macs.

Presenters:

• snare   as Snare
  Once upon a time, snare was a code-monkey, cranking out everything from pre-press automation apps to firmware for Big F***ing Laser Machines. Then he got bored and decided to try his hand at the high-flying buzzword-ridden world of Information Security. A couple of thousand "weak SSL ciphers" write ups and a triple-bypass later, here he is.

Links:

• https://2011.kiwicon.org/the-con/talks/#e29

Similar Presentations:

• Black Hat USA 2012 / DE MYSTERIIS DOM JOBSIVS: Mac EFI Rootkits
• DEF CON 17 (2009) / Runtime Kernel Patching on Mac OS X
• Black Hat Asia 2014 / You Can't See Me: A Mac OS X Rootkit Uses the Tricks You Haven't Known Yet