Mach shellcodes and OS X injectable rootkits

Presented at REcon 2011, July 10, 2011, 10 a.m. (60 minutes)

The mach subsystem on OS X has several interfaces which can be leveraged by an attacker to subvert the OS and write directly to the memory of other processes, including the kernel, allowing us to replace code, overwrite data structures, etc. I demonstrated some of these techniques and an example OS X kernel rootkit ("iRK") a couple of years ago at Black Hat. Until now, these techniques required loading a kernel extension or at least loading a mach-o executable. This talk will cover techniques for calling mach subsystem system calls natively from shellcode and will demonstrate rootkit techniques from directly within payloads (without leaving a forensic trail).
