syscall hijack - hewigovens/hewigovens.github.com GitHub Wiki

The basic idea: locate the sysent table (the BSD syscall dispatch table, an array of `struct sysent` whose `sy_call` members are the handler pointers) -> allocate kernel memory from userland -> put the payload in the allocated space -> redirect a syscall (or any other function pointer) to it. See "Runtime Kernel Patching on Mac OS X" for the original write-up of this approach.

Ways to locate the sysent table (it is not an exported symbol, so every approach derives the address indirectly):

  • From inside a kext (Landon Fuller's method): start from a symbol the kernel does export (`nsysent`, the table length) and search the memory around it for a table whose entries carry the known argument counts of well-known syscalls (exit, fork, read, write, wait4, ptrace).

  • Back up and replace the syscall handlers: save the original `sy_call` pointer of each hooked slot before overwriting it, and restore the saved pointer on unload.

  • From memory: resolve symbols from the XNU kernel image (walk its symbol table to find `_sysent` or a neighbouring symbol and compute the address from there).

  • From userland via the Mach API: use vm_read()/vm_write()/vm_allocate() on the kernel task port to read, allocate and patch kernel memory, and so hook system calls and input handlers.
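The whole sequence described above (find the table by fingerprint, back up a handler, swap in a hook, restore it) as an added worked example in C. It is not code from this wiki or from any of the projects it cites: it runs entirely in userland against a fake kernel image, and its `struct sysent`, `NSYSENT`, mock handlers and the offset 1032 are constructed for the example. Assumption: the struct only loosely follows XNU's `bsd/sys/sysent.h` (the real one has more fields and changes between releases); the syscall numbers and argument counts come from `syscalls.master`.

```c
/* Added example (not from the wiki or the cited projects): user-space model of
 * locating sysent by fingerprint and hooking a handler. Build: cc -Wall sysent_model.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t (*sy_call_t)(void *proc, void *uap, int *retval);

/* Simplified table entry (assumption: model of XNU's struct sysent, not its ABI). */
struct sysent {
    int16_t   sy_narg;   /* number of arguments */
    int8_t    sy_resv;
    int8_t    sy_flags;
    sy_call_t sy_call;   /* the handler pointer a hook overwrites */
};

/* BSD syscall numbers (syscalls.master) used as the fingerprint; NSYSENT is model-sized. */
enum { SYS_syscall = 0, SYS_exit = 1, SYS_fork = 2, SYS_read = 3, SYS_write = 4,
       SYS_wait4 = 7, SYS_ptrace = 26, NSYSENT = 32 };

#define KMEM_SIZE 4096
static uint8_t *kmem;             /* fake kernel address space (malloc'd, any alignment) */
static int orig_write_calls;      /* how often the real handler ran */
static int hook_hits;             /* how often the hook ran */
static sy_call_t saved_write;     /* backup of the original write handler */

static int32_t mock_generic(void *p, void *u, int *retval) { (void)p; (void)u; *retval = 0; return 0; }
static int32_t mock_write(void *p, void *u, int *retval) { (void)p; (void)u; orig_write_calls++; *retval = 5; return 0; }

/* Constructed sample: fill memory with noise and plant a plausible table at offset `at`. */
static int build_fake_kernel(size_t at) {
    if (!kmem && !(kmem = malloc(KMEM_SIZE))) return -1;
    if (at % sizeof(void *) || at + sizeof(struct sysent) * NSYSENT > KMEM_SIZE) return -1;
    memset(kmem, 0xA5, KMEM_SIZE);
    struct sysent *t = (struct sysent *)(kmem + at);
    for (int i = 0; i < NSYSENT; i++) {
        t[i].sy_narg = 0; t[i].sy_resv = 0; t[i].sy_flags = 0; t[i].sy_call = mock_generic;
    }
    t[SYS_exit].sy_narg = 1;  t[SYS_read].sy_narg = 3;   t[SYS_write].sy_narg = 3;
    t[SYS_wait4].sy_narg = 4; t[SYS_ptrace].sy_narg = 4; t[SYS_write].sy_call = mock_write;
    return 0;
}

/* Fingerprint: a real table has exactly these argument counts in these slots. */
static int looks_like_sysent(const struct sysent *t) {
    return t[SYS_syscall].sy_narg == 0 && t[SYS_exit].sy_narg == 1 &&
           t[SYS_fork].sy_narg == 0    && t[SYS_read].sy_narg == 3 &&
           t[SYS_write].sy_narg == 3   && t[SYS_wait4].sy_narg == 4 &&
           t[SYS_ptrace].sy_narg == 4  && t[SYS_exit].sy_call != NULL;
}

/* Locate the table without a symbol: test every pointer-aligned offset. -1 if absent. */
long find_sysent_offset(const uint8_t *mem, size_t len) {
    size_t need = sizeof(struct sysent) * NSYSENT;
    for (size_t off = 0; off + need <= len; off += sizeof(void *))
        if (looks_like_sysent((const struct sysent *)(mem + off)))
            return (long)off;
    return -1;
}

/* Back up the original handler, then install the hook. Refuses to double-hook. */
int install_hook(struct sysent *t, int num, sy_call_t hook, sy_call_t *backup) {
    if (num < 0 || num >= NSYSENT || t[num].sy_call == hook) return -1;
    *backup = t[num].sy_call;
    t[num].sy_call = hook;
    return 0;
}

/* Restore only if our hook is still in place; otherwise we would unhook whoever came after us. */
int remove_hook(struct sysent *t, int num, sy_call_t hook, sy_call_t backup) {
    if (num < 0 || num >= NSYSENT || t[num].sy_call != hook) return -1;
    t[num].sy_call = backup;
    return 0;
}

/* The hook: observe (or alter) the call, then fall through to the saved original. */
static int32_t hooked_write(void *p, void *u, int *retval) {
    hook_hits++;
    return saved_write(p, u, retval);
}

/* End to end: locate, hook, dispatch twice, unhook, dispatch once. Returns hook hits (2) or <0. */
int sysent_demo(void) {
    int rv = 0;
    if (build_fake_kernel(1032) != 0) return -1;   /* 8-byte aligned, deliberately not 16 */
    long off = find_sysent_offset(kmem, KMEM_SIZE);
    if (off != 1032) return -2;
    struct sysent *sysent = (struct sysent *)(kmem + off);
    hook_hits = orig_write_calls = 0;
    if (install_hook(sysent, SYS_write, hooked_write, &saved_write) != 0) return -3;
    sysent[SYS_write].sy_call(NULL, NULL, &rv);   /* what the syscall dispatcher would do */
    sysent[SYS_write].sy_call(NULL, NULL, &rv);
    if (remove_hook(sysent, SYS_write, hooked_write, saved_write) != 0) return -4;
    sysent[SYS_write].sy_call(NULL, NULL, &rv);
    if (orig_write_calls != 3 || rv != 5) return -5;
    return hook_hits;
}

int main(void) {
    printf("sysent_demo -> %d (expected 2)\n", sysent_demo());
    return 0;
}
```

Two things the model leaves out that matter on a real kernel: the table may sit in memory the kernel maps read-only, so writes need the protection lifted first, and another CPU may be inside the old handler while you swap pointers, so a hook must never free or unmap the backup while it can still be running.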

## Examples

rubilyn is a 64-bit Mac OS X kernel rootkit that uses no hardcoded addresses to hook the BSD subsystem on OS X Lion and earlier. It combines syscall hooking with DKOM (direct kernel object manipulation) to hide activity on a host. Resolving symbols by string lookup no longer works on Mountain Lion because the symbol table is destroyed during load, so the code is portable across Lion and earlier but needs reworking to hook under Mountain Lion.

rubilyn features:

  • works across multiple kernel versions (tested on 11.0.0 and later)
  • give root privileges to a pid
  • hide files / folders
  • hide a process
  • hide a user from 'who'/'w'
  • hide a network port from netstat
  • sysctl interface for userland control
  • execute a binary with root privileges via a magic ICMP ping
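The DKOM side of "hide a process", as an added worked example in C that is not rubilyn's code or anything from this wiki. It models a process being unlinked from the kernel's process list and the cross-view check that exposes it. Assumptions: the list is a BSD `LIST_ENTRY`-style doubly linked list like XNU's `allproc`, the pid hash is a separate index the hider leaves alone so pid lookups (and the process itself) keep working, and the three processes are constructed sample data.

```c
/* Added example (not rubilyn's code): user-space model of DKOM process hiding
 * by unlinking from allproc, and a hash-vs-list cross-view detector. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIDHASH_SIZE 64
#define PIDHASH(pid) ((pid) & (PIDHASH_SIZE - 1))

struct proc {
    int          p_pid;
    const char  *p_comm;
    struct proc *list_next;   /* LIST_ENTRY(proc) p_list: le_next */
    struct proc **list_prev;  /* le_prev: address of the pointer that points at us */
    struct proc *hash_next;   /* pidhash chain (singly linked in the model) */
};

static struct proc *allproc;                  /* LIST_HEAD: first element */
static struct proc *pidhash[PIDHASH_SIZE];    /* what pfind()/kill() consult */

/* Mirror of LIST_INSERT_HEAD(&allproc, p, p_list). */
static void allproc_insert(struct proc *p) {
    p->list_next = allproc;
    if (allproc) allproc->list_prev = &p->list_next;
    allproc = p;
    p->list_prev = &allproc;
}

/* Make a process visible everywhere the kernel indexes it. */
void proc_publish(struct proc *p) {
    allproc_insert(p);
    p->hash_next = pidhash[PIDHASH(p->p_pid)];
    pidhash[PIDHASH(p->p_pid)] = p;
}

/* DKOM hide: LIST_REMOVE(p, p_list), stitching the neighbours around p.
 * The pid hash is left alone on purpose: removing it there breaks kill/waitpid
 * on the pid, which is itself conspicuous. */
void dkom_hide_proc(struct proc *p) {
    if (p->list_next) p->list_next->list_prev = p->list_prev;
    *p->list_prev = p->list_next;
    /* p's own links still point into the list; see the note after the block. */
}

/* Undo the hide so the list is consistent again before the process exits. */
void dkom_unhide_proc(struct proc *p) { allproc_insert(p); }

/* What ps / proc_listpids see: a walk of allproc. */
int allproc_count(void) {
    int n = 0;
    for (struct proc *p = allproc; p; p = p->list_next) n++;
    return n;
}
int allproc_has_pid(int pid) {
    for (struct proc *p = allproc; p; p = p->list_next)
        if (p->p_pid == pid) return 1;
    return 0;
}

/* What pfind() uses: the pid hash. */
struct proc *pfind_model(int pid) {
    for (struct proc *p = pidhash[PIDHASH(pid)]; p; p = p->hash_next)
        if (p->p_pid == pid) return p;
    return NULL;
}

/* Cross-view detection: every proc reachable from the hash must also be on
 * allproc. Returns how many are not; stores the first such pid if asked. */
int detect_hidden(int *hidden_pid) {
    int n = 0;
    for (int b = 0; b < PIDHASH_SIZE; b++)
        for (struct proc *p = pidhash[b]; p; p = p->hash_next)
            if (!allproc_has_pid(p->p_pid)) {
                if (n == 0 && hidden_pid) *hidden_pid = p->p_pid;
                n++;
            }
    return n;
}

/* Constructed sample: three processes, published so pid 1337 sits mid-list. */
static struct proc procs[3] = {
    { .p_pid = 1,    .p_comm = "launchd" },
    { .p_pid = 42,   .p_comm = "sshd" },
    { .p_pid = 1337, .p_comm = "evil" },
};

/* Hide pid 1337 and return what a list walk reports afterwards (2 of 3). */
int dkom_demo(void) {
    allproc = NULL;
    memset(pidhash, 0, sizeof pidhash);
    proc_publish(&procs[0]); proc_publish(&procs[2]); proc_publish(&procs[1]);
    dkom_hide_proc(&procs[2]);
    return allproc_count();
}

int main(void) {
    int pid = 0;
    printf("visible after hide: %d\n", dkom_demo());                 /* 2 */
    printf("pfind(1337) still works: %s\n", pfind_model(1337) ? "yes" : "no");
    printf("hidden procs detected: %d (pid %d)\n", detect_hidden(&pid), pid);
    return 0;
}
```

The hidden entry keeps its old `list_prev`/`list_next` pointers, so if the kernel later runs its own `LIST_REMOVE` on that proc (at exit) it writes through stale pointers; a hider therefore has to relink before exit or intercept the exit path, and on a real kernel all of this happens under the process list lock. The detector works only because the hider left the pid hash intact; a rootkit that also scrubs the hash breaks signals and `waitpid` for the pid, which is the trade-off the cross-view check relies on.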

##### Back to Hook & Inject methods