Infecting the Mach-o Object Format (presentation)
Contents
- 2. Introduction Who am I? Neil Archibald, Senior Security Researcher @ Suresec
- 3. Myth! Mac OSX is NOT immune to viruses or worms.
- 4. Infection Virus != Worm Infection is the process of injecting parasite
- 5. What is an Object Format? An object format is a file
- 6. Introduction to Mach-o Object format used on operating systems which are
- 7. Mach-o Layout 3 main regions, header, load commands and sections. Each
- 8. Mach-o Header Header structure found in /usr/include/mach-o/loader.h Magic number as mentioned
- 9. Load Commands Each of the various load commands begin with the
- 10. LC_SEGMENT Specifies a portion of the file which is to be
- 11. LC_THREAD Thread commands hold the initial state of the registers when
- 12. Sections Sections have corresponding parent Segment commands. Multiple sections for one
- 13. Common Segment/Section Pairs __TEXT,__text: Generally stores executable machine code. __DATA,__data: Initialized
- 14. Common S/S Pairs continued… __DATA,__const: Used to store relocatable constant variables.
- 15. Tools otool: Kind of like objdump and ldd. Useful for dumping
- 16. HTE Free tool for manipulating object files. Makes changing object
- 17. Concatenation method The first time I saw this was in b4b0
- 18. Concatenation method continued…. To use this situation in order to an
- 19. Concatenation method continued…. Trivial to implement on Mac OS X. Process
- 20. Resource fork infection Mac OS X file system is called HFS+.
- 21. Resource fork infection continued To use this in order to infect
- 22. Resource fork infection continued My implementation of this technique is available
- 23. Thread entry point. The entry point for the initial thread can
- 24. Alternate ways to hook entry-point Changing the entry point can easily
- 25. A.W.T.H.E.P Continued… Firstly we change the flags of the constructor to
- 26. Storing code … Now that we have room for a pointer,
- 27. Storing code… Now that our headers have been set up, we
- 28. Finished Infection
- 29. Kernel Infection Kernel extensions consist of an *.ext/ directory which contains
- 30. Objective-C Runtime Architecture Many of the larger applications on Mac OS
- 31. Method Swizzling Method swizzling was pointed out to me by Braden
- 32. Method Swizzling continued… The website: http://www.cocoadev.com/index.pl?MethodSwizzling shows an implementation of this
- 33. Class Posing Class posing is a “feature” of the objective-c runtime
- 34. Infecting libobjc.A.dylib As mentioned earlier the libobjc.A.dylib library is linked with
- 35. Universal Binaries (FAT) Mac OS X moving to x86 from ppc.
- 36. Infecting Universal Binaries Best method is to infect each of the
- 37. fat_header All FAT universal binaries begin with the fat_header struct. This
- 38. fat_arch Each fat_arch struct contains information about each of the files
- 39. fm-unipack Trivial tool I wrote for manipulating universal binaries. Demonstrates
- 40. Kernel Panics Many of my ideas for binary infection were cut
- 41. Anti-Debugging Techniques OS X implements a ptrace() command called “PTRACE_DENY_ATTACH”. When
- 42. Anti-debugging techniques.. cont An example of one of these bugs is
- 43. Conclusion Hopefully now you can see that Mac OS X, like
- 44. Quotes "I am not and never was sold on "webtv" for
- 45. References
  - http://en.wikipedia.org/wiki/Object_code
  - http://en.wikipedia.org/wiki/Computer_virus
  - http://en.wikipedia.org/wiki/Mach-O
  - http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/MachORuntime.pdf
  - http://developer.apple.com/documentation/MacOSX/Conceptual/universal_binary/
  - http://www.l0t3k.org/biblio/magazine/english/b4b0/0009/b4b0-09.txt
  - http://braden.machacking.net/bundle.html
- 46. References
  - http://developer.apple.com/documentation/Cocoa/Conceptual/ObjectiveC/RuntimeOverview/chapter_4_section_1.html
  - http://www.cocoadev.com/index.pl?ClassPosing