Regarding instrumentation, I map all KPIs exported from kernel to user-defined methods. Finally, I can go into the entry of the driver. Then I run emulation for preprocessing such as ::attach, ::probe, or kmod_info. I also create some vnode and credential objects. The same thing I will do for allproc symbol on kernel space. I setup mac_policy_list by allocating a new object in the emulator engine and fill the address in target on kernel space. Before emulating the driver, some objects/context under kernel space should be initialized.
#Rootkit scanner for mac driver#
Next, a driver will run from its initial function, and this entry address can be extracted from the binary symbol, for IOKit driver is ::start method, and for the generic driver is the address stored in _realmain symbol. Note that kernel releases its KPIs through some dependencies, so It is necessary to create junk code as a kind of indirection calling. Besides, like a normal application, I also have to resolve local symbols and some other dynamic symbols of KEXT. Now I can access all implemented code of KPIs from the kernel. Because the kernel is also a MachO executable binary, as well as the main component of KEXT, so I can load all of their Segment64 to emulator engine.
In order to emulate the driver, I decided to load both kernel and kernel extensions together.
#Rootkit scanner for mac full#
In general, rootkit plays a role as a driver then it gets full power features from KPI. Some interesting information can be gathered from ist inside the bundle. The kernel extension is a bundle of files, and the kernel loads it from external space.
#Rootkit scanner for mac drivers#
Like other operating systems, macOS needs drivers to control devices, they are called Kernel Extensions or Kexts. The kernel usually exposes its interface, a.k.a KPI, to let users use its functionality, and all of them are implemented inside the kernel code. The kernel format also belongs to the MachO executable file. The macOS kernel is officially known as XNU, which is a hybrid kernel combined from Mach kernel and BSD kernel. The presentation is now available here.įirst, let see how a rootkit is loaded into the kernel. This research is a part of our publication at BlackHat USA 2020.
In this research, I use Qiling Framework as the main emulator ( give him stars on Github ? ). This limitation forces security researchers to turn to static analysis, which however proved to be very tricky & time consuming. Unfortunately, dynamic analysis solutions for kernel rootkits are severely lacking indeed, most existing dynamic tools are just built for userspace code (ring 3), but not for Operating System (OS) level. Operating at ring 0, the highest privilege level in the system, this super malware has unrestricted power to control the whole machine, thus can defeat all the defensive and monitoring mechanisms. Kernel rootkit is considered the most dangerous malware that may infect computers.
0 kommentar(er)
