Transcription
Mac OS X Physical MemoryAnalysisNetherlands Forensic Institutewww.forensicinstitute.nlMatthieu SuicheBlackHat DC – February 2010
Who am I?Researcher for the Netherlands Forensics Institute (NFI).Microsoft Enterprise Security MVPSpeaker at various security events, such as PacSec,BlackHat USA, Europol High Tech Crime Meeting,Shakacon, etc.Past work: SandMan Framework (Windows hibernation file) Win32/64dd (Windows memory acquisition utility).
AgendaIntroductionAnalysis
Who ?Forensics ExpertsInvestigatorsIncident Response Engineers
Why ?Pros:1. Sometimes non-volatile memory is not enough,then we need volatile memory (Physical Memory).Cons:1. Very complex.2. Lack of research.
dFile SystemMachineinformationSyscallsRootkitDetection
TargetIntel Processor (x86/x64)Mac OS X Leopard 10.5Mac OS X Snow Leopard10.6
Software-based acquisition/dev/memCons: Disabled by default.Pros: We can write our owndriver.Hibernation a.k.a. “safe sleep”Pros: Present on all modern O.S.Cons: Compressed, and can beencrypted if secure virtualmemory mechanism is used.(hibernatemode 5)
AgendaIntroductionAnalysis
AnalysisGoal: To avoid random string searching.To be precise and efficient.
Information dFile etectionpresentatie
AnalysisGet kernel symbols.Initialize kernel memorymanager.Browse kernel virtualaddress space.Collect information.
Kernel SymbolsWindows compiler stores symbols in externals files called*.PDBMac OS X compiler stores symbols inside a section whichis part of the executable.Mac OS X kernel executable (mach kernel) as symboldatabase.
Kernel SymbolsWhy?KLD, LINKEDIT, PRELINK and symtab kernelsections are destroyed as soon as the kernel (mach kernel) isloaded by removeKernelLinker() function.What?LINKEDIT section contains variable names and offsets.
Kernel SymbolsQuick Kernel Virtual To Physical Address Formula is:Operating SystemQuick translation Formulai386 LinuxKPA KVA – 0xC0000000Playstation 3 LinuxKPA KVA – 0xC000000000000000WindowsKPA KVA & 0x1FFFF000Mac OS XKPA KVANow we can read variables from the symbol section in the physicalmemory.25/01/2010presentatie
Kernel SymbolsWorks only for the mapped executable kernel ( text and datasections)Does not work for allocated buffers.data interesting exported variables:Memory manager variables
Memory ManagerSuper interesting variablesIdlePDPTIdlePDPT64IdlePML4IdlePTDPage Map Level 4 is initialized on x86 versioneven if x86 only use PAE.
PML4 ?Page Map Level 4 paging method.Supports 48-bits linear/virtual addresses.Intel 64 and IA-32 Architectures Software Developer's ManualVolume 3A: System Programming Guide4.5 IA-32E Paging
PML4Linear/Virtual AddressPML4Directory PtrDirectoryTableOffsetPhys. Addr.PTEPDE with PS 0PDPTEPML4EIdlePML4
InformationNow, we can browse the kernel virtual address space.
Machine ntedFile etectionpresentatie
Machine Informationversion variable contains a string with kernel version andcompilation timemachine info variable / structure contains:Field NameDescriptionmajor versionMajor OS Versionminor versionMinor OS Versionmax memPhysical Memory sizephysical cpuNumber of physical CPUlogical cpuNumber of logical CPU
Machine Information25/01/2010presentatie
Mounted File ile etectionpresentatie
Mounted File SystemLink-list called mountlist, defined by mount structure.Field NameDescriptionf fstypenameFile system typef mntonnameMounted directoryf mntfromnameMounted file system
Mounted File System
Kernel tedFile etectionpresentatie
Kernel Extensionskmod variable is the list-head of every loadedkernel extensions defined by kmod structure.Field NameDescriptionaddressBase AddresssizeTotal Sizehdr sizeHeader SizenameExtension NameversionVersionnextPointer to the next entry
Kernel Extensions25/01/2010presentatie
edFile etectionpresentatie
Processeskernproc variable is list-head of every BSD processesdefined by proc structure.Contains PID, Parent PID, open files (file descriptors),children, threads, name and a pointer (p pgrp field) toprocess group (pgrp structure).pgrp structure contains a pointer to session structure(pg session field).session structure contains username (s login field)who launched the process.
Processes
dFile etectionpresentatie
Syscalls Syscall address is not exportedLeopardAs explained by Jesse D’Aguanno at BH US 2008&sysent &nsysent 0x20Snow Leopard&sysent &nsysent – ((nsysent) * sizeof(sysent))25/01/2010presentatie
dFile etectionpresentatie
SyscallsIf an offset from a syscall entry is not in kernel symbols.Then, this is not normal Easy & Fast
DEMO
Special thanks to Dino Dai Zovi (Co-Author of The Mac Hacker's Handbook) Vincenzo Iozzo
Thanks for your attentionQUESTIONS ?
Initialize kernel memory manager. Browse kernel virtual address space. Collect information. Kernel Symbols Windows compiler stores symbols in externals files called *.PDB Mac OS X compiler stores symbols inside a section which is part of the executable. Mac OS X kernel ex
