Advancing Mac OS X Rootkit Detec on
Andrew Case (@attrc)
Volatility Foundation
Golden G. Richard III (@nolaforensix)
University of New Orleans
2 hot research areas State of Affairs more established
Live Forensics and Tradi onal Storage Memory Analysis Forensics
Digital Forensics
Reverse Engineering Incident Response
Increasingly encompasses all the others Copyright 2015 by Andrew Case and Golden G. Richard III 3 Where’s the Evidence?
Files and Filesystem Applica on Windows Deleted Files metadata metadata registry
Print spool Hiberna on Temp files Log files files files
Browser Network Slack space Swap files caches traces
RAM: OS and app data Vola le Evidence structures
Copyright 2015 by Andrew Case and Golden G. Richard III 4 Vola le Evidence
1 011 01 1 0 1 111 0 11 0 1 0 1 0 10 0
1
0 1
1 1 0 0 1 0 1 1 0 0 1
Copyright 2015 by Andrew Case and Golden G. Richard III 5 Awesomeness Progression: File Carving
Can carve Chaos: files, but More can't Faster Almost not very accurate Hurray! carve files well
Tools Manual File type Fragmenta on, appear, Mul threading, hex editor aware damned but have be er design stuff carving, et al spinning disks! issues
Images: h ps://easiersaidblogdotcom.files.wordpress.com/2013/02/hot_dogger.jpg h p://cdn.bigbangfish.com/555/Cow/Cow-6.jpg, h p://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg h p://i5.walmar mages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg Copyright 2015 by Andrew Case and Golden G. Richard III 6 Awesomeness Progression: Memory Forensics
Pioneering Chaos: More, efforts Beyond run more, show great Windows ?? strings? more promise
pt_finder et al More a en on Manual, Mac, … awesome but to malware, run strings, Linux, BSD li le context limited filling in the gaps func onality
Images: h ps://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg,, h p://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg h p://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg, h p://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg Copyright 2015 by Andrew Case and Golden G. Richard III 7 Memory Analysis: 2004
$ grep –i murder /dev/mem
I loved Sally, but I murdered her in the park on… Murder Murderer! Blood is on your shoulders! Murderous You murdered my hamster! Murdered
Copyright 2015 by Andrew Case and Golden G. Richard III 8 Memory Analysis: Then
• strings – essen ally no tools besides this, circa 2004 • pt_finder (~2006) – Windows process and thread enumera on • FACE (~2008) – Memory analysis framework created at UNO – Correlates evidence in memory, network stack, network traces, filesystem – A bit closer to a framework rather than one-off tools • … Copyright 2015 by Andrew Case and Golden G. Richard III 9 Memory Analysis: Now
Capture RAM • physical memory dumping tool from live • VM memory snapshot system • VM introspec on
• strings Analyze • carving Memory Dump • Vola lity • VM introspec on
Expose OS and • to yield useful Applica on evidence Data Structures
Copyright 2015 by Andrew Case and Golden G. Richard III 10 Memory Analysis: Now
Use plugins to analyze: Running processes Hidden processes Hooks that hide malware Network connec ons Encryp on keys Private browsing data Clipboard data Vola le registry branches Command history Window hierarchy + "easily" develop new plugins Copyright 2015 by Andrew Case and Golden G. Richard III 11 Detec ng Hidden Resource U liza on
• Adversary: Direct Kernel Object Manipula on (DKOM) • Strategy: Deep analysis and cross-correla on of data kernel data structures to reveal hidden resource u liza on
PID = 2260
Doubly-linked process list in Windows kernel
Processes con nue to run because Windows C:\> fu –ph 2260 scheduler handles threads, not processes
PID = 2260
Copyright 2015 by Andrew Case and Golden G. Richard III 12
Copyright 2015 by Andrew Case and Golden G. Richard III 13
FU on PID 2260
DKOM Hidden Process Detec on in Vola lity
Copyright 2015 by Andrew Case and Golden G. Richard III 14 Windows, Mac, Linux
• Windows and Linux memory forensics techniques are fairly mature • Lots of func onality • More work to do, but good malware / rootkit detec on • > 115 Windows plugins for Vola lity • ~60 Mac plugins for Vola lity – Some tackle the same thing on the BSD / Mach sides • Mac OS X stuff lags behind and we're trying to fix that • Requires OS internals work, which we both like
Copyright 2015 by Andrew Case and Golden G. Richard III 15 Mac OS X
• Many APIs similar to those on Windows and Linux are commonly abused by malware on other pla orms • Exis ng Mac plugins do not check these subsystems • In addi on, many Mac-specific features are vulnerable to abuse by rootkits / malware • These aren't addressed by exis ng memory forensics tools, either
Copyright 2015 by Andrew Case and Golden G. Richard III 16 Facility: Kernel Event Callbacks
• Use: Allows registra on of callbacks to be executed before specific events occur, e.g., process execu on, system shutdown, hiberna on, et al • Abuse: Prevent security tools from loading, inject code into process before it can start, maintain persistence during reboot or shutdown • Windows API: PsSetCreateProcessNotifyRoutine • Windows detec on plugin: callbacks
Copyright 2015 by Andrew Case and Golden G. Richard III 17 Mac OS X Power Related Events
• On Mac OS X, IOKit provides an API to register interest in power-related events • Callback is triggered for no fica on – kIOMessageSystemWillPowerOff – kIOMessageSystemWillRestart – kIOMessageSystemWillSleep – kIOMessageDeviceHasPoweredOn – … • Defined in iokit/IOKit/IOMessage.h
Copyright 2015 by Andrew Case and Golden G. Richard III 18 mac_interest_handlers Plugin
• Find root of IOKit device tree • Walk tree and check for power-related interests, stored in IORegistryEntry structures • Enumerate handlers in associated IOCommand structure and verify that handlers are: – in code sec on of running kernel --or-- – in address space of a loaded kernel extension • Marked suspicious if not • Importantly: loca on of handler also hints at malware loca on • Can then target specific regions of memory and examine
Copyright 2015 by Andrew Case and Golden G. Richard III 19 Facility: Driver ßà Userland Communica on
• Use: Provide an interface for userland processes to request services from a kernel driver (read, write, change configura on, etc.) • Abuse: Provides a mechanism for a userland component to hide data, protect files, communicate with kernel-level malware • Linux API: devfs, ioctl • Linux detec on plugin: linux_check_fop
Copyright 2015 by Andrew Case and Golden G. Richard III 20 Mac OS X Driver Communica on
• Mac OS X provides several mechanisms for drivers to communicate with user space – IOKit APIs that allow userspace to search for interes ng devices – devfs • For this talk, look only at devfs • Tradi onal filesystem interface • Device registers handlers for open(), close(), read(), write(), ioctl(), etc.
Copyright 2015 by Andrew Case and Golden G. Richard III 21 Crisis: Notorious Mac OS X Malware
• Patches Ac vity Monitor to hide • Takes screenshots • Captures audio • Captures video • Connects to WiFi hotspots to transmit collected data • Basically, all the stuff you're scared malware will do to you
Copyright 2015 by Andrew Case and Golden G. Richard III 22 Crisis
• Legi mate device: /dev/pmCPU • "Evil" Crisis device: /dev/pfCPU • Kernel components live behind this device • Userspace components of Crisis use ioctl() calls to communicate with kernel components • Lots of complex hiding mechanisms in Crisis • Quickly loca ng handlers for kernel module can help direct sta c analysis
Copyright 2015 by Andrew Case and Golden G. Richard III 23 mac_devfs plugin
"Good" mdworker is associated with Spotlight search indexing. This "evil" one can now be dumped and analyzed.
Copyright 2015 by Andrew Case and Golden G. Richard III 24 Facility: Kernel Timers
• Use: Register callback to be executed a er a certain amount of me • Abuse: Allow malicious code to run periodically without needing to hook func ons, check persistence, check C&C server status, periodically exfiltrate data • Windows API: KeSetTimer • Windows detec on plugin: timers
Copyright 2015 by Andrew Case and Golden G. Richard III 25 mac_timers Plugin
• Timer data is stored in per-CPU variables • Plugin analyzes cpu_data structure for each processor • cpu_data->rtclock_timer maintains queue of mers • For each mer, output: – Registering module – Time to elapse – Address of each parameter – Address of handler func on – Suspicious? Copyright 2015 by Andrew Case and Golden G. Richard III 26 Facility: Userland Event Monitoring
• Use: Allows userland processes to monitor events on files, processes, signals, etc. • Abuse: Stop processes from execu ng, determine when security tools are installed, detect when persistence mechanisms are removed • Windows API: FindFirstChangeNotification, RegNotifyChangeKeyValue – FILE_NOTIFY_CHANGE_FILE_NAME – FILE_NOTIFY_CHANGE_SIZE • Windows/Linux detec on plugins: None (hint)
Copyright 2015 by Andrew Case and Golden G. Richard III 27 KQueue Monitoring
• Mac OS X facility that dates back to FreeBSD 4.1 • Use: Monitor file events, process crea on, signals, etc. • Abuse: Prevent processes from loading, react to process termina on, etc. • Interfaced from userland through kqueue and kevent • man kqueue / man kevent
Copyright 2015 by Andrew Case and Golden G. Richard III 28 mac_kevents Plugin
• Enumerates all kevent structures… • …(data structures kung fu in the paper)… • …in the kernel and reports: – Which processes are being monitored (by PID) and which events are being monitored (fork, exec, exit, etc.) – Which file descriptor opera ons (delete, write, rename, etc.) are being monitored and by whom – … • kqueue/kevent use is pervasive • Burden is largely on the inves gator to figure out what's cool and what's not • If you have be er ideas, share or hack! Copyright 2015 by Andrew Case and Golden G. Richard III 29 mac_kevents
Copyright 2015 by Andrew Case and Golden G. Richard III 30 mac_lsof
Copyright 2015 by Andrew Case and Golden G. Richard III 31 Facility: File System Monitoring
• Use: Provide an interface for userland processes to request services from a kernel driver (e.g., read X bytes from file Y) • Abuse: Provides a mechanism for a userland component to closely monitor filesystem opera ons, hide data, prevent modifica ons to data • Windows API: FindFirstChangeNotification • Windows/Linux detec on plugins: None!
Copyright 2015 by Andrew Case and Golden G. Richard III 32 Mac Filesystem Hooking: Another Facility
• Userland tools can monitor file system ac vity by issuing ioctl() calls against /dev/fsevents • The registered callback will be executed upon file crea on, dele on, renaming, and more • See: h p://osxbook.com/so ware/fslogger/ • Unlike many of the other facili es we've examined, this one is private and intended for use by Spotlight • Limited number of "subscribers" is supported
Copyright 2015 by Andrew Case and Golden G. Richard III 33
Copyright 2015 by Andrew Case and Golden G. Richard III 34 Final Thoughts • We now have a solid founda on in memory forensics, with Vola lity, Rekall, et al • Focus on mining remaining sources of kernel / applica on data with a special emphasis on malware mi ga on • Work like this is largely "minding the gap" hacking, but it's s ll important • Be old and have tenure (me) or be famous (Andrew) first? • Your choice J ? [email protected] / @nolaforensix [email protected] / @attrc Copyright 2015 by Andrew Case and Golden G. Richard III