Playing Hide and Seek with Rootkits in OS X Memory, presented at FIRST 2014

by Cem Gurkok

Summary: The OS X kernel has become a popular target for attackers. Existing tools detect the obvious OS X rootkit techniques, such as executable substitution or direct modification of kernel functions and syscall table entries (e.g. the Rubilyn rootkit). More advanced rootkits use techniques that are considerably harder to detect: function inlining, DTrace hooks, call reference modification, shadow syscall tables and modified TrustedBSD policy tables. In this presentation I will explore how these techniques are used to attack various kernel objects and how the resulting modifications can be detected in memory using the Volatility Framework. The presentation will include demonstrations of manipulating a live system and then detecting the manipulation with the new Volatility Framework plugin.
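To make the detection idea concrete, here is an added, self-contained model of how a memory-forensics check for two of the techniques named above (a shadow syscall table and redirected sysent entries) can work. It is example code written for this page, not the author's Volatility plugin. The "memory image", the kernel addresses, the handler addresses and the symbol map are all constructed, hypothetical values; only the 40-byte x86_64 layout of XNU's struct sysent (int16 sy_narg, int8 sy_resv, int8 sy_flags, three pointers, int32 sy_return_type, uint16 sy_arg_bytes) is taken from the kernel source. The check does three things a practitioner would want: it compares the table pointer the dispatcher actually uses against the address of the sysent symbol (a shadow table lives elsewhere), it flags any sy_call pointer outside the kernel __TEXT range (a handler in a wired allocation), and it resolves each in-range sy_call against the symbol map so that an entry swapped to a different legitimate kernel function is still caught.

```python
"""Toy model of detecting syscall-table hooks in an OS X memory image.

Constructed example: the image contents, addresses and symbol map are
invented for illustration. The struct layout follows XNU's `struct sysent`
on x86_64 (padded to 40 bytes).
"""
import struct

SYSENT_FMT = "<hbb4xQQQiH2x"   # sy_narg, sy_resv, sy_flags, pad, 3 pointers, sy_return_type, sy_arg_bytes, pad
SYSENT_SIZE = struct.calcsize(SYSENT_FMT)   # 40 bytes

# Hypothetical kernel layout used by this example.
TEXT_START, TEXT_END = 0xffffff8000200000, 0xffffff8000800000
SYSENT_SYMBOL = 0xffffff8000a01000   # address of `sysent` according to the kernel symbol table
SHADOW_TABLE = 0xffffff80a0100000    # attacker's copy of the table in a wired allocation
HOOK_ADDR = 0xffffff80a0200000       # rootkit handler, outside kernel __TEXT

# Known-good sy_call targets, as a symbol map would provide (hypothetical addresses).
KNOWN_HANDLERS = {
    0: ("nosys", 0xffffff8000201000),
    1: ("exit", 0xffffff8000201100),
    2: ("fork", 0xffffff8000201200),
    3: ("read", 0xffffff8000201300),
    4: ("write", 0xffffff8000201400),
    5: ("open", 0xffffff8000201500),
}
NSYSENT = len(KNOWN_HANDLERS)


def pack_entry(sy_call, narg=3):
    """Serialize one sysent entry; munge pointers and return type are zeroed."""
    return struct.pack(SYSENT_FMT, narg, 0, 0, sy_call, 0, 0, 0, narg * 8)


def build_table(overrides=None):
    """Build a table from the known handlers, optionally redirecting some entries."""
    overrides = overrides or {}
    return b"".join(pack_entry(overrides.get(i, addr))
                    for i, (_, addr) in sorted(KNOWN_HANDLERS.items()))


def build_image():
    """Constructed 'memory image': the real sysent is intact, the shadow copy is hooked.

    In the shadow copy, write (4) is redirected to the legitimate read handler and
    open (5) to the rootkit's own handler outside __TEXT.
    """
    return {
        SYSENT_SYMBOL: build_table(),
        SHADOW_TABLE: build_table({4: KNOWN_HANDLERS[3][1], 5: HOOK_ADDR}),
    }


def read(image, addr, size):
    """Read `size` bytes at `addr` from the region map; raise on unmapped memory."""
    for base, blob in image.items():
        if base <= addr and addr + size <= base + len(blob):
            off = addr - base
            return blob[off:off + size]
    raise ValueError("unmapped read at 0x%x" % addr)


def parse_sysent(image, table_addr, nsysent):
    """Walk `nsysent` entries starting at `table_addr` and decode the fields we need."""
    entries = []
    for i in range(nsysent):
        raw = read(image, table_addr + i * SYSENT_SIZE, SYSENT_SIZE)
        narg, _resv, _flags, sy_call, _m32, _m64, _rtype, _argbytes = struct.unpack(SYSENT_FMT, raw)
        entries.append({"index": i, "narg": narg, "sy_call": sy_call})
    return entries


def check_sysent(image, dispatcher_table_ptr, nsysent):
    """Return a list of (kind, index, detail) findings for the table the dispatcher uses."""
    findings = []
    # 1. Shadow table: the pointer the syscall dispatcher dereferences should be the symbol itself.
    if dispatcher_table_ptr != SYSENT_SYMBOL:
        findings.append(("shadow_table", None,
                         "dispatcher uses 0x%x, symbol sysent is at 0x%x"
                         % (dispatcher_table_ptr, SYSENT_SYMBOL)))
    by_addr = {addr: name for name, addr in KNOWN_HANDLERS.values()}
    for e in parse_sysent(image, dispatcher_table_ptr, nsysent):
        name, expected = KNOWN_HANDLERS[e["index"]]
        # 2. Handler outside kernel __TEXT: a hook living in a rootkit allocation.
        if not TEXT_START <= e["sy_call"] < TEXT_END:
            findings.append(("outside_text", e["index"],
                             "%s -> 0x%x is outside __TEXT" % (name, e["sy_call"])))
        # 3. In-range but wrong symbol: a range check alone would miss this.
        elif e["sy_call"] != expected:
            findings.append(("wrong_symbol", e["index"],
                             "%s -> %s" % (name, by_addr.get(e["sy_call"], "unknown"))))
    return findings


if __name__ == "__main__":
    img = build_image()
    for kind, idx, detail in check_sysent(img, SHADOW_TABLE, NSYSENT):
        print(kind, idx, detail)
```

Against a real image the same logic would read the dispatcher's table pointer out of the decompiled syscall entry code, take the sysent address and __TEXT bounds from the kernel's symbols and Mach-O segments, and walk nsysent entries from the kernel's own `nsysent` variable rather than a constant. The wrong-symbol check is what catches call reference modification that stays inside the kernel's text.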