Reverse Engineering OS X drivers
Egor Fedoseev
May 21, 2014
PHDays, Moscow

Why do we need that
● OS X market share grows over time
● Kernel-land malware is scary
● Porting drivers, of course

About presentation
#OSX, #C++, #IDA, #DWARF, #Python
Not exactly rocket science. I just haven't seen a simple OS X driver reverse engineering tutorial yet.

About presentation
● OS X kernel overview
● Drivers overview
● Reverse engineering a driver, facing problems
● Solving problems

OS X kernel
● Hybrid XNU kernel (Mach + BSD + IOKit)
● Microkernel Mach
● BSD for unixness (POSIX, process model, network stack, access control, filesystems, etc.)
● IOKit for drivers

IO Kit
● C++ subset
● Multithreaded
● Power management, driver management, driver layering, driver interface
● Drivers, families, nubs
● Registry & Catalog
● Class hierarchy

Kernel extensions
● /System/Library/Extensions
● /Library/Extensions (codesigned)
● Application bundle: Contents/Info.plist, Contents/MacOS/, Contents/PlugIns
● Ordinary Mach-O file

Reverse engineering a driver
● http://opensource.apple.com/
● IDA
● Hopper
● kextstat, kextlibs, kextutil
● otool
● dwarfdump
● ...

Problems
● 10.9+ — x86-64 only
● Any IDA prior to 6.5 fails to parse relocations
● Heavily C++ — fields and virtual methods

What can we do?
● Fix relocations
● Parse VMTs to get class structures
● Process dependencies
● Kernel type library

Relocations
● No comprehensive Python library to parse Mach-O files
● Look for LC_SYMTAB, LC_DYSYMTAB
● Hopper and otool handle relocations just fine.

VMT
● Luckily, vtables are exported symbols
● Process relocations, look for '_ZTV' (the Itanium C++ ABI vtable prefix)
● An easy way to import them into IDA is to serialize the data into a C header file
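As an added example (not code from the slides), a minimal stdlib-only Mach-O walker for the Relocations and VMT steps above: it finds LC_SYMTAB in a kext, reads the nlist_64 symbol table and collects the exported `_ZTV` vtable symbols with their addresses. The kext image, the class names and the addresses are constructed inline; relocation processing is not shown.

```python
import re
import struct

MH_MAGIC_64, LC_SYMTAB = 0xFEEDFACF, 0x2       # 64-bit little-endian magic, symtab load command
N_EXT, N_TYPE_MASK, N_SECT = 0x01, 0x0E, 0x0E  # nlist n_type bits: external, type mask, defined in a section

def build_sample_kext():
    """Constructed stand-in for a kext: mach_header_64 + one LC_SYMTAB, no segments; names are hypothetical."""
    names = [b"_ZTV11IOMyService", b"_ZTV7IOMyNub",
             b"_ZN11IOMyService5startEP9IOService", b"_kernel_thread_start"]
    strtab = b"\x00" + b"".join(n + b"\x00" for n in names)  # string index 0 is the empty string
    symoff = 32 + 24                      # nlist array follows header (32) + LC_SYMTAB (24)
    stroff = symoff + 16 * len(names)     # each nlist_64 entry is 16 bytes
    nlist, strx = b"", 1
    for i, n in enumerate(names):
        n_type = (N_SECT | N_EXT) if i < 3 else N_EXT   # first three defined, last one an undefined import
        nlist += struct.pack("<IBBHQ", strx, n_type, 1, 0, 0x10000 + i * 0x100)
        strx += len(n) + 1
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 0xB, 1, 24, 0, 0)  # x86-64, MH_KEXT_BUNDLE
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(names), stroff, len(strtab))
    return header + symtab + nlist + strtab

def iter_symbols(data):
    """Walk the load commands, locate LC_SYMTAB and yield (name, n_type, n_value) per nlist_64 entry."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SYMTAB:
            _, _, symoff, nsyms, stroff, strsize = struct.unpack_from("<6I", data, off)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):
                n_strx, n_type, _, _, n_value = struct.unpack_from("<IBBHQ", data, symoff + 16 * i)
                yield strtab[n_strx:strtab.index(b"\x00", n_strx)].decode(), n_type, n_value
        off += cmdsize

def demangle_vtable(sym):
    """Itanium ABI: _ZTV<len><name> is the vtable of <name>; nested names (_ZTVN...E) are returned raw."""
    m = re.match(r"_ZTV(\d+)", sym)
    return sym[m.end():m.end() + int(m.group(1))] if m else sym

def find_vtables(data):
    """Exported vtables defined in this image -> {class name: vtable address}."""
    return {demangle_vtable(n): v for n, t, v in iter_symbols(data)
            if n.startswith("_ZTV") and t & N_EXT and (t & N_TYPE_MASK) == N_SECT}
```

On a real kext the same walk applies to the Mach-O under Contents/MacOS/, and the returned addresses are the vtable locations to read class structures from (after relocations are applied).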

Dependencies
● kext/Contents/Info.plist
● com.apple.kpi.* -> look in mach_kernel
● otherwise look in /System/Library/Extensions or /Library/Extensions

Kernel type library
● IDA has a way to store reusable type information — TIL
● SDK utility tilib fails to parse C++ code
● dwarf2c fails to parse C++ code
● Probably the easiest way is to parse DWARF
● The DWARF parser from the elftools package is good

Useful links
● http://opensource.apple.com/
● http://reverse.put.as/
● https://developer.apple.com/library/
● python macholib
● python elftools
● python dwarf2c

That's all
github.com/binchewer
domi@hackerdom.ru