Reverse Engineering OS X drivers
Egor Fedoseev
May 21, 2014
PHDays, Moscow
Why do we need that
● OS X market share grows over time
● Kernel-land malware is scary
● Porting drivers, of course

About presentation
#OSX, #C++, #IDA, #DWARF, #Python
Not exactly rocket science. I just didn't see a simple OS X driver reverse engineering tutorial yet.

About presentation
● OS X kernel overview
● Drivers overview
● Reverse engineering a driver, facing problems
● Solving problems

OS X kernel
● Hybrid XNU kernel (Mach + BSD + IOKit)
● Microkernel Mach
● BSD for unixness (POSIX, process model, network stack, access control, filesystems, etc.)
● IOKit for drivers

IO Kit
● C++ subset
● Multithreaded
● Power management, driver management, driver layering, driver interface
● Drivers, families, nubs
● Registry & Catalog
● Class hierarchy

Kernel extensions
● /System/Library/Extensions
● /Library/Extensions (codesigned)
● Application bundle: Contents/Info.plist, Contents/MacOS/, Contents/PlugIns
● Ordinary Mach-O file

Reverse engineering a driver
● http://opensource.apple.com/
● IDA
● Hopper
● kextstat, kextlibs, kextutil
● otool
● dwarfdump
● ...

Problems
● 10.9+ — x86-64 only
● Any IDA prior to 6.5 fails to parse relocations
● Heavily C++ — fields and virtual methods

What can we do?
● Fix relocations
● Parse VMTs to get class structures
● Process dependencies
● Kernel type library

Relocations
● No comprehensive Python library to parse Mach-O files
● Look for LC_SYMTAB, LC_DYSYMTAB
● Hopper and otool handle relocations just fine.

VMT
● Luckily, vtables are exported symbols
● Process relocations, look for '_ZTV'
● Easy way to import is to serialize data into a C header file
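The Relocations and VMT steps above, as an added example that is not code from the talk: walk a 64-bit Mach-O's LC_SYMTAB for exported vtable symbols (Itanium ABI prefix `_ZTV`, which Mach-O stores with an extra leading underscore), recover the class name from the mangling, and serialise the result as a C header that IDA can import. The kext bytes are constructed inline (a mach_header_64 plus a single LC_SYMTAB); `MyDriver`, `Vendor::MyNubImpl`, the addresses and the per-class slot counts are made up, and on a real kext the relocations would have to be applied before the vtable contents are read.

```python
import re, struct

MH_MAGIC_64, MH_KEXT_BUNDLE, LC_SYMTAB, N_EXT = 0xFEEDFACF, 0xB, 0x2, 0x01

def build_sample_kext(symbols):
    """Constructed input: a minimal x86-64 Mach-O kext that carries only an LC_SYMTAB."""
    strtab, nlist = b"\x00", b""
    for name, value in symbols:  # nlist_64: n_strx, n_type (N_SECT|N_EXT), n_sect, n_desc, n_value
        nlist += struct.pack("<IBBHQ", len(strtab), 0x0E | N_EXT, 1, 0, value)
        strtab += name.encode() + b"\x00"
    symoff = 32 + 24  # sizeof(mach_header_64) + sizeof(symtab_command)
    lc = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, len(symbols), symoff + len(nlist), len(strtab))
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, MH_KEXT_BUNDLE, 1, len(lc), 0, 0)
    return hdr + lc + nlist + strtab

def find_vtables(blob):
    """Walk the load commands to LC_SYMTAB; return {mangled name: address} for exported vtables."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", blob)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O; 10.9+ kexts are x86-64 only")
    off, vtables = 32, {}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, _ = struct.unpack_from("<IIII", blob, off + 8)
            for i in range(nsyms):
                n_strx, n_type, _, _, n_value = struct.unpack_from("<IBBHQ", blob, symoff + 16 * i)
                name = blob[stroff + n_strx:blob.index(b"\x00", stroff + n_strx)].decode()
                if name.startswith("__ZTV") and n_type & N_EXT:  # Mach-O prefixes C symbols with '_'
                    vtables[name[1:]] = n_value
        off += cmdsize
    return vtables

def demangle_vtable(sym):
    """Recover Scope::Class from an Itanium-ABI vtable symbol: _ZTV<len><name> or _ZTVN<len><name>...E."""
    s, parts = sym[4:].lstrip("N"), []
    while s[:1].isdigit():
        n = re.match(r"\d+", s).group()
        parts.append(s[len(n):len(n) + int(n)])
        s = s[len(n) + int(n):]
    return "::".join(parts)

def vtable_header(vtables, slots):
    """Serialise the result as a C header IDA can import; slots[sym] is the VMT length found by walking it."""
    return "\n".join(
        f"struct {demangle_vtable(sym).replace('::', '_')}_vtbl {{ void *slot[{slots[sym]}]; }};  // {sym} @ 0x{addr:x}"
        for sym, addr in sorted(vtables.items(), key=lambda kv: kv[1]))

# Constructed sample: two IOKit-style classes plus one non-vtable symbol; addresses are made up.
SAMPLE = build_sample_kext([("__ZTV8MyDriver", 0x1000), ("_start", 0x40), ("__ZTVN6Vendor9MyNubImplE", 0x1200)])
```

Feed the emitted header to IDA's type loader and the `*_vtbl` structs become the starting point for naming the virtual-method slots of each class.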
Dependencies
● kext/Contents/Info.plist
● com.apple.kpi -> look in mach_kernel
● otherwise look in /System/Library/Extensions, /Library/Extensions

Kernel type library
● IDA has a way to store reusable type information — TIL
● SDK utility tilib fails to parse C++ code
● dwarf2c fails to parse C++ code
● Probably the easiest way is to parse DWARF
● DWARF parser from elftools package is good

Useful links
● http://opensource.apple.com/
● http://reverse.put.as/
● https://developer.apple.com/library/
● python macholib
● python elftools
● python dwarf2c

That's all
github.com/binchewer
domi@hackerdom.ru