Sunday, June 9, 2013

MOVP II - 4.4 - What's in Your Mac OSX Kernel Memory?

Today's post will discuss a number of plugins that can retrieve forensically interesting information from within the kernel. Keep in mind, you can also use mac_yarascan to search kernel memory with yara signatures and you can use mac_volshell as an interactive tool to print kernel data structures, display kernel memory addresses as bytes, dword, qwords, or disassemble code in kernel space.


This plugin lists the loaded kernel extensions, their base addresses and size, reference count, and version number.

Note: The last several entries in the output of this plugin will likely have no base address and size. These represent the 'dummy' drivers that Mac loads as the system startup and do not correspond to real kernel modules.

$ python --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_lsmod
Volatile Systems Volatility Framework 2.3_alpha
Address                          Size   Refs   Version      Name
------------------ ------------------ -------- ------------ ----
0xffffff7f91847000             0x3000    0     3.0.2        com.atc-nycorp.devmem.kext
0xffffff7f91841000             0x6000    0     10.1.24      com.vmware.kext.vmioplug.10.1.24
0xffffff7f91834000             0xd000    0     0104.03.86   com.vmware.kext.vmx86
0xffffff7f9182a000             0xa000    0     0104.03.86   com.vmware.kext.vmnet
0xffffff7f9181a000            0x10000    0     90.4.23      com.vmware.kext.vsockets
0xffffff7f91808000            0x12000    1     90.4.18      com.vmware.kext.vmci
0xffffff7f916d2000             0xe000    0     75.19


This plugin shows the mounted file systems, which is particularly useful when external media is plugged on or network shares are mounted.

$ python --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_mount
Volatile Systems Volatility Framework 2.3_alpha
Device                         Mount Point                                                  Type
------------------------------ ------------------------------------------------------------ ----
/                              /dev/disk3                                                   hfs
/dev                           devfs                                                        devfs
/net                           map -hosts                                                   autofs
/home                          map auto_home                                                autofs
/Volumes/LaCie                 /dev/disk2s2                                                 hfs


This plugin enumerates sessions from the session hash table. You can use this information to link processes to user names.

$ python --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_list_sessions
Volatile Systems Volatility Framework 2.3_alpha
Leader (Pid) Leader (Name)        Login Name               
------------ -------------------- -------------------------
           0 kernel_task                                   
         257 apsd                 _softwareupdate          
           1 launchd              _securityagent           
          -1      mike              
          11 UserEventAgent       root                     
          12 kextd                root                     
          14 notifyd              root                     
          15 securityd            root                     
          16 diskarbitrationd     root     


This plugin recovers the kernel debug buffer, which can contain a wide range of system activity, such as device insertion, hardware configurations, wireless activity, and more.

$ python --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_dmesg
Volatile Systems Volatility Framework 2.3_alpha
deny mach-lookup
MacAuthEvent en1   Auth result for: 00:26:bb:77:d2:a7  MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
wl0: Roamed or switched channel, reason #8, bssid 00:26:bb:77:d2:a7
en1: BSSID changed to 00:26:bb:77:d2:a7
en1::IO80211Interface::postMessage bssid changed
MacAuthEvent en1   Auth result for: 00:26:bb:77:d2:a7  MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1


This plugin enumerates Mac zones, which are very similar to Linux kmem_cache backed structures. You can use it to determine how many of a particular type of structure (i.e. a process object) are active and freed. For example, below you can see that 133 proc structures are active on the system. Other plugins can inherit from mac_list_zones and actually collect the addresses of each active object type, leading to a wealthy source of information regarding where to find allocated objects in memory dumps.

$ python --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_list_zones
Volatile Systems Volatility Framework 2.3_alpha
Name                           Active Count Free Count Element Size
------------------------------ ------------ ---------- ------------
zones                                   182          0          592
vm.objects                           153401    8832498          224
vm.object.hash.entries               135206     882875           40
maps                                    149      34033          232                        26463   24372727           80                  35      13164           80                             0     220097           80
pmap                                    139       7962          256
pagetable.anchors                       139       7962         4096
proc                                    133       4042         1120


This plugin prints terminated/dead processes that it gathers by leveraging the zone enumeration API. In most cases, the UID, GID, PGID, Bits, and DTB columns will show invalid data since we could be looking at partially overwritten data structures. Also please note in some rare cases, active processes are also found in this list. We are currently investigating conditions that lead to active processes showing up in the freed process object list.  We believe the cause is related to the same issue that affects mac_pslist (see the mac_pslist discussion in MoVP II - 4.1 - Leveraging Process Cross-View Analysis for Mac Rootkit Detection).
$ python --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_dead_procs
Volatile Systems Volatility Framework 2.3_alpha
Offset             Name                 Pid      Uid      Gid      PGID     Bits         DTB                Start Time
------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
0xffffff8036349760 diskmanagementd      4158     -        -        -55...11              ------------------ 2013-03-29 12:14:31 UTC+0000
0xffffff8036349760 diskmanagementd      4158     -        -        -55...11              ------------------ 2013-03-29 12:14:31 UTC+0000
0xffffff8032c60d20 lssave               4161     -        -        -55...11              ------------------ 2013-03-29 12:14:43 UTC+0000
0xffffff803dfe08e0     4146     -        -        -55...11              ------------------ 2013-03-29 12:12:59 UTC+0000
0xffffff803dfe0d40     4145     -        -        -55...11              ------------------ 2013-03-29 12:12:59 UTC+0000
0xffffff8032c62300     4147     -        -        -55...11              ------------------ 2013-03-29 12:12:59 UTC+0000


In this post we have highlighted several plugins that can be useful in a number of investigative scenarios. Tomorrow we will look at a wide range of plugins as we analyze and detect the rubilyn kernel rootkit in memory.

No comments:

Post a Comment