ratfink

macrumors member
Original poster
Feb 11, 2012
I've been messing around with intercepting system calls. Finding examples of kernel extension code that intercepts syscalls is not easy, especially on Mountain Lion. The few that I've found use a hardcoded memory address for the _nsysent variable and use that to track down sysent. From there you can replace the pointer to whatever syscall you please. The location of _nsysent can be found by running "nm -g /mach_kernel | grep _nsysent".

The value at *_nsysent should be decimal 440 (the number of system calls in Mountain Lion). I've verified that that number is stored in /mach_kernel at that address.

Using the "pt_deny_attach" kernel extension as an example (here) I defined the following items at the start of my program:

Code:
#define _NSYSENT_OSX_10_8_0_  0xffffff8000839818   /* address of _nsysent as reported by nm -g /mach_kernel */
static int *_nsysent = (int *)_NSYSENT_OSX_10_8_0_; /* treat that address as a pointer to the syscall count */

When I put the following code inside my kernel extension's "start" procedure:

Code:
printf("Found nsysent at %p\n", _nsysent);


And I put "com.apple.kpi.libkern" in the extension's plist file as an OSBundledLibrary.

Everything loads fine and I see the 0xffffff8000839818 value listed in my system logs. But when I change it to:

Code:
printf("Found nsysent at %p (count %d)\n", _nsysent, *_nsysent);

The kernel crashes hard.

As I try to access the value at _nsysent the kernel crashes. Can anyone tell me what I'm doing wrong? Could this be due to ASLR? I figured even if ASLR moved the location of _nsysent there should still be some number at that memory address that would be returned.
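
Added example (not code from the post or from the pt_deny_attach extension): Mountain Lion introduced kernel ASLR, so the address nm prints for _nsysent is the link-time (unslid) address, while the running kernel is relocated by a per-boot slide. Printing _nsysent only prints the constant, which is why the first printf works; dereferencing it touches memory at the unslid address, which is what faults when that address is not mapped. The C below models this with a constructed one-page data window, constructed nm lines and a made-up slide value (DEMO_SLIDE); how a kext obtains the real slide is not covered by the thread and is not shown here.

```c
/* Added example, not code from the thread or from pt_deny_attach. It models
 * the kernel-ASLR effect: nm reports the link-time (unslid) address of
 * _nsysent, but the running kernel is relocated by a per-boot slide, so the
 * hardcoded constant needs the slide added before it is dereferenced. The
 * "kernel" is a constructed 4 KiB buffer; a read outside it stands in for
 * the page fault that panics a real kernel. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSYSENT_10_8        440                    /* syscall count given in the post */
#define NSYSENT_OSX_10_8_0  0xffffff8000839818ULL  /* unslid nm address from the post */
#define DEMO_SLIDE          0x3400000ULL           /* constructed slide; the real one varies per boot */

/* Constructed lines in the format of "nm -g /mach_kernel" output. */
static const char DEMO_NM_OUTPUT[] =
    "ffffff80008397f0 D _nprocs\n"
    "ffffff8000839818 D _nsysent\n"
    "ffffff8000839820 D _maxproc\n";

typedef struct {
    uint64_t win_unslid;  /* unslid start of the mapped data window */
    uint64_t slide;       /* KASLR slide applied to the whole image */
    uint8_t *bytes;       /* window contents */
    size_t   size;
} fake_kernel;

/* Scan nm output for a symbol; return its unslid address, or 0 if absent. */
uint64_t nm_lookup(const char *nm_out, const char *symbol) {
    const char *p = nm_out;
    while (*p) {
        char line[256], addr[32], type[8], name[128];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%31s %7s %127s", addr, type, name) == 3 &&
            strcmp(name, symbol) == 0)
            return strtoull(addr, NULL, 16);
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Read a 32-bit value at a runtime virtual address. Returns 0 on success and
 * -1 when the address is outside the mapped window (a real kernel panics). */
int kernel_read32(const fake_kernel *k, uint64_t va, int32_t *out) {
    uint64_t lo = k->win_unslid + k->slide;
    if (va < lo || va + sizeof *out > lo + k->size) return -1;
    memcpy(out, k->bytes + (va - lo), sizeof *out);
    return 0;
}

/* Turn nm's unslid address into a runtime one and sanity-check the value
 * before trusting the pointer. Returns the runtime address, or 0 if the
 * read faults or the count is not the expected 440. */
uint64_t resolve_nsysent(const fake_kernel *k, uint64_t unslid, uint64_t slide) {
    uint64_t va = unslid + slide;
    int32_t count;
    if (kernel_read32(k, va, &count) != 0) return 0;
    return count == NSYSENT_10_8 ? va : 0;
}

/* Build the constructed kernel once: one page of data, mapped at its slid
 * address, holding the int 440 where _nsysent lands after sliding. */
const fake_kernel *demo_kernel(void) {
    static uint8_t window[0x1000];
    static fake_kernel k;
    static int ready;
    if (!ready) {
        int32_t v = NSYSENT_10_8;
        k.win_unslid = NSYSENT_OSX_10_8_0 & ~0xfffULL;
        k.slide = DEMO_SLIDE;
        k.bytes = window;
        k.size = sizeof window;
        memcpy(window + (NSYSENT_OSX_10_8_0 - k.win_unslid), &v, sizeof v);
        ready = 1;
    }
    return &k;
}

int main(void) {
    const fake_kernel *k = demo_kernel();
    uint64_t unslid = nm_lookup(DEMO_NM_OUTPUT, "_nsysent");
    int32_t v;
    printf("nm: _nsysent at %#llx (link-time address)\n", (unsigned long long)unslid);
    /* This is what the post's *_nsysent does: it dereferences the unslid constant. */
    if (kernel_read32(k, unslid, &v) != 0)
        printf("read at %#llx: fault (unmapped under kernel ASLR)\n", (unsigned long long)unslid);
    /* With the slide applied the read lands on the real variable. */
    uint64_t rt = resolve_nsysent(k, unslid, DEMO_SLIDE);
    if (rt && kernel_read32(k, rt, &v) == 0)
        printf("read at %#llx: count %d\n", (unsigned long long)rt, v);
    return rt ? 0 : 1;
}
```

The check that the value at the resolved address equals 440 is cheap and worth keeping on a real system: a wrong slide will usually fault, but a stale hardcoded address on a slightly different kernel build can just as easily land on a mapped page holding some other value, and following that as a pointer to sysent is worse than a clean panic.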
 
Unless you are an Apple Core OS software engineer, or work for a computer security firm, you should not be diddling around with intercepting syscalls in the Kernel.

There are resources out on the interwebs that will describe what you are trying to do. I have read such documents myself somewhat recently, but I won't provide details.

Most of us make a decent living supporting our favorite computer platform. We don't try to impress script-kiddies in Anonymous IRC chat rooms with our super-leet code-hacking skills.

I've been involved in the computer security field for several decades now, but your condescension is appreciated. If you're referring to the Blackhat briefings or similar talks about MacOS rootkits, those techniques do not currently work on Mountain Lion with the current linker.

I'll never understand what it is about Internet message boards that causes people to make baseless allegations against people they've never met.