In my recent research into BSD/OSX rootkits I discovered an issue with syscall hooks in OSX. This issue came about after Apple decided to stop exporting the sysent table (I wonder why), thus making it difficult to hook system calls.
The sysent table within the BSD section of the OSX kernel looks like this:
Luckily, gdbinit created a great tool for finding the sysent table address.
The bruteforcesysent tool works for all versions of OSX up to Yosemite where users will run into the error:
"[ERROR] Error while opening /dev/kmem. Is /dev/kmem enabled?\n"
This error comes from the script's inability to read and/or write /dev/kmem, regardless of whether root permissions are granted. After a bit of digging I discovered that the script in fact attempts to open /dev/kmem in O_RDWR mode, which is READ and WRITE mode. This means that in order to proceed with execution it needs to have write permissions along with read permissions. This of course is difficult on /dev/kmem, as write permissions cannot be granted (or at least, as far as my research went, I couldn't get any), meaning the line:
if((fd_kmem = open("/dev/kmem", O_RDWR)) == -1)
will always fail. With some testing and many chmods I discovered that I could grant root read permissions on /dev/kmem. This led me to think that if the script was able to read kmem it would be able to find the address of sysent. Therefore I changed the line above to read:
if((fd_kmem = open("/dev/kmem", O_RDONLY)) == -1)
This solved the issue and allowed me to bruteforce kmem and discover the address of sysent. This tool is incredibly useful for anyone attempting to use the no-longer-exported table, and I want to thank gdbinit for all the hard work he put into releasing this publicly!
Hopefully this helps some people who can't get bruteforcesysent to work on Yosemite!
P.S. I'm sure someone will be able to get write permissions on kmem, as I didn't look into it deeply; however, I was unable to. Feel free to send me an email if you figure out how, as I would love to know!
Link to the tool on gdbinit's GitHub: https://github.com/gdbinit/bruteforcesysent
gdbinit's website: https://reverse.put.as/about/
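As an added example (not part of the original post, nor of bruteforcesysent itself), here is how that open call could be written to try O_RDWR first and fall back to O_RDONLY, recording which mode actually succeeded and why the stronger one was refused, so the tool can tell the user that scanning is possible even when patching is not. The struct and function names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of opening a kernel memory device (struct/function names are this example's own). */
struct kmem_handle {
    int fd;     /* open descriptor, or -1 if neither mode worked */
    int flags;  /* O_RDWR or O_RDONLY: the mode that actually succeeded */
    int err;    /* errno of the last open() that failed, 0 if none failed */
};

/* Try O_RDWR first (needed to patch sysent), then fall back to O_RDONLY, which
 * is enough to scan for the table. The original script gave up after O_RDWR. */
struct kmem_handle kmem_open(const char *path)
{
    struct kmem_handle h = { -1, 0, 0 };
    const int modes[] = { O_RDWR, O_RDONLY };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int fd = open(path, modes[i]);
        if (fd >= 0) {
            h.fd = fd;
            h.flags = modes[i];
            return h;           /* h.err still records why O_RDWR was refused */
        }
        h.err = errno;
        if (errno == ENOENT)    /* device absent: a weaker mode cannot help */
            break;
    }
    return h;
}

/* One-line status for the operator instead of the bare "Is /dev/kmem enabled?" */
const char *kmem_describe(const struct kmem_handle *h)
{
    if (h->fd >= 0 && h->flags == O_RDWR) return "read/write";
    if (h->fd >= 0) return "read-only: scanning works, patching will not";
    if (h->err == ENOENT) return "device missing: is /dev/kmem enabled?";
    return "open failed: check ownership and mode of the device";
}

int main(void)
{
    struct kmem_handle h = kmem_open("/dev/kmem");
    printf("/dev/kmem: %s (%s)\n", kmem_describe(&h),
           h.err ? strerror(h.err) : "no error");
    if (h.fd >= 0) close(h.fd);
    return h.fd >= 0 ? 0 : 1;
}
```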