Chapter 12

Rootkits

OK, you got root; now what? So far, this book has discussed how to find vulnerabilities in computers running Mac OS X and how to exploit these holes to run code of your choosing. The last couple of chapters detailed some interesting payloads to run on victims’ computers. In this final chapter we move from controlling the user space to controlling the entire operating system by running code in the kernel. Code running within the kernel has no restrictions and can make fundamental changes to the way the operating system behaves. This allows the attacker to hide files, processes, and network connections from the normal system-administration tools. This ability makes discovering the compromise extremely difficult and makes cleaning up from the attack even more difficult.

Kernel Extensions

Rootkits are pieces of code that allow an attacker to hide their presence from the victim. They can hide files, processes, and network connections. They often come with modules that provide persistent access (backdoor) and network and keyboard sniffers. Most of these activities can be done, in one form or another, by user-space programs. Early rootkits simply modified programs like ls to change their output to suit the attacker. Such rootkits are easily discovered, and more advanced versions, like the ones outlined in this chapter, rely on running code in the kernel to change the fundamentals of the operating system itself.

Kernel extensions allow dynamic kernel-level code to ...
