Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Moving into the kernel

Since Mac OS X 10.4.6 on Intel systems (the latest release of Mac OS X at the time of writing this paper), both /dev/kmem and /dev/mem have been removed. Because of this, a new method for entering and manipulating kernel memory is needed.

Luckily, Mach provides a solution. By using the task_for_pid() Mach trap and passing in pid=0, the kernel's mach_port_t task port is returned. Obviously, root privileges are required in order to do so.

Once this port is acquired, you are able to read and write kernel memory directly using the vm_read() and vm_write() functions. You can also vm_map() or vm_remap() files and mappings directly into kernel memory.

I am using this functionality for a new version of the WeaponX rootkit, but there are plenty of other reasons why this is useful.
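The two entry points discussed above (the removed /dev/kmem and /dev/mem nodes, and the kernel task port via task_for_pid(0)) are exactly what a host-hardening check should look for. The following posture check is an added example written for this edit, not code from the paper or from WeaponX: it asks only whether the kernel task port is handed out to the calling process, releases it immediately without reading or writing anything, and reports whether the legacy device nodes exist. The helper name kernelTaskPortObtainable is mine; build it on macOS with clang -framework Foundation.

```objective-c
// Added example: read-only audit of the kernel-memory entry points the text
// describes. It never touches kernel memory; it only reports reachability.
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <unistd.h>

// Returns YES if task_for_pid(0) hands this process the kernel task port.
// The raw kern_return_t is stored in *kr so the caller can report it.
// (Name and structure are this example's own, not an Apple API.)
static BOOL kernelTaskPortObtainable(kern_return_t *kr) {
    mach_port_t kernelTask = MACH_PORT_NULL;
    *kr = task_for_pid(mach_task_self(), 0, &kernelTask);
    if (*kr == KERN_SUCCESS && MACH_PORT_VALID(kernelTask)) {
        // Drop the send right at once; knowing it was granted is the finding.
        mach_port_deallocate(mach_task_self(), kernelTask);
        return YES;
    }
    return NO;
}

int main(void) {
    @autoreleasepool {
        int findings = 0;
        kern_return_t kr;
        BOOL granted = kernelTaskPortObtainable(&kr);
        NSLog(@"euid=%u task_for_pid(0): %s (%s)",
              (unsigned)geteuid(),
              granted ? "GRANTED" : "refused",
              mach_error_string(kr));
        if (granted) findings++;

        // The paper notes these nodes are gone as of 10.4.6 on Intel; their
        // reappearance would mean a raw kernel-memory path has been re-opened.
        for (NSString *node in @[@"/dev/kmem", @"/dev/mem"]) {
            BOOL present = [[NSFileManager defaultManager] fileExistsAtPath:node];
            NSLog(@"%@: %s", node, present ? "PRESENT" : "absent");
            if (present) findings++;
        }

        // Non-zero exit when any raw kernel-memory path is open, so the check
        // can gate a hardening or compliance pipeline.
        return findings > 0 ? 1 : 0;
    }
}
```

Run it once unprivileged and once as root to confirm that the port is refused in the first case; on current macOS releases the call is expected to be refused in both.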