Kextstat_ASLR: Hiding Your Rootkits Mac OSX

I found a small utility for hiding your kernal rootkits in OSX Mountain Lion. Mountain Lion introduced kernel ASLR and the kextstat util output doesn’t support (yet?) this feature. The addresses are not the real ones and this is quite annoying (kgmacros from kernel debugging also seem to fail at this!).

What this util does is to read the kernel extensions information via the /dev/kmem device (hence this util is probably not useful for a large audience) and display it like kextstat does with the correct address for each kext (just the most important information, the linked against info might be added in the future).

Besides useful for anyone wanting to read the kexts information, it’s also useful for rootkits because it implements the trick that Crisis uses to retrieve this information for 64bits kernels. The only piece left is how to find the sLoadedKexts symbol. Here it’s hardcoded for version 10.8.2.

The code is located at
One feature the devoloper palns to add is the ability to “bruteforce” the whole sLoadedKexts array. The reason is that rootkits usually decrease the count but the information remains there. One minor detail is that it may be susceptible to changes to OSArray and OSKext classes since it’s using offsets into the instance variables.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s