forked from gdbinit/rex_versus_the_romans
-
Notifications
You must be signed in to change notification settings - Fork 0
alvarofe/rex_versus_the_romans
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Rex versus The Romans Anti Hacking Team Kernel Extension reverser@put.as - http://reverse.put.as This is a OS X TrustedBSD module to detect Hacking Team's OS X malware in already infected systems or to warn if system is compromised by their dropper. It assumes that the malware is written to /Users/username/Library/Preferences. This assumption has been true in the past but unknown in the future. The code is very simple and needs further improvements to be future proof to any changes they might do. I do have that secret sauce but it's implemented in a commercial product. Because there is no userland daemon to receive and process the alerts, the deprecated KUNCUserNotificationDisplayNotice is used to display the alert. The downside of this is that this module uses the Unsupported KPI. It can be fixed by creating a userland daemon that receives and processes the messages from the kernel. You are encouraged to improve on this code! Please tell me about it if you do. If you want to get this module loaded on startup you can use a simple trick. Modify the kext plist and add this key: <key>AppleSecurityExtension</key> <true/> The CFBundleIdentifier must also be modified and start with com.apple.XXXXX. Now copy the kext to /System/Library/Extensions and touch that same folder. Reboot and the kext will be automatically loaded on boot. This method doesn't work with Yosemite because of strict codesigning requests. You can't sign anymore com.apple with a non-Apple certificate. Of course you need a kext codesigning certificate for this to work with Mavericks! Enjoy, fG!
About
Anti Hacking Team TrustedBSD module
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- C 100.0%