How to protect processes and kernel extensions on macOS

Hello, Habr! Today I want to talk about how you can protect processes from attacks by an adversary on macOS. This is useful, for example, for protecting antivirus or backup processes, especially since macOS has several ways to "kill" a process. Read about these ways and the protection against them under the cut.


The classic way to "kill" a process

One well-known way to "kill" a process is to send it the SIGKILL signal. From bash you can call the standard "kill -SIGKILL PID" or "pkill -9 NAME". The "kill" command has been known since the days of UNIX and exists not only on macOS but also on other UNIX-like systems.

As on other UNIX-like systems, macOS allows you to intercept signals sent to a process, with two exceptions: SIGKILL and SIGSTOP. This article will mostly focus on SIGKILL, as the signal that causes a process to be killed.

macOS specifics

On macOS, the kill system call in the XNU kernel invokes the psignal(SIGKILL, ...) function. Let's see what else reachable from userspace ends up calling psignal. We will leave aside the calls to psignal made by the kernel's internal mechanisms (although they are far from trivial, we will keep them for another article 🙂 - code signature verification, memory errors, exit/termination handling, file protection, etc.).

Let's start the review with the terminate_with_payload function and system call. It turns out that, in addition to the classic kill call, there is an alternative that is specific to macOS and not found in BSD. The operating principle of both system calls is the same: they are direct calls to the kernel function psignal. Also note that before a process is killed, a "cansignal" check is performed - whether the calling process may send a signal to the target process; the system does not allow an arbitrary application to kill system processes, for example.

static int
terminate_with_payload_internal(struct proc *cur_proc, int target_pid, uint32_t reason_namespace,
				uint64_t reason_code, user_addr_t payload, uint32_t payload_size,
				user_addr_t reason_string, uint64_t reason_flags)
{
...
	target_proc = proc_find(target_pid);
...
	if (!cansignal(cur_proc, cur_cred, target_proc, SIGKILL)) {
		proc_rele(target_proc);
		return EPERM;
	}
...
	if (target_pid == cur_proc->p_pid) {
		/*
		 * psignal_thread_with_reason() will pend a SIGKILL on the specified thread or
		 * return if the thread and/or task are already terminating. Either way, the
		 * current thread won't return to userspace.
		 */
		psignal_thread_with_reason(target_proc, current_thread(), SIGKILL, signal_reason);
	} else {
		psignal_with_reason(target_proc, SIGKILL, signal_reason);
	}
...
}

launchctl

launchctl is the mechanism that creates daemons at system startup and manages their lifetime. Note that the sources shown are for the old version of launchctl, up to macOS 10.10; the code is given for illustration only. The modern launchctl sends signals via XPC, to which the launchctl logic has been moved.

Let's see how applications are terminated. Before the SIGTERM signal is sent, an attempt is made to stop the application using the "proc_terminate" system call.

launchctl, src/core.c:
...
	error = proc_terminate(j->p, &sig);
	if (error) {
		job_log(j, LOG_ERR | LOG_CONSOLE, "Could not terminate job: %d: %s", error, strerror(error));
		job_log(j, LOG_NOTICE | LOG_CONSOLE, "Using fallback option to terminate job...");
		error = kill2(j->p, SIGTERM);
		if (error) {
			job_log(j, LOG_ERR, "Could not signal job: %d: %s", error, strerror(error));
		} 
...

Under the hood, proc_terminate, despite its name, can call psignal not only with SIGTERM but also with SIGKILL.

Indirect kill - resource limits

An interesting case can be found in another system call, process_policy. One of the uses of this call is to restrict resource consumption, for example for the indexer, limiting its CPU time and memory quotas so that the system is not slowed down by file caching. If an application reaches its resource limit, then, as can be seen in the proc_apply_resource_actions function, the SIGKILL signal is sent to the process.

Although this system call can kill a process, the system does not check the privileges of the calling process. Strictly speaking, the check exists, but it is enough to use the alternative flag PROC_POLICY_ACTION_SET to bypass this condition.

Thus, if you "lower" an application's CPU usage quota (for example, allow it to run for only 1 ns), you can kill any process in the system. So malware can kill any process in the system, including antivirus processes. Also interesting is the effect of killing the process with pid 1 (launchctl) - the kernel panics when trying to handle the SIGKILL signal :)


How to solve the problem?

The simplest way to protect a process from being killed is to replace the function pointer in the system call table. Unfortunately, this method is not trivial, for several reasons.

First, the symbol that holds the location of sysent in memory is not just private to the XNU kernel: it cannot be found among the kernel symbols at all. You have to use heuristic search methods, such as dynamically disassembling a function and looking for the pointer inside it.

Second, the layout of the entries in the table depends on the flags with which the kernel was compiled. If the CONFIG_REQUIRES_U32_MUNGING flag is declared, the size of the structure changes - an additional field, sy_arg_munge32, is added. An additional check is therefore needed to determine which flags the kernel was built with, or, alternatively, the function pointers have to be checked against known ones.

struct sysent {         /* system call table */
        sy_call_t       *sy_call;       /* implementing function */
#if CONFIG_REQUIRES_U32_MUNGING || (__arm__ && (__BIGGEST_ALIGNMENT__ > 4))
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
#endif
        int32_t         sy_return_type; /* system call return types */
        int16_t         sy_narg;        /* number of args */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Fortunately, in modern versions of macOS Apple provides a new API for working with processes. The Endpoint Security API allows clients to authorize many kinds of requests directed at other processes. So you can block any signal to a process, including SIGKILL, using this API.

#include <bsm/libbsm.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <unistd.h>
#include <cstdio>

int main(int argc, const char * argv[]) {
    es_client_t* cli = nullptr;
    {
        // The handler runs for every subscribed event; an AUTH event must be
        // answered with es_respond_auth_result, otherwise the request stalls.
        auto res = es_new_client(&cli, ^(es_client_t * client, const es_message_t * message) {
            switch (message->event_type) {
                case ES_EVENT_TYPE_AUTH_SIGNAL:
                {
                    auto& msg = message->event.signal;
                    auto target = msg.target;
                    auto& token = target->audit_token;
                    auto pid = audit_token_to_pid(token);
                    printf("signal '%d' sent to pid '%d'\n", msg.sig, pid);
                    // Deny every signal aimed at our own process, allow all others
                    es_respond_auth_result(client, message, pid == getpid() ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW, false);
                }
                    break;
                default:
                    break;
            }
        });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            // Requires the Endpoint Security entitlement and Full Disk Access
            fprintf(stderr, "es_new_client failed: %d\n", res);
            return 1;
        }
    }

    {
        es_event_type_t evs[] = { ES_EVENT_TYPE_AUTH_SIGNAL };
        es_subscribe(cli, evs, sizeof(evs) / sizeof(*evs));
    }

    printf("%d\n", getpid());
    sleep(60); // could be replaced with another waiting primitive

    es_unsubscribe_all(cli);
    es_delete_client(cli);

    return 0;
}

Similarly, a MAC policy can be registered in the kernel, which provides a way to protect against signals (the proc_check_signal hook), but this API is not officially supported.

Kernel extension protection

In addition to protecting processes in the system, it is also worth protecting the kernel extension (kext) itself. macOS provides developers with a framework for easily creating IOKit device drivers. Besides the tools for working with devices, IOKit provides a mechanism for stacking drivers using instances of C++ classes. An application in userspace can "find" an instance of such a class to establish a kernel-userspace connection.

To determine the number of instances of a class in the system, there is the ioclasscount utility.

my_kext_ioservice = 1
my_kext_iouserclient = 1

Every kernel extension that wants to register in the driver stack must declare a class derived from IOService, in this case my_kext_ioservice. Connecting a user application causes a new instance of a class derived from IOUserClient to be created, in this example my_kext_iouserclient.

When an attempt is made to remove a driver from the system (the kextunload command), the virtual function "bool terminate(IOOptionBits options)" is called. It is enough to return false from the terminate call during an unload attempt to block kextunload.

bool Kext::terminate(IOOptionBits options)
{

  if (!IsUnloadAllowed)
  {
    // Unload is not allowed, returning false
    return false;
  }

  return super::terminate(options);
}

The IsUnloadAllowed flag can be set by the IOUserClient at load time. When unloading is blocked, the kextunload command returns the following output:

admin@admins-Mac drivermanager % sudo kextunload ./test.kext
Password:
(kernel) Can't remove kext my.kext.test; services failed to terminate - 0xe00002c7.
Failed to unload my.kext.test - (iokit/common) unsupported function.

Similar protection is needed for the IOUserClient. A class instance can be removed using the IOKitLib userspace function "IOCatalogueTerminate(mach_port_t, uint32_t flag, io_name_t description);". You can return false from the "terminate" call until the userspace application "dies", that is, until the "clientDied" function has been called.

File protection

To protect files, it is enough to use the Kauth API, which allows you to restrict access to files. Apple provides developers with notifications about various events in this scope; for us the operations KAUTH_VNODE_DELETE, KAUTH_VNODE_WRITE_DATA and KAUTH_VNODE_DELETE_CHILD are important. The simplest way to restrict access to files is by path - we use the "vn_getpath" API to get the path of the file and compare its prefix. Note that, to make renaming a folder fast, the system does not check access for every file in the folder, but only for the folder itself that is being renamed. It is therefore necessary to compare the parent path as well and restrict KAUTH_VNODE_DELETE for it.


The disadvantage of this approach is reduced performance as the number of prefixes grows. To make sure the comparison does not cost O(prefix * length), where prefix is the number of prefixes and length is the length of the string, you can use a deterministic finite automaton (DFA) built from the prefixes.

Let's consider one way to build a DFA for a set of prefixes. We place a cursor at the start of each prefix. If all cursors point to the same character, advance every cursor by one character and remember that the length of the common run has grown by one. If there are two cursors pointing to different characters, split the cursors into groups by the character they point to and repeat the algorithm for each group.

In the first case (all characters under the cursors are the same), we get a DFA state with a single transition along the common run. In the second case, we get a transition table of size 256 (the number of possible characters, and the maximum number of groups) to the next states, obtained by the recursive call.

Let's look at an example. For the set of prefixes ("/foo/bar/tmp/", "/var/db/foo/", "/foo/bar/aba/", "foo/bar/aac/") you get the following DFA. The figure shows only transitions to other states; all other transitions lead to a non-final state.


When walking a path through the DFA states, there are 3 possible cases.

  1. A final state was reached - the path is protected, and we restrict the operations KAUTH_VNODE_DELETE, KAUTH_VNODE_WRITE_DATA and KAUTH_VNODE_DELETE_CHILD.
  2. A final state was not reached, but the path "ended" (the null terminator was reached) - the path is a parent, and KAUTH_VNODE_DELETE must be restricted for it. Note that if the vnode is a folder, you must append a '/' at the end, otherwise the restriction would also apply to the file "/foor/bar/t", which is incorrect.
  3. A final state was not reached and the path did not end. None of the prefixes match this path, and we apply no restriction.
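As an added example (not code from the original article or from Acronis), here is a userspace C model of the prefix DFA and the three Kauth decisions described above, covering both the path-prefix comparison from the file-protection section and the three traversal cases. It keeps an uncompressed 256-way transition table per state (the article's second case, without merging runs of single transitions), and assumes that the "parent" case only applies to directory vnodes, which is why a '/' is appended for directories and a file whose path ends inside the automaton counts as no match; the names dfa_classify, build_example_dfa and the decision enum are mine.

```c
#include <string.h>

/* Decision for a vnode path (hypothetical names, not XNU or Kauth APIs). */
enum { NO_MATCH = 0, PARENT = 1, PROTECTED = 2 };
/* One state: 256-way transition table (0 = no transition) plus a final flag.
 * Runs of single transitions are kept uncompressed, unlike the article's DFA. */
#define MAX_STATES 512
typedef struct { int next[256]; int final; } state_t;
static state_t dfa[MAX_STATES];
static int nstates;

static void dfa_reset(void) { memset(dfa, 0, sizeof dfa); nstates = 1; }

/* Insert one protected prefix; the state reached at its end becomes final. */
static int dfa_add_prefix(const char *prefix) {
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)prefix; *p; p++) {
        if (dfa[s].next[*p] == 0) {
            if (nstates >= MAX_STATES) return -1;
            dfa[s].next[*p] = nstates++;
        }
        s = dfa[s].next[*p];
    }
    dfa[s].final = 1;
    return 0;
}

/* Walk a path through the DFA. For directories a '/' is appended so that the
 * directory is compared like a prefix and "/foo/bar/t" is not taken for a parent. */
static int dfa_classify(const char *path, int is_dir) {
    char buf[1024];
    size_t n = strlen(path);
    if (n + 2 > sizeof buf) return NO_MATCH;
    memcpy(buf, path, n + 1);
    if (is_dir && (n == 0 || buf[n - 1] != '/')) { buf[n] = '/'; buf[n + 1] = '\0'; }
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)buf; *p; p++) {
        if (dfa[s].final) return PROTECTED;  /* case 1: inside a protected prefix */
        s = dfa[s].next[*p];
        if (s == 0) return NO_MATCH;         /* case 3: no prefix can match */
    }
    if (dfa[s].final) return PROTECTED;      /* case 1: exactly a protected prefix */
    return is_dir ? PARENT : NO_MATCH;       /* case 2: directory above a protected one */
}

/* Build the DFA for the article's four example prefixes (constructed input). */
static int build_example_dfa(void) {
    static const char *pfx[] = { "/foo/bar/tmp/", "/var/db/foo/", "/foo/bar/aba/", "foo/bar/aac/" };
    dfa_reset();
    for (size_t i = 0; i < sizeof pfx / sizeof *pfx; i++)
        if (dfa_add_prefix(pfx[i]) != 0) return -1;
    return 0;
}
```

In a real Kauth listener the path would come from vn_getpath and is_dir from the vnode type; PROTECTED maps to denying DELETE, WRITE_DATA and DELETE_CHILD, PARENT to denying DELETE only.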

Conclusion

The purpose of the security solution being developed is to raise the level of security of the user and their data. On the one hand, this goal is achieved by developing the Acronis software product, which closes the gaps where the operating system itself is "weak". On the other hand, we must not forget to strengthen the security measures that can be improved on the OS side, especially since closing these vulnerabilities makes our own product more robust. The issue was reported to the Apple Product Security Team and was fixed in macOS 10.14.5 (https://support.apple.com/en-gb/HT210119).


All of this is only possible if your solution is integrated into the kernel. That is, third-party and unwanted software has no such capabilities. However, as you can see, even legitimate protective software such as antivirus and backup systems has to work for it. And now the new Acronis products for macOS will have additional protection against being removed from the system.

Source: www.hab.com
