How to protect processes and kernel extensions on macOS

Hi, Habr! Today I want to talk about how to protect a process from being attacked on macOS. This is useful, for example, for an antivirus or a backup system, especially since macOS has several ways to "kill" a process. Read about those ways, and about the ways to defend against them, under the cut.


The classic way to "kill" a process

The well-known way to "kill" a process is to send it the SIGKILL signal. From bash you can run the standard "kill -SIGKILL PID" or "pkill -9 NAME". The "kill" command has been around since the early days of UNIX and is available not only on macOS but on other UNIX-like systems as well.

As on other UNIX-like systems, macOS lets a process intercept any signal sent to it except two: SIGKILL and SIGSTOP. This article concentrates on SIGKILL, the signal that forces a process to terminate.

macOS specifics

On macOS, the kill system call in the XNU kernel ends up calling the psignal(SIGKILL, ...) function. Let's see which other user actions from userspace can reach psignal. We will set aside the calls to psignal made by the kernel's internal mechanisms (they are far from trivial, but we'll leave them for another article :) - code signature verification, memory errors, exit/stop handling, file protection violations, and so on.

Let's start the review with the terminate_with_payload function and its system call of the same name. It shows that, in addition to the classic kill call, there is an alternative path that is specific to macOS and absent from BSD. Both system calls work the same way: they call the kernel function psignal directly. Note also that before a process is killed, a "cansignal" check is performed to decide whether the calling process may send a signal to the target at all; the system does not let an arbitrary application kill system processes, for example.

static int
terminate_with_payload_internal(struct proc *cur_proc, int target_pid, uint32_t reason_namespace,
				uint64_t reason_code, user_addr_t payload, uint32_t payload_size,
				user_addr_t reason_string, uint64_t reason_flags)
{
...
	target_proc = proc_find(target_pid);
...
	if (!cansignal(cur_proc, cur_cred, target_proc, SIGKILL)) {
		proc_rele(target_proc);
		return EPERM;
	}
...
	if (target_pid == cur_proc->p_pid) {
		/*
		 * psignal_thread_with_reason() will pend a SIGKILL on the specified thread or
		 * return if the thread and/or task are already terminating. Either way, the
		 * current thread won't return to userspace.
		 */
		psignal_thread_with_reason(target_proc, current_thread(), SIGKILL, signal_reason);
	} else {
		psignal_with_reason(target_proc, SIGKILL, signal_reason);
	}
...
}

launchd

The standard way to start daemons at system boot and to manage their lifetime is launchd. Note that the sources shown are from the old version of launchctl, up to macOS 10.10; the snippets are given for illustration. The modern launchctl starts jobs through XPC, and the launchctl logic has moved there.

Let's look at how applications are actually stopped. Before the SIGTERM signal is sent, an attempt is made to stop the application with the "proc_terminate" system call.

<launchctl src/core.c>
...
	error = proc_terminate(j->p, &sig);
	if (error) {
		job_log(j, LOG_ERR | LOG_CONSOLE, "Could not terminate job: %d: %s", error, strerror(error));
		job_log(j, LOG_NOTICE | LOG_CONSOLE, "Using fallback option to terminate job...");
		error = kill2(j->p, SIGTERM);
		if (error) {
			job_log(j, LOG_ERR, "Could not signal job: %d: %s", error, strerror(error));
		} 
...
<>

Under the hood, proc_terminate, despite its name, can pass not only SIGTERM to psignal but also SIGKILL.

Indirect Kill - Resource Limit

A more interesting case is found in another system call, process_policy. Its normal use is limiting an application's resources: an indexer, for example, limits its own CPU time and memory quotas so that its file caching activity does not slow the system down too much. When an application reaches its resource limit, as can be seen in the proc_apply_resource_actions function, a SIGKILL signal is sent to it.

Although this system call can kill a process, the system did not properly check the privileges of the process making the call. A check was in fact present, but it was enough to use the alternative flag PROC_POLICY_ACTION_SET to bypass it.

So, by "setting" an application's CPU usage quota (for example, allowing it to run for only 1 ns), one could kill any process on the system. In other words, malware could kill any process, including the antivirus. Another interesting effect occurs when the process with pid 1 (launchd) is killed this way: a kernel panic while the SIGKILL signal is being handled :)


How to fix the problem?

The straightforward way to protect a process from being killed is to replace the function pointer in the system call table. Unfortunately, this approach is far from optimal, for several reasons.

First, the sysent symbol that points at the system call table is not only not exported by the XNU kernel, it is not present among the kernel symbols at all. You would have to resort to heuristics, such as disassembling a function at runtime and looking for the pointer inside it.

Second, the layout of the table entries depends on the flags the kernel was built with. If the CONFIG_REQUIRES_U32_MUNGING flag is defined, the size of the structure changes: an extra field, sy_arg_munge32, is added. An additional check is needed to determine which flags the kernel was built with, or alternatively the function pointers have to be compared against known ones.

struct sysent {         /* system call table */
        sy_call_t       *sy_call;       /* implementing function */
#if CONFIG_REQUIRES_U32_MUNGING || (__arm__ && (__BIGGEST_ALIGNMENT__ > 4))
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
#endif
        int32_t         sy_return_type; /* system call return types */
        int16_t         sy_narg;        /* number of args */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Fortunately, in modern macOS Apple provides a new API for working with processes. The Endpoint Security API lets its clients authorize many kinds of requests made to other processes. In particular, it can be used to block any signal to a process, including SIGKILL, as the program below does. Keep in mind that an Endpoint Security client must run as root and carry the com.apple.developer.endpoint-security.client entitlement, which Apple grants on request.

#include <bsm/libbsm.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <stdio.h>
#include <unistd.h>

// Compiled as C++ with blocks (clang -fblocks). The binary must run as root
// and carry the com.apple.developer.endpoint-security.client entitlement.
int main(int argc, const char * argv[]) {
    es_client_t* cli = nullptr;
    {
        auto res = es_new_client(&cli, ^(es_client_t * client, const es_message_t * message) {
            switch (message->event_type) {
                case ES_EVENT_TYPE_AUTH_SIGNAL:
                {
                    // The target's audit token identifies who would receive the signal.
                    auto& msg = message->event.signal;
                    auto target = msg.target;
                    auto& token = target->audit_token;
                    auto pid = audit_token_to_pid(token);
                    printf("signal '%d' sent to pid '%d'\n", msg.sig, pid);
                    // Deny every signal aimed at this process, allow everything else.
                    // The last argument (cache = false) keeps the decision per event.
                    es_respond_auth_result(client, message, pid == getpid() ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW, false);
                }
                    break;
                default:
                    break;
            }
        });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            fprintf(stderr, "es_new_client failed: %d\n", res);
            return 1;
        }
    }

    {
        es_event_type_t evs[] = { ES_EVENT_TYPE_AUTH_SIGNAL };
        if (es_subscribe(cli, evs, sizeof(evs) / sizeof(*evs)) != ES_RETURN_SUCCESS) {
            fprintf(stderr, "es_subscribe failed\n");
            es_delete_client(cli);
            return 1;
        }
    }

    printf("pid %d\n", getpid());
    sleep(60); // could be replaced with another waiting primitive

    es_unsubscribe_all(cli);
    es_delete_client(cli);

    return 0;
}

Similarly, a MAC policy can be registered in the kernel that provides a hook for protecting against signals (the proc_check_signal policy), but this API is not officially supported.

Protecting the kernel extension

Besides protecting processes in the system, the kernel extension (kext) itself needs protection too. macOS offers developers a framework that makes writing IOKit drivers easy. In addition to tools for working with devices, IOKit provides a way to stack drivers using instances of C++ classes. An application in userspace can "find" a registered instance of such a class to establish a kernel-user connection.

The ioclasscount utility shows how many instances of each class exist in the system:

my_kext_ioservice = 1
my_kext_iouserclient = 1

Any kernel extension that wants to register in the driver stack must declare a class that inherits from IOService, my_kext_ioservice in this example. When a user application connects, a new instance of a class that inherits from IOUserClient is created, my_kext_iouserclient in the example.

When an attempt is made to unload the driver from the system (the kextunload command), the virtual function "bool terminate(IOOptionBits options)" is called. Returning false from terminate while an unload is in progress is enough to defeat kextunload.

bool Kext::terminate(IOOptionBits options)
{
  // Refuse to terminate while the flag is cleared; kextunload then fails
  // with "services failed to terminate" (see the output below).
  if (!IsUnloadAllowed)
  {
    // Unload is not allowed, returning false
    return false;
  }

  return super::terminate(options);
}

The IsUnloadAllowed flag can be set by the IOUserClient when it connects. While unloading is blocked, the kextunload command produces the following output:

admin@admins-Mac drivermanager % sudo kextunload ./test.kext
Password:
(kernel) Can't remove kext my.kext.test; services failed to terminate - 0xe00002c7.
Failed to unload my.kext.test - (iokit/common) unsupported function.

The same protection must be implemented for the IOUserClient. Class instances can be terminated from userspace with the IOKitLib function "IOCatalogueTerminate(mach_port_t, uint32_t flag, io_name_t description);". You can keep returning false from the "terminate" call until the userspace application "dies", that is, until the "clientDied" function has been called.

File protection

To protect files it is enough to use the Kauth API, which lets you restrict access to files. Apple provides developers with notifications about various events in the vnode scope; for us the operations KAUTH_VNODE_DELETE, KAUTH_VNODE_WRITE_DATA and KAUTH_VNODE_DELETE_CHILD matter. The simplest way to restrict access to files is by path: we use the "vn_getpath" API to get the file's path and compare it against the protected prefixes. Note that, as an optimization, when a directory is renamed the system does not authorize access to every file inside it, only to the directory being renamed. Therefore the parent path must be compared as well, and KAUTH_VNODE_DELETE denied on it.


The drawback of this approach is that performance degrades as the number of prefixes grows. To avoid a comparison cost of O(prefixes * length), where prefixes is the number of prefixes and length is the length of the string, a deterministic finite automaton (DFA) built from the prefixes can be used instead.

Let's look at how to build a DFA for a given set of prefixes. We place a cursor at the beginning of each prefix. If all cursors point at the same character, we advance every cursor by one character and note that the shared run has grown by one. If two cursors point at different characters, we split the cursors into groups by the character they point at and repeat the algorithm for each group.

In the first case (all characters under the cursors are the same) we get a DFA state with exactly one transition, along the shared run. In the second case we get a transition table of size 256 (the number of possible characters, and hence the maximum number of groups) leading to the subsequent states, which are produced by calling the function recursively.

Let's take an example. For the prefix set ("/foo/bar/tmp/", "/var/db/foo/", "/foo/bar/aba/", "/foo/bar/aac/") we get the DFA below. The figure shows only the transitions that lead to other states; every other transition is non-final.

[Figure: the DFA built from the four prefixes above; only transitions that lead to other states are drawn]

When walking the DFA states, three cases can arise:

  1. A final state is reached: the path is protected, and we deny the KAUTH_VNODE_DELETE, KAUTH_VNODE_WRITE_DATA and KAUTH_VNODE_DELETE_CHILD operations.
  2. A final state is not reached, but the path "ended" (the null terminator was reached): the path is a parent, and KAUTH_VNODE_DELETE must be denied on it. Note that if the vnode is a directory, '/' must be appended to its path before matching; otherwise the file "/foo/bar/t" could end up restricted, which is wrong.
  3. A final state is not reached and the path has not ended: no prefix matches, and we impose no restrictions.
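The prefix DFA and the three-way decision above, as an added example in portable C (not the article's or Acronis' code, which lives in a kext). It builds the automaton from the article's four prefixes with the cursor algorithm just described, classifies a path into the three cases, and maps the result to the Kauth rights that should be denied; directory paths get a trailing '/' before matching, and a path that stops in the middle of a component is treated as no match rather than as a parent. The KAUTH_VNODE_* values are defined locally and assumed to equal those in <sys/kauth.h> so the code builds on any host; the Kauth listener that would obtain the path with vn_getpath and call denied_rights() is not shown.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Kauth vnode rights from the article; values assumed equal to <sys/kauth.h>. */
#define KAUTH_VNODE_WRITE_DATA   (1U << 2)
#define KAUTH_VNODE_DELETE       (1U << 4)
#define KAUTH_VNODE_DELETE_CHILD (1U << 6)

enum match { MATCH_NONE, MATCH_PARENT, MATCH_PROTECTED };

struct state {
    bool final;                 /* some prefix ends exactly here */
    bool is_run;                /* run state (one transition) or branch table */
    const char *run;            /* run: the bytes every prefix here shares */
    size_t run_len;
    struct state *next;         /* run: state reached after the shared bytes */
    struct state *table[256];   /* branch: per-byte transitions, NULL = none */
};

/* Cursor algorithm from the text: while the bytes under all cursors agree,
 * advance them together (a run); otherwise split the cursors by byte (a
 * branch) and recurse. cur[] holds one cursor per prefix and is modified. */
struct state *build(const char **cur, size_t n)
{
    struct state *s = calloc(1, sizeof *s);
    size_t live = 0, len = 0;
    for (size_t i = 0; i < n; i++)
        if (cur[i][0] == '\0') s->final = true;     /* prefix fully consumed */
        else cur[live++] = cur[i];
    if (live == 0) return s;                         /* leaf */
    for (;;) {                                       /* length of shared run */
        char c = cur[0][len];
        bool same = (c != '\0');
        for (size_t i = 1; same && i < live; i++) same = (cur[i][len] == c);
        if (!same) break;
        len++;
    }
    if (len > 0) {
        s->is_run = true; s->run = cur[0]; s->run_len = len;
        for (size_t i = 0; i < live; i++) cur[i] += len;
        s->next = build(cur, live);
        return s;
    }
    const char **grp = malloc(live * sizeof *grp);
    for (unsigned b = 1; b < 256; b++) {
        size_t m = 0;
        for (size_t i = 0; i < live; i++)
            if ((unsigned char)cur[i][0] == b) grp[m++] = cur[i] + 1;
        if (m > 0) s->table[b] = build(grp, m);
    }
    free(grp);
    return s;
}

/* Walk the automaton over path; the results are the text's three cases. */
enum match dfa_classify(const struct state *s, const char *path)
{
    const char *p = path;
    size_t off = 0;                                  /* offset inside a run */
    while (!s->final) {
        if (*p == '\0')    /* prefix not completed: parent only at a '/' boundary */
            return (p > path && p[-1] == '/') ? MATCH_PARENT : MATCH_NONE;
        if (s->is_run) {
            if (*p != s->run[off]) return MATCH_NONE;
            if (++off == s->run_len) { s = s->next; off = 0; }
        } else if ((s = s->table[(unsigned char)*p]) == NULL) {
            return MATCH_NONE;
        }
        p++;
    }
    return MATCH_PROTECTED;
}

/* Rights to deny for one vnode. Directories get a trailing '/' first, so the
 * directory "/foo/bar/t" is not mistaken for a parent of "/foo/bar/tmp/". */
unsigned denied_rights(const struct state *dfa, const char *path, bool is_dir,
                       unsigned requested)
{
    char buf[1024];                                  /* MAXPATHLEN */
    size_t len = strlen(path);
    if (len + 2 > sizeof buf) return requested;      /* fail closed */
    memcpy(buf, path, len);
    if (is_dir && len > 0 && buf[len - 1] != '/') buf[len++] = '/';
    buf[len] = '\0';
    enum match m = dfa_classify(dfa, buf);
    if (m == MATCH_PROTECTED)
        return requested & (KAUTH_VNODE_WRITE_DATA | KAUTH_VNODE_DELETE |
                            KAUTH_VNODE_DELETE_CHILD);
    return m == MATCH_PARENT ? (requested & KAUTH_VNODE_DELETE) : 0;
}

/* The automaton for the article's prefix set (build() consumes the cursors). */
struct state *example_dfa(void)
{
    const char *cur[] = { "/foo/bar/tmp/", "/var/db/foo/",
                          "/foo/bar/aba/", "/foo/bar/aac/" };
    return build(cur, 4);
}
```

With this set, denied_rights(dfa, "/foo/bar", true, ...) yields only KAUTH_VNODE_DELETE (a parent), "/foo/bar/tmp/x.txt" yields all three rights, and both the file and the directory "/foo/bar/t" yield nothing. Each byte of the path is examined once, so the cost is O(length) regardless of how many prefixes are protected.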

Conclusion

The goal of the security solutions we develop is to raise the level of protection for users and their data. On the one hand, this goal is achieved by developing the Acronis software product, which closes the gaps where the operating system itself is "weak". On the other hand, we should not neglect strengthening the security aspects that can be improved on the OS side, especially since closing such holes makes our own product more robust. This vulnerability was reported to the Apple Product Security Team and fixed in macOS 10.14.5 (https://support.apple.com/en-gb/HT210119).


All of this is only possible if your application is officially loaded into the kernel. That is, there are no such loopholes for external and unwanted software. Still, as you can see, even protecting legitimate programs such as antivirus and backup systems takes work. From now on, the new Acronis products for macOS will have additional protection against being unloaded from the system.

Source: www.habr.com
