How to protect processes and kernel extensions on macOS

Hello, Habr! Today I would like to talk about how to protect processes from attacks by intruders on macOS. This is useful, for example, for an antivirus or a backup system, especially since macOS offers several ways to "kill" a process. Read about them and about the protection methods under the cut.


The classic way to "kill" a process

The best-known way to "kill" a process is to send it the SIGKILL signal. From bash you can run the usual "kill -SIGKILL PID" or "pkill -9 NAME" to do this. The kill command has been around since the early days of UNIX and is available not only on macOS but on other UNIX-like systems as well.

Like other UNIX-like systems, macOS lets a process intercept any signal except two: SIGKILL and SIGSTOP. This article focuses mainly on SIGKILL as the signal that causes a process to be terminated.

macOS specifics

On macOS, the kill system call in the XNU kernel ends up calling the psignal(SIGKILL, ...) function. Let us see which other user actions in userspace can lead to a call to psignal. We exclude the calls to psignal made by internal kernel mechanisms (there are quite a few of them, but we will leave those for another article 🙂: code signature verification, memory errors, intercepted exit/stop, file protection violations, etc.).

Let us start the analysis with the terminate_with_payload function and its corresponding system call. It shows that, besides the classic kill call, there is an alternative that is specific to macOS and is not found in BSD. The operating principle of both system calls is the same: they are direct calls to the kernel function psignal. Also note that before the process is killed, a "cansignal" check is made to decide whether one process may send a signal to another; the system does not allow an arbitrary application to kill system processes, for example.

static int
terminate_with_payload_internal(struct proc *cur_proc, int target_pid, uint32_t reason_namespace,
				uint64_t reason_code, user_addr_t payload, uint32_t payload_size,
				user_addr_t reason_string, uint64_t reason_flags)
{
...
	target_proc = proc_find(target_pid);
...
	if (!cansignal(cur_proc, cur_cred, target_proc, SIGKILL)) {
		proc_rele(target_proc);
		return EPERM;
	}
...
	if (target_pid == cur_proc->p_pid) {
		/*
		 * psignal_thread_with_reason() will pend a SIGKILL on the specified thread or
		 * return if the thread and/or task are already terminating. Either way, the
		 * current thread won't return to userspace.
		 */
		psignal_thread_with_reason(target_proc, current_thread(), SIGKILL, signal_reason);
	} else {
		psignal_with_reason(target_proc, SIGKILL, signal_reason);
	}
...
}

launchd

The standard way to start daemons at system boot and manage their lifecycle is launchd. Note that the sources below are from the old version of launchctl, up to macOS 10.10; the code examples are given for comparison only. The modern launchctl sends the published signals over XPC, and the launchctl logic has been moved into launchd itself.

Let us look at how exactly applications are stopped. Before the SIGTERM signal is sent, an attempt is made to stop the application with the "proc_terminate" system call.

launchctl, src/core.c:
...
	error = proc_terminate(j->p, &sig);
	if (error) {
		job_log(j, LOG_ERR | LOG_CONSOLE, "Could not terminate job: %d: %s", error, strerror(error));
		job_log(j, LOG_NOTICE | LOG_CONSOLE, "Using fallback option to terminate job...");
		error = kill2(j->p, SIGTERM);
		if (error) {
			job_log(j, LOG_ERR, "Could not signal job: %d: %s", error, strerror(error));
		}
...

Under the hood, proc_terminate, despite its name, can call psignal not only with SIGTERM but also with SIGKILL.

Indirect kill: resource limits

A more interesting case is another system call, process_policy. Its normal use is to limit the resources of an application, for example to reduce the CPU time and memory quotas of the indexer so that file caching tasks do not slow the system down too much. If an application reaches its resource limit, a SIGKILL signal is sent to the process, as can be seen in the proc_apply_resource_actions function.

Although this system call can kill a process, the system did not sufficiently check the privileges of the process making the call. A check did exist, but it was enough to use a different flag, PROC_POLICY_ACTION_SET, to bypass it.

So, by "setting" the CPU usage quota of an application (for example, allowing it only 1 ns of run time), you could kill any process in the system. This means malware could kill any process in the system, including the antivirus process. Another interesting effect occurs when the process with pid 1 (launchctl) is killed: a kernel panic while the kernel tries to handle the SIGKILL signal :)


How can the problem be solved?

The most straightforward way to keep a process from being killed is to replace the pointer in the system call table. Unfortunately, this method is not simple, for several reasons.

First, the symbol that holds the location of the sysent table in memory is not just a private symbol of the XNU kernel; it is absent from the kernel symbol table altogether. You would have to resort to heuristic search, such as disassembling a function and looking for the pointer inside it.

Second, the layout of the entries in the table depends on the flags the kernel was built with. If the CONFIG_REQUIRES_U32_MUNGING flag is defined, the size of the structure changes: an additional field, sy_arg_munge32, is added. An extra check is needed to find out which flag the kernel was built with, or else the function pointers have to be compared against known ones.

struct sysent {         /* system call table */
        sy_call_t       *sy_call;       /* implementing function */
#if CONFIG_REQUIRES_U32_MUNGING || (__arm__ && (__BIGGEST_ALIGNMENT__ > 4))
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
#endif
        int32_t         sy_return_type; /* system call return types */
        int16_t         sy_narg;        /* number of args */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Fortunately, in recent macOS versions Apple provides a new API for working with processes. The Endpoint Security API lets clients authorize many kinds of requests made against other processes. With it you can block any signal sent to a process, including SIGKILL.

#include <bsm/libbsm.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <stdio.h>
#include <unistd.h>

// Build as Objective-C++ (or C++ with -fblocks) and link against libEndpointSecurity
// and libbsm; the binary must carry the com.apple.developer.endpoint-security.client entitlement.
int main(int argc, const char * argv[]) {
    es_client_t* cli = nullptr;
    {
        auto res = es_new_client(&cli, ^(es_client_t * client, const es_message_t * message) {
            switch (message->event_type) {
                case ES_EVENT_TYPE_AUTH_SIGNAL:
                {
                    auto& msg = message->event.signal;
                    auto target = msg.target;
                    auto& token = target->audit_token;
                    auto pid = audit_token_to_pid(token);
                    printf("signal '%d' sent to pid '%d'\n", msg.sig, pid);
                    // Deny any signal (SIGKILL included) aimed at our own process, allow everything else
                    es_respond_auth_result(client, message, pid == getpid() ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW, false);
                }
                    break;
                default:
                    break;
            }
        });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            fprintf(stderr, "es_new_client failed: %d\n", res);
            return 1;
        }
    }

    {
        es_event_type_t evs[] = { ES_EVENT_TYPE_AUTH_SIGNAL };
        if (es_subscribe(cli, evs, sizeof(evs) / sizeof(*evs)) != ES_RETURN_SUCCESS) {
            fprintf(stderr, "es_subscribe failed\n");
            es_delete_client(cli);
            return 1;
        }
    }

    printf("%d\n", getpid());
    sleep(60); // could be replaced with another waiting primitive

    es_unsubscribe_all(cli);
    es_delete_client(cli);

    return 0;
}

Similarly, a MAC policy can be registered inside the kernel; it provides a signal protection mechanism (the proc_check_signal policy hook), but this API is not officially supported.

Protecting the kernel extension

Besides protecting a process in the system, the kernel extension (kext) itself must also be protected. macOS provides developers with a framework for conveniently writing IOKit device drivers. In addition to tools for working with devices, IOKit provides a way to build a driver out of C++ class instances. A userspace application can "find" a registered class instance in order to establish a kernel-userspace connection.

To see the number of class instances in the system, there is the ioclasscount utility.

my_kext_ioservice = 1
my_kext_iouserclient = 1

Any kernel extension that wants to register itself in the driver stack must declare a class inheriting from IOService, in this case my_kext_ioservice. Each connection from a user application creates a new instance of a class inheriting from IOUserClient, here my_kext_iouserclient.

When a driver is unloaded from the system (the kextunload command), the function "bool terminate(IOOptionBits options)" is called. Returning an error from this call is enough to make the unload attempt via kextunload fail.

bool Kext::terminate(IOOptionBits options)
{

  if (!IsUnloadAllowed)
  {
    // Unload is not allowed, returning false
    return false;
  }

  return super::terminate(options);
}

The IsUnloadAllowed flag can be set by the IOUserClient when it connects. With unloading restricted, the kextunload command produces the following output:

admin@admins-Mac drivermanager % sudo kextunload ./test.kext
Password:
(kernel) Can't remove kext my.kext.test; services failed to terminate - 0xe00002c7.
Failed to unload my.kext.test - (iokit/common) unsupported function.

The same protection must be implemented for the IOUserClient. Its class instances can be unloaded with the IOKitLib userspace function "IOCatalogueTerminate(mach_port_t, uint32_t flag, io_name_t description);". You can return false from the "terminate" call until the userspace application "dies", that is, until "clientDied" is called.

File protection

To protect files it is enough to use the Kauth API, which lets you restrict access to files. Apple delivers notifications for various events in this area; for us, the KAUTH_VNODE_DELETE, KAUTH_VNODE_WRITE_DATA and KAUTH_VNODE_DELETE_CHILD actions matter. The simplest way to restrict file access is by path: we use the "vn_getpath" API to get the file path and compare its prefix. Note that, as an optimization when a folder is renamed, the system does not check access to each file inside it individually but only to the folder being renamed. Therefore the parent path must be compared as well, and KAUTH_VNODE_DELETE restricted for it.


The downside of this approach is that performance drops as the number of prefixes grows. To keep the comparison from costing O(prefix * length), where prefix is the number of prefixes and length is the length of the string, you can use a deterministic finite automaton (DFA) built from the prefixes.

Let us consider how to build a DFA for a given set of prefixes. We place a cursor at the beginning of each prefix. If all cursors point to the same character, we advance every cursor by one character and note that the length of the current run is one greater. If there are two cursors pointing at different characters, we split the cursors into groups by the character they point to and repeat the algorithm for each group.

In the first case (all characters under the cursors are the same), we get a DFA state with a single transition along that run of characters. In the second case, we get a transition table of size 256 (the number of characters, and thus the maximum number of groups) to the next states, which are obtained by calling the function recursively.

Let us look at an example. For the prefix set ("/foo/bar/tmp/", "/var/db/foo/", "/foo/bar/aba/", "foo/bar/aac/") you get the following DFA. The figure shows only the transitions that lead to other states; all other transitions lead to a non-final state.

[Figure: the DFA built from the prefix set above]

While walking through the DFA states, three cases are possible.

  1. A final state is reached: the path is protected, and we restrict the KAUTH_VNODE_DELETE, KAUTH_VNODE_WRITE_DATA and KAUTH_VNODE_DELETE_CHILD actions.
  2. A final state is not reached, but the path "ended" (the null terminator was reached): the path is a parent, and KAUTH_VNODE_DELETE must be restricted. Note that if the vnode is a folder, a '/' must be appended to its path; otherwise the restriction could also apply to the file "/foor/bar/t", which is wrong.
  3. A final state is not reached and the path has not ended: none of the prefixes matches this path, and we impose no restrictions.
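The prefix DFA and the three-way classification described above, as an added example that is not part of the original article. The names dfa_add_prefix, dfa_classify and build_example_dfa are chosen here; the prefix set is the article's, with a leading '/' assumed on the fourth entry, and the rule that a regular file ending inside a prefix is not a parent is an assumption added here.

```c
/* Added example: a prefix DFA for the Kauth path check. States form a byte trie with a
 * full 256-entry transition table each, the uncompressed form of the article's DFA. */
#include <stdio.h>
#define MAX_STATES 256
enum { PATH_PROTECTED = 1, PATH_PARENT = 2, PATH_UNRELATED = 3 };
static int next_state[MAX_STATES][256];  /* 0 = no transition */
static int is_final[MAX_STATES];
static int nstates = 1;                   /* state 0 is the start state */

/* Insert one protected prefix; the state after its last byte becomes final. */
static int dfa_add_prefix(const char *prefix)
{
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)prefix; *p; p++) {
        if (!next_state[s][*p]) {
            if (nstates >= MAX_STATES) return -1;  /* state table is full */
            next_state[s][*p] = nstates++;
        }
        s = next_state[s][*p];
    }
    is_final[s] = 1;
    return 0;
}

/* Classify a vnode path into the article's three cases. A directory gets a trailing '/'
 * as the article recommends; a regular file that stops inside a prefix (e.g. "/foo/bar/t")
 * cannot be a parent directory, so it is reported as unrelated (assumption added here). */
static int dfa_classify(const char *path, int is_dir)
{
    char buf[1024];
    snprintf(buf, sizeof buf, "%s%s", path, is_dir ? "/" : "");
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)buf; *p; p++) {
        if (is_final[s]) return PATH_PROTECTED;    /* case 1: below a protected prefix */
        s = next_state[s][*p];
        if (!s) return PATH_UNRELATED;             /* case 3: no prefix matches */
    }
    if (is_final[s]) return PATH_PROTECTED;        /* exact match of a prefix */
    return is_dir ? PATH_PARENT : PATH_UNRELATED;  /* case 2: path ended early */
}

/* Build the DFA for the article's example set (constructed; leading '/' assumed on the 4th). */
static int build_example_dfa(void)
{
    static const char *prefixes[] = { "/foo/bar/tmp/", "/var/db/foo/",
                                      "/foo/bar/aba/", "/foo/bar/aac/" };
    for (size_t i = 0; i < sizeof prefixes / sizeof *prefixes; i++)
        if (dfa_add_prefix(prefixes[i]) < 0) return -1;
    return 0;
}
```

In a Kauth listener the path would come from vn_getpath and is_dir from the vnode type; the walk costs one table lookup per byte regardless of how many prefixes are loaded.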

Conclusion

The goal of an evolving security solution is to raise the level of protection of the user and their data. On the one hand, this goal is achieved by developing the Acronis software product, which closes those vulnerabilities where the operating system itself is "weak". On the other hand, we should not neglect strengthening those security aspects that can be improved on the OS side, especially since closing such vulnerabilities also makes our product more stable. The vulnerability was reported to the Apple Product Security Team and fixed in macOS 10.14.5 (https://support.apple.com/en-gb/HT210119).


All of this is possible only if your utility is officially loaded into the kernel. In other words, there are no such loopholes for third-party or unwanted software. Still, as you can see, even protecting legitimate programs such as antivirus and backup systems takes real work. From now on, the new Acronis products for macOS will carry additional protection against being unloaded from the system.

Source: www.habr.com
