Wednesday, May 8, 2013

VXCON 2012 - Advanced Mac OS Rootkit

Celebrating the announcement of HITCON 2013, we decided to release the slides that we gave at VXCON 2012 last December. :)


Nanika did great research on the Mac OS kernel last year. Here are the introduction and slides.

Attacking Mac OS has become a trend, as we see more and more malware with increasingly advanced attack techniques on Mac OS. In order to gain persistent control and avoid detection, malware has started to adopt rootkit tricks. In this presentation, we will start from the basic details and try to provide a comprehensive view of rootkits on Mac OS, covering both user and kernel mode.

Beyond introducing general rootkit techniques, we will also disclose new and more advanced rootkit tricks by digging deeper into kernel objects and data structures. In addition to the advanced rootkit techniques, a new anti-tracing (anti-DTrace) technique will be introduced as well.

On the other hand, preventing rootkit attacks is also critical. We will describe how we designed a rootkit scanner and a host IPS to protect against the rootkits mentioned above.



Contact us if you need the PoC file. :)