Kernel Orc Curiosity
- Subject: Kernel Orc Curiosity
- From: Eric King <email@hidden>
- Date: Tue, 20 Jan 2004 03:33:24 -0500
As always, I'm doing unusual things... So I start noticing odd behavior
in Mac OS X 10.3.2 on my PowerBook G4 (DVI 800MHz)
I'd be updating my (LONG) website (http://www.dumbfolks.com) and all of
a sudden there'd be these huge and NOISY bursts of EXTREME HD activity.
Now I'm on a Cable Modem connection with Personal Web Sharing On, but
no filesharing. No telnet. No FTP. etc... I noticed my graphics SLOWING
DOWN. I noticed the ATI 7500 HEATING UP THE KEYBOARD as it is prone to
do under high usage. I noticed in BBEdit as I typed that I would
MISTYPE ODDLY, as if someone was pressing keys my fingers just were NOT
near. Core Audio seems to be buggered CONTROLLABLY.
I noticed that during these HIGH HD ACCESS attempts that Safari would
ALWAYS QUIT. Poof. So would Netscape Poof. It's like someone KILL -9'd
it. The other day I couldn't even download my web page, which Plays a
Quicktime audio movie. Without it Crashing Safari. I tried playing it
from the Finder. It CRASHED THE FINDER. It's FINE NOW. I took
PRECAUTIONS. Seems I have a HACKER PORTAL. Checked Netinfo and hmmm.
Why so many ODD USERS. I never run email servers, especially on my
LAPTOP! Why do I have Sendmail AND Postfix users. I never installed
those. There's a lot of WEIRD sH(io)t
So Ever snooping and a bit SUSPICIOUS given the topics of my page... It
helps to have BBEdit to do this...
Open Terminal
cd /
bbedit mach_kernel
At the end is a Text Section. It's kind of neat that Mach-O files have
an OE ligature in the first 4 bytes. Look at it in Andale Mono or Apple
Chancery.
There are some VERY SUSPICIOUS EXPORTED FUNCTIONS. As well as
surprisingly FEW Mach functions... WHOLE LOT OF NETWORKING CODE. What's
an ATsocket? (Avi T?) Here are some:
.constructors_used
.destructors_used
Choke (Hmmmm... Sounds AGGRESSIVE... )
ClearRealCall
CreateFakeDECCall (DEC ethernet controller cell in ASIC... Why fake a
call?)
CreateFakeIOCall (AIRPORT has been VERY ACTIVE in my Laptop without
being On in the Prefs.)
CreateShutdownCTXCall
CutTrace (Covering tracks ?)
DoPreemptCall
LoadDBATsCall (Well, if you're going to HACK into running processes,
where are they? Globals...)
LoadIBATsCall (Executable code... )
NullCall
StoreRealCall (Well, you DO want to perform the actual syscall made...
EVENTUALLY)
SwitchContextCall (Switch Context... Hmmm.... Down Below...)
_AARPwakeup
_ASPgetmsg
_ASPputmsg
_ATPgetreq
_ATPgetrsp
_ATPsndreq
_ATPsndrsp
_ATgetmsg
_ATputmsg
_ATsocket
_AURPaccess
_AURPcleanup
_AURPcmdx
_AURPfreemsg
_AURPgetmsg
_AURPgetri
_AURPinit
_AURPiocack
_AURPiocnak
_AURPpurgeri
_AURPrcvOpenReq
_AURPrcvOpenRsp
_AURPrcvRDReq
_AURPrcvRIAck
_AURPrcvRIReq
_AURPrcvRIRsp
_AURPrcvRIUpd
_AURPrcvTickle
_AURPrcvTickleAck
_AURPrcvZReq
_AURPrcvZRsp
_AURPrtupdate
_AURPsend
_AURPsetri
_AURPshutdown
_AURPsndGDZL
_AURPsndGZN
_AURPsndOpenReq
_AURPsndOpenReq_funnel
_AURPsndRDReq
_AURPsndRIAck
_AURPsndRIReq
_AURPsndRIReq_funnel
_AURPsndRIRsp_funnel
_AURPsndRIUpd
_AURPsndRIUpd_funnel
_AURPsndTickle
_AURPsndZReq
_AURPsndZRsp
_AURPupdate
_AURPupdateri
_AbortIO
_AdspBad
_AgeCatalogIterator
_AlignAssist
_AlignAssist64
_AllocateNode
_AltivecAssist
_Assert
_BF_decrypt
_BF_encrypt
_BF_set_key
_BTClosePath
_BTDeleteRecord
_BTFlushPath
_BTGetInformation
_BTGetLastSync
_BTInsertRecord
_BTInvalidateHint
_BTIterateRecord
_BTIterateRecords
_BTOpenPath
_BTReloadData
_BTReplaceRecord
_BTScanInitialize
_BTScanNextRecord
_BTScanTerminate
_BTSearchRecord
_BTSetLastSync
_BTUpdateRecord
_BestBlockSizeFit
_BuildCatalogKey
_BuildCatalogKeyUTF8
_CURSIG
_CalcKeyRecordSize
_CalcMapBits
_CalcRecvWdw
_CalcSendQFree
_CallTVector
_Call_Debugger
_Call_DebuggerC
_Call_continuation (If you're using Coroutines, you do call
continuations. Via setjmp longjmp in C)
_CheckAttn
_CheckExtents
_CheckInsertParams
_CheckNode
_CheckOkToClose
_CheckReadQueue
_CheckRecvSeq
_CheckSend
_ChokeSys (Why would Choke the system?)
_CleanupGlobals
_ClearNode
_ClearReal
_ClearRealLL
_CompareCatalogKeys
_CompareExtendedCatalogKeys
_CompleteQueue
_ConvertUnicodeToUTF8Mangled
_CopyBigCatalogNodeInfo
_CopyCatalogName
_CopyCatalogNodeInfo
_CopyExtentInfo
_CreateFakeDEC (What's the deal with these FAKE calls?)
_CreateFakeDECLL
_CreateFakeIO
_CreateFakeIOLL
_CreateShutdownCTX
_CreateShutdownCTXLL
___cxa_pure_virtual
___disable_threadsignal
___doprnt
___pthread_kill
___sysctl
__cpu_capabilities
__disable_preemption (Is the Kernel REALLY supposed to be doing this?)
__dist_code (Dist_code? Distant Code? )
__doprnt
__doprnt_truncates
__eSynchronizeIO
__enable_preemption
__enable_preemption_no_check (This seems kind of dodgy...)
__giDebugLogDataInternal
__giDebugLogInternal
__giDebugReserved1
__giDebugReserved2
__length_code
__longjmp (Here's another part of what you need to hack coroutines in
C)
__mh_execute_header
__mk_sp_thread_begin (I'm guessing these are actually MachKernel calls.
NOT MANY...!!!)
__mk_sp_thread_depress_abort
__mk_sp_thread_depress_abstime
__mk_sp_thread_depress_ms
__mk_sp_thread_dispatch
__mk_sp_thread_done
__mk_sp_thread_perhaps_yield
__mk_sp_thread_switch
__mk_sp_thread_switch_continue
__mk_sp_thread_unblock
__mutex_lock
__mutex_try
__printf
__setjmp (Here's part of what you need to hack coroutines into C.)
__start
__start_cpu
__tr_align
__tr_flush_block
__tr_init
__tr_stored_block
__tr_tally
__vm_external_state_get
__vm_map_clip_end
__vm_map_clip_start
__vm_map_entry_create
__vm_map_entry_dispose
There's something very ROTTEN going on at the TOP. Who has CVS
privileges for the Mach_Kernel at Apple? Isn't that important, trusted
to primarily: ____ _____
I need to go dig up a Good Disassembler. Well, I guess this goes back
to MIT, but maybe I spooked somebody by downloading compiler tools from
Darwin for my Optimizing Compilers class. Mach-Os always have TEXT
sections... Copy paste... How should I go about CORKING this
Orc~coroutine task hopping backdoor REALTIME monitoring &
controlling port.
.:Eric
_______________________________________________
cocoa-dev mailing list | email@hidden
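An added example, not part of Eric's post or of Apple's code: the way a practitioner reads the names at the end of mach_kernel is from the Mach-O symbol table, not from the raw bytes in a text editor. The C program below parses a 32-bit Mach-O header, follows the load commands to LC_SYMTAB, and lists the symbols that are external and defined (the ones an image actually exports), with every offset checked against the buffer length so a malformed or hostile file cannot make the parser read past the end. Since no kernel image ships with this page, it builds a small constructed big-endian image whose symbol names are borrowed from the list above (a real mach_kernel would be read from disk with fread and handed to the same function); the magic, load-command and nlist constants are the public loader.h/nlist.h values, redefined here so the program compiles on any host. The first four bytes it writes are FE ED FA CE, and the 0xCE is the "OE ligature" the post notices when the file is shown as Mac Roman text. For the record, every name in the list is accounted for by the open Darwin xnu sources: `_AURP*`/`_AT*` are the kernel's AppleTalk stack (AURP is the AppleTalk Update-based Routing Protocol), `_BT*` are the HFS+ B-tree routines, `_BF_*` is Blowfish from the IPsec code, `__tr_*`/`__dist_code`/`__length_code` are zlib's deflate internals, and the `*Call`/`LL` pairs are the PowerPC firmware-call layer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit Mach-O constants (public mach-o/loader.h and nlist.h values), redefined here so the example builds on a non-Apple host. */
#define MH_MAGIC 0xFEEDFACEu  /* big-endian on PowerPC: bytes FE ED FA CE; 0xCE is the OE ligature in Mac Roman */
#define MH_CIGAM 0xCEFAEDFEu  /* the same magic seen through the other byte order */
enum { LC_SYMTAB = 2, N_STAB = 0xe0, N_EXT = 0x01, N_TYPE = 0x0e, N_SECT = 0x0e,
       MH_SIZE = 28, SYMTAB_CMD_SIZE = 24, NLIST_SIZE = 12 };   /* 32-bit struct sizes */

static uint32_t rd32(const uint8_t *p, int swap) {      /* 32-bit read in file byte order */
    uint32_t v; memcpy(&v, p, 4);
    return swap ? (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24) : v;
}
static void wr32(uint8_t *p, uint32_t v) {              /* big-endian, like a PowerPC kernel */
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* 1 if img starts with a 32-bit Mach-O header; *swap: file byte order differs from the host's. */
int macho_header_ok(const uint8_t *img, size_t len, int *swap) {
    uint32_t magic = len >= MH_SIZE ? rd32(img, 0) : 0;
    *swap = (magic == MH_CIGAM); return magic == MH_MAGIC || magic == MH_CIGAM;
}

/* Walks the load commands to LC_SYMTAB and copies the names of external, defined symbols (what the
   image exports) into out[]. Every offset is checked against len: a file read from disk is untrusted
   input and a hostile header must not walk the parser off the buffer. Returns count, or -1 if malformed. */
int list_exported_symbols(const uint8_t *img, size_t len, char out[][64], int max) {
    int swap; if (!macho_header_ok(img, len, &swap)) return -1;
    uint32_t ncmds = rd32(img + 16, swap), sizeofcmds = rd32(img + 20, swap);
    if (sizeofcmds > len - MH_SIZE) return -1;
    size_t off = MH_SIZE, end = MH_SIZE + sizeofcmds;
    uint32_t symoff = 0, nsyms = 0, stroff = 0, strsize = 0, found = 0, cmdsize = 0;
    for (uint32_t i = 0; i < ncmds && !found; i++, off += cmdsize) {
        if (end - off < 8) return -1;
        uint32_t cmd = rd32(img + off, swap); cmdsize = rd32(img + off + 4, swap);
        if (cmdsize < 8 || cmdsize > end - off) return -1;
        if (cmd != LC_SYMTAB) continue; if (cmdsize < SYMTAB_CMD_SIZE) return -1;
        symoff = rd32(img + off + 8, swap);  nsyms   = rd32(img + off + 12, swap);
        stroff = rd32(img + off + 16, swap); strsize = rd32(img + off + 20, swap); found = 1;
    }
    if (!found || symoff > len || nsyms > (len - symoff) / NLIST_SIZE) return -1;
    if (stroff > len || strsize > len - stroff) return -1;
    int n = 0;
    for (uint32_t i = 0; i < nsyms && n < max; i++) {
        const uint8_t *e = img + symoff + (size_t)i * NLIST_SIZE;    /* one struct nlist */
        uint32_t strx = rd32(e, swap); uint8_t type = e[4];
        if ((type & N_STAB) || !(type & N_EXT) || (type & N_TYPE) != N_SECT) continue;
        if (strx >= strsize) return -1;
        const char *name = (const char *)img + stroff + strx;
        size_t l = 0, room = strsize - strx;
        while (l < room && name[l]) l++;
        if (l == room) return -1;                            /* unterminated name */
        snprintf(out[n++], 64, "%s", name);
    }
    return n;
}

/* Constructed sample: a minimal big-endian 32-bit Mach-O with one LC_SYMTAB. The names come from
   the list in the post; the image itself is made up for this example and is not a real mach_kernel. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    static const char strtab[] = "\0_AURPinit\0_ChokeSys\0helper_local\0__mh_execute_header";
    static const struct { uint32_t strx; uint8_t type; } syms[] = {
        {1,  N_SECT | N_EXT},  /* _AURPinit: exported */
        {11, N_SECT | N_EXT},  /* _ChokeSys: exported */
        {21, N_SECT},          /* helper_local: private, must be skipped */
        {0,  0x64},            /* N_SO stab (debug) entry, must be skipped */
        {34, N_SECT | N_EXT},  /* __mh_execute_header: exported */
    };
    const uint32_t nsyms = 5, symoff = MH_SIZE + SYMTAB_CMD_SIZE;
    const uint32_t stroff = symoff + nsyms * NLIST_SIZE, strsize = sizeof strtab;
    if (cap < stroff + strsize) return 0;
    memset(buf, 0, stroff + strsize);
    wr32(buf, MH_MAGIC); wr32(buf + 4, 18 /* CPU_TYPE_POWERPC */); wr32(buf + 12, 2 /* MH_EXECUTE */);
    wr32(buf + 16, 1 /* ncmds */); wr32(buf + 20, SYMTAB_CMD_SIZE);
    uint8_t *lc = buf + MH_SIZE;                             /* the single load command */
    wr32(lc, LC_SYMTAB); wr32(lc + 4, SYMTAB_CMD_SIZE); wr32(lc + 8, symoff);
    wr32(lc + 12, nsyms); wr32(lc + 16, stroff); wr32(lc + 20, strsize);
    for (uint32_t i = 0; i < nsyms; i++) {                   /* nlist: strx, type, sect, desc, value */
        uint8_t *e = buf + symoff + i * NLIST_SIZE;
        wr32(e, syms[i].strx); e[4] = syms[i].type; e[5] = 1; wr32(e + 8, 0x1000 + i * 16);
    }
    memcpy(buf + stroff, strtab, strsize); return stroff + strsize;
}

/* Demo drivers: parse the constructed image once and expose the results. */
static uint8_t g_img[256]; static char g_names[16][64]; static size_t g_len; static int g_n = -2;
int demo_exported_count(void) {
    if (g_n == -2) { g_len = build_sample_image(g_img, sizeof g_img); g_n = list_exported_symbols(g_img, g_len, g_names, 16); }
    return g_n;
}
const char *demo_exported_name(int i) { return (i >= 0 && i < demo_exported_count()) ? g_names[i] : ""; }
int demo_magic_byte(int i) { demo_exported_count(); return g_img[i & 3]; }
int demo_rejects_truncated(void) {      /* 10 bytes cut off the string table: must fail, not over-read */
    demo_exported_count(); return list_exported_symbols(g_img, g_len - 10, g_names, 16) == -1;
}

int main(void) {
    for (int i = 0; i < demo_exported_count(); i++) printf("exported: %s\n", demo_exported_name(i));
    return demo_exported_count() == 3 && demo_rejects_truncated() ? 0 : 1;
}
```

On a real image the same function is fed the file contents; on the Mac itself, `nm -g /mach_kernel` prints the external symbols and `otool -l /mach_kernel` dumps the load commands, which is the quickest way to see that the names are the kernel's own symbol table rather than anything hidden in it. The truncation check at the end is the part worth keeping in any parser of this kind: a header that points its string table or symbol array past the end of the file must be rejected, not followed.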