• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    迪恩网络公众号
登陆 注册
描述文字

didi/kemon: An Open-Source Pre and Post Callback-Based Framework for macOS Kerne ...

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

didi/kemon

开源软件地址(OpenSource Url):

https://github.com/didi/kemon

开源编程语言(OpenSource Language):

C 100.0%

开源软件介绍(OpenSource Introduction):

Kemon

An Open Source Pre and Post Callback-based Framework for macOS Kernel Monitoring.

[ Breaking News - 08/28/2019 ]
macOS Catalina 10.15 Beta 7 Release Notes
https://developer.apple.com/documentation/macos_release_notes/macos_catalina_10_15_beta_7_release_notes

Endpoint Security

  • The kauth API has been removed. (50419013)

/* After testing, I found that these Kauth interfaces are not really removed, and Kemon still works. But I think this release note means that the door to the macOS kernel is closing. (08/28/2019) */

What is Kemon?

Kemon is an open source Pre and Post callback-based framework for macOS kernel monitoring [1]. With the power of Kemon, we can easily implement XPC/IPC communication monitoring [2], Mandatory Access Control (MAC) policy filtering, network traffic and kernel extension firewall, etc. In general, from an attacker's perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities.

I also implemented several kernel fuzzers [3] [6] based on this framework, which helped me find many kernel vulnerabilities, such as:

  1. Graphics related kernel extensions:
    CVE-2017-7155, CVE-2017-7163, CVE-2017-13883 [9], CVE-2018-4350, CVE-2018-4396, CVE-2018-4418 [10], CVE-2019-8807 [11], CVE-2022-22631 [21], etc.

  2. Wi-Fi IO80211FamilyV1/V2 [4] [8]:
    CVE-2020-9832, CVE-2020-9833, CVE-2020-9834 [13], CVE-2020-9899 [14], CVE-2020-10013 [15] [16] [17], CVE-2022-26761 [22], CVE-2022-26762 [23], etc.

  3. Bluetooth Host Controller Interface (HCI) [5]:
    CVE-2020-3892, CVE-2020-3893, CVE-2020-3905, CVE-2020-3907, CVE-2020-3908, CVE-2020-3912, CVE-2020-9779, CVE-2020-9853 [12], CVE-2020-9831 [13], CVE-2020-9928, CVE-2020-9929 [14], etc.

  4. Kernel memory mapping mechanism [7]:
    CVE-2020-27914, CVE-2020-27915, CVE-2020-27936 [18] [19], CVE-2021-30678 [20], etc.

Supported Features

Kemon's features include:

  • file operation monitoring
  • process creation monitoring
  • dynamic library and kernel extension monitoring
  • network traffic monitoring
  • Mandatory Access Control (MAC) policy monitoring, etc.

In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.

Getting Started

How to build the Kemon kernel extension

Please use Xcode project or makefile to build the Kemon kext driver

How to use the Kemon kernel extension

Please turn off macOS System Integrity Protection (SIP) check if you don't have a valid kernel certificate
Use the command "sudo chown -R root:wheel kemon.kext" to change the owner of the Kemon kernel extension
Use the command "sudo kextload kemon.kext" to install the Kemon kernel extension
Use the command "sudo kextunload kemon.kext" to uninstall the Kemon kernel extension

Contributing

Welcome to contribute by creating issues or sending pull requests. See Contributing Guide for guidelines.

License

Kemon is licensed under the Apache License 2.0. See the LICENSE file.

References

  1. https://www.blackhat.com/us-18/arsenal/schedule/#kemon-an-open-source-pre-and-post-callback-based-framework-for-macos-kernel-monitoring-12085
  2. https://www.blackhat.com/us-19/arsenal/schedule/#ksbox-a-fine-grained-macos-malware-sandbox-15059
  3. https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Wang
  4. https://www.blackhat.com/us-20/briefings/schedule/index.html#dive-into-apple-iofamilyv-20023
  5. https://www.blackhat.com/eu-20/briefings/schedule/index.html#please-make-a-dentist-appointment-asap-attacking-iobluetoothfamily-hci-and-vendor-specific-commands-21155
  6. https://www.blackhat.com/us-20/arsenal/schedule/index.html#macos-bluetooth-analysis-suite-mbas-19886
  7. https://www.blackhat.com/asia-21/briefings/schedule/index.html#racing-the-dark-a-new-tocttou-story-from-apples-core-22214
  8. https://www.blackhat.com/us-22/briefings/schedule/#dive-into-apple-iofamily-vol--27728
  9. https://support.apple.com/en-us/HT208331
  10. https://support.apple.com/en-us/HT209193
  11. https://support.apple.com/en-us/HT210722
  12. https://support.apple.com/en-us/HT211100
  13. https://support.apple.com/en-us/HT211170
  14. https://support.apple.com/en-us/HT211289
  15. https://support.apple.com/en-us/HT211843
  16. https://support.apple.com/en-us/HT211849
  17. https://support.apple.com/en-us/HT211850
  18. https://support.apple.com/en-us/HT211931
  19. https://support.apple.com/en-us/HT212011
  20. https://support.apple.com/en-us/HT212529
  21. https://support.apple.com/en-us/HT213183
  22. https://support.apple.com/en-us/HT213257
  23. https://support.apple.com/en-us/HT213258

鲜花
握手
雷人
路过
鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
More+
上一篇:
louisdh/source-editor: A native source editor for iOS and macOS, written in Swif ...发布时间:2022-08-18
下一篇:
z11h/awesome-touchbar: :star2: delightful macOS resources for your touchbar发布时间:2022-08-18
热门推荐
More+
热门话题
More+
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap