<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<dict> | |
<key>CFBundleDevelopmentRegion</key> | |
<string>en</string> | |
<key>CFBundleExecutable</key> | |
<string>$(EXECUTABLE_NAME)</string> | |
<key>CFBundleIdentifier</key> | |
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> | |
<key>CFBundleInfoDictionaryVersion</key> | |
<string>6.0</string> | |
<key>CFBundleName</key> | |
<string>$(PRODUCT_NAME)</string> | |
<key>CFBundlePackageType</key> | |
<string>KEXT</string> | |
<key>CFBundleShortVersionString</key> | |
<string>1.0</string> | |
<key>CFBundleVersion</key> | |
<string>1</string> | |
<key>NSHumanReadableCopyright</key> | |
<string>Copyright © 2017 Alex Ling. All rights reserved.</string> | |
<key>OSBundleLibraries</key> | |
<dict> | |
<key>com.apple.kpi.bsd</key> | |
<string>8.0.0</string> | |
<key>com.apple.kpi.libkern</key> | |
<string>8.0.0</string> | |
</dict> | |
</dict> | |
</plist> |
// | |
// KAuthTest.c | |
// KAuthTest | |
// | |
// Modified from https://objective-see.com/blog/blog_0x0A.html | |
// Created by Alex Ling on 28/2/2017. | |
// Copyright © 2017 Alex Ling. All rights reserved. | |
// | |
#pragma clang diagnostic push | |
#pragma clang diagnostic ignored "-Wdocumentation" | |
#pragma clang diagnostic ignored "-Wsign-conversion" | |
#include <kern/assert.h>
#include <mach/mach_types.h>
#include <libkern/libkern.h>
#include <libkern/OSAtomic.h>
#include <libkern/OSMalloc.h>
#include <sys/kauth.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/sysctl.h>
#include <sys/vnode.h>
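// Handle returned by kauth_listen_scope(); NULL until KAuthTest_start has
// registered the listener and again after KAuthTest_stop has removed it.
kauth_listener_t listener = NULL;

// Number of processExec() invocations currently executing.
//
// kauth_unlisten_scope() only stops *new* invocations; a callback that is
// already running keeps executing this kext's code.  If KAuthTest_stop
// returned while such a callback was still in flight, the kext text could be
// unloaded underneath it and the machine would panic.  Every callback
// therefore bumps this counter on entry and drops it on exit, and stop()
// waits for it to reach zero before returning.
static SInt32 activationCount = 0;

// KAUTH_SCOPE_FILEOP listener.
//
// Only KAUTH_FILEOP_EXEC is of interest: for that action the path of the
// image being executed is logged together with the pid/ppid/uid of the
// process performing the exec.  Every other file operation is ignored.
//
// credential: credential of the thread performing the operation (unused;
//             kauth_getuid() is queried for the current thread instead)
// idata:      cookie passed to kauth_listen_scope() (NULL here)
// action:     KAUTH_FILEOP_* action code
// arg0-arg3:  action-specific; for KAUTH_FILEOP_EXEC arg0 is the vnode and
//             arg1 the path of the executed image (see <sys/kauth.h>)
//
// Always returns KAUTH_RESULT_DEFER.  The FILEOP scope is notification-only;
// a listener here observes the exec, it cannot block it.
static int processExec(kauth_cred_t credential, void* idata, kauth_action_t action, uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
{
    (void)credential;
    (void)idata;
    (void)arg0;
    (void)arg2;
    (void)arg3;

    // Mark this invocation active before doing anything else so that
    // KAuthTest_stop cannot finish while this function is still running.
    (void)OSIncrementAtomic(&activationCount);

    if (KAUTH_FILEOP_EXEC == action) {
        const char* path = (const char*)arg1;
        if (path == NULL) {
            // Never feed a NULL pointer to %s in the kernel printf.
            path = "<unknown>";
        }

        uid_t uid = kauth_getuid();
        pid_t pid = proc_selfpid();
        pid_t ppid = proc_selfppid();

        // uid_t is unsigned, so it is printed with %u; pid_t is a signed int.
        printf("BLOCKBLOCK KEXT: new process: %s %d/%d/%u\n", path, pid, ppid, uid);

        // TODO: alert user mode
    }

    (void)OSDecrementAtomic(&activationCount);
    return KAUTH_RESULT_DEFER;
}

kern_return_t KAuthTest_start(kmod_info_t * ki, void *d);
kern_return_t KAuthTest_stop(kmod_info_t *ki, void *d);

// Kext entry point: registers processExec on the FILEOP scope.
//
// Returns KERN_SUCCESS when the listener is installed.  If registration fails
// the kext would be loaded but inert and stop() would be handed a NULL
// handle, so KERN_FAILURE is returned and the load is refused instead.
kern_return_t KAuthTest_start(kmod_info_t * ki, void *d)
{
    (void)ki;
    (void)d;

    printf("starting... ");

    listener = kauth_listen_scope(KAUTH_SCOPE_FILEOP, &processExec, NULL);
    if (listener == NULL) {
        printf("KAuthTest: kauth_listen_scope failed\n");
        return KERN_FAILURE;
    }

    return KERN_SUCCESS;
}

// Kext exit point: removes the listener and waits for in-flight callbacks.
//
// The wait is essential: without it a processExec() invocation that started
// just before kauth_unlisten_scope() could still be executing when the kext
// is unloaded.  Polls activationCount once a second via msleep() until no
// callback remains; msleep() being an opaque call also forces the counter to
// be re-read on every iteration.  Always returns KERN_SUCCESS.
kern_return_t KAuthTest_stop(kmod_info_t *ki, void *d)
{
    (void)ki;
    (void)d;

    if (listener != NULL) {
        kauth_unlisten_scope(listener);
        listener = NULL;
    }

    while (activationCount > 0) {
        struct timespec oneSecond = { 1, 0 };
        (void)msleep(&activationCount, NULL, PUSER, "KAuthTest_stop", &oneSecond);
    }

    printf("exiting... ");
    return KERN_SUCCESS;
}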