Kextpocalypse-2 script
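#!/bin/bash
# Script to scan a system for kexts and gather the information needed for Apple whitelisting
# open https://www.richard-purves.com/2017/11/12/kextpocalyse-2-the-remediation
#
# Output:   $HOME/Desktop/com.apple.syspolicy.kernel-extension-policy.plist
# Requires: sudo (for the filesystem scan), codesign, defaults, xmllint
# Exit:     0 on success (also when no third-party kexts are found),
#           1 if the scratch file cannot be created or xmllint rejects the XML

plist="com.apple.syspolicy.kernel-extension-policy.plist"
output="$HOME/Desktop"
override="false"

# Stop IFS linesplitting on spaces (kext paths may contain them) and turn off
# pathname expansion so a path containing '*' or '?' is not globbed when the
# find output is split into the array below.
OIFS=$IFS
IFS=$'\n'
set -f

# Scratch file: a random name from mktemp instead of a fixed path under /tmp,
# so another local user cannot pre-create or symlink the file the policy is
# assembled in. Removed on every exit path.
tmpxml=$(mktemp "${TMPDIR:-/tmp}/kextpolicy.XXXXXX") || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$tmpxml"' EXIT

#######################################
# Escape the XML metacharacters in a value before it is written into the
# policy. Team IDs and bundle IDs are read from third-party kexts, so without
# this a crafted Info.plist could inject extra elements into the whitelist.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Scan the drive to find 3rd party kexts
# Excluding /System /private ./StagedExtensions and /dev
echo "Searching your drive for kext files"
echo "This may take a while. Please wait ..."
echo "(please enter your password if prompted)"
paths=($( sudo find / \( -type d -name "System" -prune \) -o \( -type d -name "private" -prune \) -o \( -type d -name "StagedExtensions" -prune \) -o \( -type d -name "dev" -prune \) -o \( -name "*.kext" -type d -print \) ))
echo ""

# Nothing to whitelist: say so and stop rather than writing an empty policy
# file to the Desktop.
if (( ${#paths[@]} == 0 )); then
  echo "No third party kexts found. Nothing to do."
  IFS=$OIFS
  exit 0
fi

# Report the details of all found
for (( loop=0; loop<${#paths[@]}; loop++ )); do
  # Get the Team Identifier for the kext (empty when not Developer ID signed)
  teamid[$loop]=$( codesign -d -vvvv "${paths[$loop]}" 2>&1 | grep "Authority=Developer ID Application:" | cut -d"(" -f2 | tr -d ")" )
  # Get the CFBundleIdentifier for the kext
  bundid[$loop]=$( defaults read "${paths[$loop]}/Contents/Info.plist" CFBundleIdentifier )
  echo "Team ID: ${teamid[$loop]} Bundle ID: ${bundid[$loop]}"
done
echo ""

# Start to generate a plist file
echo "Processing Team IDs into xml"
echo ""

# Prune the duplicate ID's from the array. Empty IDs (unsigned kexts) produce
# empty lines, which the newline IFS drops during the array split.
nodupes=($( printf '%s\n' "${teamid[@]}" | sort -u ))

# Now write out the xml with what we've discovered, one redirect for the whole group
{
  # Header first
  echo '<?xml version="1.0" encoding="UTF-8"?>'
  echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
  echo '<plist version="1.0">'
  echo '<dict>'
  # Start with the User Override ($override is a script constant, not kext data)
  echo "<key>AllowUserOverrides</key>"
  echo "<$override/>"
  # Now the Team IDs
  echo '<key>AllowedTeamIdentifiers</key>'
  echo '<array>'
  for (( loop=0; loop<${#nodupes[@]}; loop++ )); do
    # Write the team identifier to the file
    echo "<string>$(xml_escape "${nodupes[$loop]}")</string>"
  done
  echo '</array>'
  # Now for the Bundle IDs with the Team IDs
  echo '<key>AllowedKernelExtensions</key>'
  echo '<dict>'
  for (( loop=0; loop<${#nodupes[@]}; loop++ )); do
    echo "<key>$(xml_escape "${nodupes[$loop]}")</key>"
    echo '<array>'
    # Every kext whose Team ID matches this key contributes its bundle id.
    # loopint is initialised here rather than relying on an unset variable
    # evaluating to 0 in the first pass.
    for (( loopint=0; loopint<${#teamid[@]}; loopint++ )); do
      if [ "${nodupes[$loop]}" = "${teamid[$loopint]}" ]; then
        echo "<string>$(xml_escape "${bundid[$loopint]}")</string>"
      fi
    done
    echo '</array>'
  done
  # Close up, we're done
  echo '</dict>'
  echo '</dict>'
  echo '</plist>'
} > "$tmpxml"

# Now format the file nicely and rename. A non-zero status here means the
# assembled XML is not well-formed; do not leave a half-written policy behind.
if ! xmllint --format "$tmpxml" > "$output/$plist"; then
  echo "xmllint failed to format $tmpxml; policy not written" >&2
  rm -f -- "$output/$plist"
  IFS=$OIFS
  exit 1
fi
cat "$output/$plist"

# Reset IFS and quit
IFS=$OIFS
exit 0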