macos_kernel.md
https://github.com/maurice-schuppe/flockflock
https://github.com/jzlka/macOS-monitoring-API-demos

Kext notarization on macOS
https://blog.csdn.net/tanhuang614/article/details/100552285

open /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks

cp -R test.kext hello.kext
sudo chmod -R 755 hello.kext
sudo chown -R root:wheel hello.kext

cp -R FlockFlock.kext tmp.kext
sudo chmod -R 755 tmp.kext
sudo chown -R root:wheel tmp.kext

Mac kernel extension development
https://toutiao.io/posts/fhdsfj/preview

Mac OS X and iOS Internals, study notes (15)
https://www.jianshu.com/p/96837976c1f8

Mac system extensions for threat detection: Part 3
https://www.elastic.co/blog/mac-system-extensions-for-threat-detection-part-3

On macOS Kernel/Kext Logging
https://rw.internals.io/post/on-macOS-kernel-kext-logging/

log show --predicate 'senderImagePath CONTAINS "Echo"'

log show --predicate "processID == 242"

log show --predicate 'sender == "org.debug.Echo"'


log stream --predicate 'senderImagePath CONTAINS "tmp"'
log show --predicate 'senderImagePath CONTAINS "tmp"'
log stream --sender tmp

log stream --predicate 'senderImagePath CONTAINS "test"'
log show --predicate 'senderImagePath CONTAINS "hello"'
log stream --predicate 'senderImagePath CONTAINS "hello"'


clang notify_demo.c -lEndpointSecurity -lbsm -o notify
codesign -f -s - --entitlements Extension.entitlements notify

clang auth_demo.c -lEndpointSecurity -lbsm -o auth
codesign -f -s - --entitlements Extension.entitlements auth
sudo ./auth
open -b com.apple.TextEdit
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.kpi.libkern</key>
<string>15.0</string>
<key>com.apple.kpi.bsd</key>
<string>15.0</string>
<key>com.apple.kpi.dsep</key>
<string>15.0</string>
</dict>
</plist>

com.apple.kpi.dsep -> mac_policy_register
com.apple.kpi.bsd -> vn_getpath
com.apple.kpi.libkern -> std c lib

kextstat | grep kpi
# https://leiless.github.io/blog/posts/xnu-kext-use-private-kpi/
# https://github.com/apple-oss-distributions/xnu/blob/main/config/list_supported.sh

Kernel extensions
https://support.apple.com/zh-cn/guide/deployment/depa5fb8376f/web
In macOS 11 or later, third-party kernel extensions (kexts), even when enabled, cannot be loaded into the kernel on demand. A third-party kext requires user approval and a restart of macOS for the change to be loaded into the kernel, and on a Mac with Apple silicon it also requires Secure Boot to be set to Reduced Security.

Implementing communication between a macOS kernel extension and a user-mode process (part 1)
https://www.jianshu.com/p/4268e02e7c4c
Implementing communication between a macOS kernel extension and a user-mode process (part 2)
https://www.jianshu.com/p/8318cabe9535

IOServiceOpen
IOConnectSetNotificationPort
IOConnectCallMethod
IOConnectMapMemory
IOConnectCallAsyncMethod
IOConnectCallStructMethod
IOConnectCallAsyncStructMethod
IOConnectCallScalarMethod
IOConnectCallAsyncScalarMethod

DNS filtering
Socket Filter ->

#include <sys/kpi_socketfilter.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Describe the filter in a zeroed struct (the original declared an uninitialized
 * pointer and bzero'd through it). handle, kSocketFilterName and the
 * socket_*_callback functions are defined elsewhere in the kext. */
struct sflt_filter filter;
bzero(&filter, sizeof(filter));

filter.sf_handle = handle;                  /* unique handle for this filter */
filter.sf_flags = SFLT_GLOBAL;              /* attach to every new socket */
filter.sf_name = (char *)kSocketFilterName;
filter.sf_attach = socket_attach_callback;
filter.sf_detach = socket_detach_callback;
filter.sf_bind = socket_bind_callback;
filter.sf_notify = socket_notify_callback;
filter.sf_data_in = socket_data_in_callback;
filter.sf_data_out = socket_data_out_callback; /* outbound DNS queries are seen here */

/* Register for IPv4 UDP sockets, the sockets DNS queries go out on. */
errno_t err = sflt_register(&filter, PF_INET, SOCK_DGRAM, IPPROTO_UDP);

/* Prototype from the NKE KPI (deprecated since macOS 10.15): */
extern errno_t sflt_register(const struct sflt_filter *filter, int domain,
    int type, int protocol)
__NKE_API_DEPRECATED;

NuwaStone
https://github.com/ConradSun/NuwaStone
A macOS behavior audit system with scope of file, process and network events.
file/process ->
<=10.15: kauth vnode/fileop
>=10.16 (11.0): EndpointSecurity
network ->
<=10.15: sflt_register [NKE Network Kernel Extension KPI]
>=10.16 (11.0): NetworkExtension

vm_kernel_unslide_or_perm_external
https://github.com/AloneMonkey/MacKext/blob/master/AntiRootkit/macho/macho_utils.c
https://github.com/shinvou/SIPless Small KEXT to disable SIP on >= macOS 10.12.
https://github.com/snare/KernelResolver origin
https://github.com/leiless/ksymresolver
[Repost] Resolving kernel symbols
https://www.cnblogs.com/Proteas/p/4030779.html
https://www.bbsmax.com/A/nAJvmNb8zr/
Resolving Kernel Symbols Post-ASLR
https://www.zdziarski.com/blog/?p=6901
https://github.com/jzdziarski/kernelresolver/blob/master/kernel_resolver.c
Mac OS X kernel programming and Mac driver development resource roundup
https://blog.csdn.net/majiakun1/article/details/78030073
Slides: Crafting macOS Root Kits
https://www.zdziarski.com/blog/?p=6909
https://www.zdziarski.com/blog/?cat=14
https://www.zdziarski.com/blog/wp-content/uploads/2017/02/Crafting-macOS-Root-Kits.pdf

/* Abridged from XNU bsd/kern/kern_exec.c: the MACF exec hook runs before the
 * kauth vnode authorization, and the fileop listeners are only notified. */
static int
exec_check_permissions(struct image_params *imgp)
{
#if CONFIG_MACF
error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
if (error) {
return error;
}
#endif

/* Check for execute permission */
action = KAUTH_VNODE_EXECUTE;
/* Traced images must also be readable */
if (p->p_lflag & P_LTRACED) {
action |= KAUTH_VNODE_READ_DATA;
}
if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != 0) {
return error;
}
}
static int
exec_activate_image(struct image_params *imgp)
{
error = exec_check_permissions(imgp);
if (error) {
goto bad;
}
/*
* Call out to allow 3rd party notification of exec.
* Ignore result of kauth_authorize_fileop call.
*/
if (kauth_authorize_fileop_has_listeners()) {
kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
KAUTH_FILEOP_EXEC,
(uintptr_t)ndp->ni_vp, 0);
}
}
__mac_execve -> exec_activate_image

MACF is checked first, then kauth.

/* Abridged from XNU bsd/kern (uipc_syscalls.c, uipc_socket.c, uipc_usrreq.c):
 * the MACF socket checks run before the socket-filter (sflt_*) hooks on bind
 * and connect, and before vnode_authorize for UNIX-domain connects. */
#if CONFIG_MACF_SOCKET_SUBSET
if ((sa != NULL && sa->sa_family == AF_SYSTEM) ||
(error = mac_socket_check_bind(kauth_cred_get(), so, sa)) == 0) {
error = sobindlock(so, sa, 1); /* will lock socket */
}
#else
error = sobindlock(so, sa, 1); /* will lock socket */
#endif /* MAC_SOCKET_SUBSET */
// sobindlock ->
/* Socket filter */
error = sflt_bind(so, nam);
// soconnectlock ->
/*
* Run connect filter before calling protocol:
* - non-blocking connect returns before completion;
*/
error = sflt_connectout(so, nam);
// sonewconn ->
sflt_connectin
#if CONFIG_MACF_SOCKET_SUBSET
error = mac_vnode_check_uipc_connect(ctx, vp, so);
if (error) {
socket_lock(so, 0);
goto out;
}
#endif /* MAC_SOCKET_SUBSET */

error = vnode_authorize(vp, NULL, KAUTH_VNODE_WRITE_DATA, ctx);
// connectit/connectitx ->
#if CONFIG_MACF_SOCKET_SUBSET
if ((error = mac_socket_check_connect(kauth_cred_get(), so, dst)) != 0) {
return error;
}

if (auio != NULL) {
if ((error = mac_socket_check_send(kauth_cred_get(), so, dst)) != 0) {
return error;
}
}
#endif /* MAC_SOCKET_SUBSET */
connectx ->
connectx_nocancel -> connectitx
int
connect(proc_ref_t p, struct connect_args *uap, int32_ref_t retval)
{
__pthread_testcancel(1);
return connect_nocancel(p, (struct connect_nocancel_args *)uap,
retval);
}
// connect -> connectx_nocancel -> connectitx

https://github.com/leiless/ksymresolver
https://github.com/jzdziarski/kernelresolver
https://github.com/shinvou/SIPless.git
https://github.com/Ch4nc3n/HookSysCall.git
https://www.cs.dartmouth.edu/~sergey/cs108/guest_lectures/xnu-suggested-project.txt
https://man.netbsd.org/kauth.9
https://cs.dartmouth.edu/~sergey/cs258/
https://github.com/Andrej-Antipov/Kext-Install-Utility

m_vnodeListener = kauth_listen_scope(KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
if (m_vnodeListener == nullptr) {
return false;
}
m_fileopListener = kauth_listen_scope(KAUTH_SCOPE_FILEOP, fileop_scope_callback, reinterpret_cast<void *>(this));
if (m_fileopListener == nullptr) {
kauth_unlisten_scope(m_vnodeListener);
return false;
}
static const char *scope_name[] = {
KAUTH_SCOPE_GENERIC,
KAUTH_SCOPE_PROCESS,
KAUTH_SCOPE_VNODE,
KAUTH_SCOPE_FILEOP,
};

static kauth_scope_callback_t scope_cb[] = {
generic_scope_cb,
process_scope_cb,
vnode_scope_cb,
fileop_scope_cb,
};
/*
* Generic scope.
*/
#define KAUTH_SCOPE_GENERIC "com.apple.kauth.generic"
/*
* Process/task scope.
*/
#define KAUTH_SCOPE_PROCESS "com.apple.kauth.process"
/*
* Vnode operation scope.
*
* Prototype for vnode_authorize is in vnode.h
*/
#define KAUTH_SCOPE_VNODE "com.apple.kauth.vnode"
/*
* File system operation scope.
*
*/
#define KAUTH_SCOPE_FILEOP "com.apple.kauth.fileop"

DNS Query
port = 53

Blocking network access
Network Extension
NEFilterSocketFlow/NEAppProxyFlow/NENetworkRule
https://github.com/Paragon-Software-Group/paragon_firewall_ce
Paragon Firewall for Mac Community Edition
https://github.com/OlexiyKhokhlov/HeyApple
https://github.com/zeek/zeek-agent-v2/blob/main/src/platform/darwin/network-extension.mm
https://github.com/zeek/zeek

return [NEFilterNewFlowVerdict dropVerdict];
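Added example, not code from any of the projects linked above: the pure-C decision logic that a socket filter's sf_data_out callback (UDP, port 53) or an NE flow handler returning dropVerdict could call to decide whether an outbound DNS query passes. The blocked zones and the sample query packet are constructed; real callbacks would first pull the payload out of the mbuf or flow.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>
enum verdict { VERDICT_ALLOW = 0, VERDICT_DROP = 1 };
/* Constructed sample: a standard A query for www.evil.example (id 0x1234). */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 4, 'e', 'v', 'i', 'l', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    0x00, 0x01, 0x00, 0x01 };

/* Copy the first QNAME of a DNS query into out as lower-case dotted text. Returns 0,
 * or -1 if the packet is short, is a response, has QDCOUNT 0 or uses a pointer label. */
static int dns_first_qname(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    size_t off = 12, o = 0;                       /* skip the 12-byte header */
    if (len < 12 || (pkt[2] & 0x80) || ((pkt[4] << 8) | pkt[5]) == 0)
        return -1;
    for (;;) {
        if (off >= len) return -1;
        uint8_t lab = pkt[off++];
        if (lab == 0) break;
        if ((lab & 0xC0) || off + lab > len || o + lab + 1 >= outlen) return -1;
        if (o) out[o++] = '.';
        for (uint8_t k = 0; k < lab; k++) out[o + k] = (char)tolower(pkt[off + k]);
        o += lab; off += lab;
    }
    if (o == 0) return -1;
    out[o] = '\0';
    return 0;
}

/* Verdict for one outbound datagram: not port 53 passes; a query whose QNAME equals or
 * sits under a blocked zone is dropped; a port-53 payload that does not parse is dropped. */
static enum verdict dns_query_verdict(const uint8_t *pkt, size_t len, uint16_t dport)
{
    static const char *blocked[] = { "evil.example", "tracker.example" };
    char name[256];
    if (dport != 53) return VERDICT_ALLOW;
    if (dns_first_qname(pkt, len, name, sizeof name) != 0) return VERDICT_DROP;
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++) {
        size_t nl = strlen(name), bl = strlen(blocked[i]);
        if (nl < bl) continue;
        const char *tail = name + nl - bl;
        if (strcmp(tail, blocked[i]) == 0 && (nl == bl || tail[-1] == '.'))
            return VERDICT_DROP;
    }
    return VERDICT_ALLOW;
}
```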

Network Kernel Extension

sflt_register
result = EPERM;

https://qa.1r1g.com/sf/ask/4474923281/
https://developer.apple.com/fr/support/kernel-extensions/

Several approaches to implementing macOS kernel monitoring
https://paper.seebug.org/380/

xnu_macos.md

libkdd

Kernel Data Descriptors
The KCDATA format

osfmk

kdp

Kernel Debugging Protocol

KextViewr
Netiquette Network Monitor
FileMonitor
LuLu
MacFilter
SimpleFirewall
HeyApple
paragon_firewall_ce
MachOView
macOS-system-projects
hspGuard
Kext-Install-Utility

kernelresolver
KernelResolver
HookSysCall
MacKext
bsd_kext_log
blocker
BlockBlock

macOS-monitoring-API-demos
kemon
flockflock
os-x-ios-kernel-programming
osx_and_ios_kernel_programming
NuwaStone
HelloKernControl
LittleRooter
macprocmon

macOS-Security-and-Privacy-Guide

santa
SIPless
MacKext
rust-kext

dsdump
valgrind-macos -> x64/not arm64
PureDarwin
OpenCorePkg
Masochist
LinkLiar
Surf
CloverBootloader

reverse-engineering-on-osx
LibSymbolize
idb
SandboxMirror
CoreSymbolication
liblorgnette
kdebugView
apple_internal_sdk

newosxbook-tools
dyld-shared-cache-extractor
iTerm2

OC-learn-master
LibraryInjector
ProcessMonitor
BSBacktraceLogger
HookCase
Security

awesome-iOS-resource
libimobiledevice
iOS_app_re_tools

objective-see.md
BlockBlock -> ES_EVENT_TYPE_AUTH_EXEC
FileMonitor ->

es_event_type_t events[] = {ES_EVENT_TYPE_NOTIFY_CREATE, ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_NOTIFY_WRITE, ES_EVENT_TYPE_NOTIFY_CLOSE, ES_EVENT_TYPE_NOTIFY_RENAME, ES_EVENT_TYPE_NOTIFY_LINK, ES_EVENT_TYPE_NOTIFY_UNLINK, ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_EXIT};

LuLu -> NetworkExtension
Netiquette ->
//wish there was a NetworkStatistics.h
// mahalo J. Levin:
// https://twitter.com/Morpheus______
// http://newosxbook.com/src.jl?tree=listings&file=netbottom.c
KnockKnock -> various persistence checks
KextViewr -> kextstat
https://www.oschina.net/p/IosHackStudy