Considerations for kext communication methods

Developing kexts on macOS 10.15 is recommended, to avoid frequent reboots.

Kernel extensions

https://support.apple.com/zh-cn/guide/deployment/depa5fb8376f/web
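In macOS 11 or later, if third-party kernel extensions (kexts) are enabled, they cannot be loaded into the kernel on demand. Third-party kernel extensions require user approval and a restart of macOS to load the changes into the kernel, and on a Mac with Apple silicon they also require secure boot to be configured to "Reduced Security".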

NuwaStone: an example with both a kernel extension (kext) and a system extension (sext)

https://github.com/ConradSun/NuwaStone
A macOS behavior audit system with scope of file, process and network events.

file/process -> kauth
<=10.15 kauth vnode/fileop
>=10.16(11.0) EndpointSecurity
network ->
<=10.15 sflt_register [NKE Network Kernel Extension KPI]
>=10.16(11.0) NetworkExtension

Similar software -> Huorong Sword (火绒剑) for Mac

https://www.huorong.cn/mac_download.html
https://bbs.huorong.cn/thread-84449-1-1.html

Huorong Sword requires macOS 11.1 and supports only the sext.

[EndpointSecurity/NetworkExtension]

$ otool -L HRSword 
HRSword:
 /usr/lib/libEndpointSecurity.dylib (compatibility version 1.0.0, current version 197.60.1)
libuactmon.dylib:
 /usr/lib/libEndpointSecurity.dylib (compatibility version 1.0.0, current version 63.140.5)
$ otool -L libuactmon.dylib
libuactmon.dylib:
 /usr/lib/libEndpointSecurity.dylib (compatibility version 1.0.0, current version 63.140.5)

HRSword.app/Contents/Library/SystemExtensions/cn.huorong.HRSword.HRSwordEx.systemextension/Contents/Info.plist

<key>NetworkExtension</key>
<dict>
  <key>NEMachServiceName</key>
  <string>BN27PM448X.group.cn.huorong.group.HRSwordEx</string>
  <key>NEProviderClasses</key>
  <dict>
   <key>com.apple.networkextension.filter-data</key>
   <string>OCFilterDataProvider</string>
  </dict>
</dict>
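
To audit what a system extension declares, its Info.plist can be parsed offline. The following is an added example, not code from NuwaStone or Huorong: the function name `summarize_network_extension` and the sample plist (the fragment above wrapped in a minimal plist) are constructed for illustration.

```python
import plistlib

# Provider-class keys defined by Apple's NetworkExtension framework.
NE_PROVIDER_KINDS = {
    "com.apple.networkextension.filter-data": "content filter (per-flow data)",
    "com.apple.networkextension.filter-packet": "content filter (per-packet)",
    "com.apple.networkextension.packet-tunnel": "packet tunnel (VPN)",
    "com.apple.networkextension.app-proxy": "app proxy",
    "com.apple.networkextension.dns-proxy": "DNS proxy",
}

# Constructed sample: the NetworkExtension fragment shown above, wrapped in a
# minimal plist so it parses on its own. A real Info.plist carries more keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NetworkExtension</key>
  <dict>
    <key>NEMachServiceName</key>
    <string>BN27PM448X.group.cn.huorong.group.HRSwordEx</string>
    <key>NEProviderClasses</key>
    <dict>
      <key>com.apple.networkextension.filter-data</key>
      <string>OCFilterDataProvider</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def summarize_network_extension(plist_bytes):
    """Summarize the NetworkExtension section of a system extension Info.plist.

    Returns None when the section is absent, e.g. for an extension that only
    uses EndpointSecurity and registers no network provider.
    """
    info = plistlib.loads(plist_bytes)
    ne = info.get("NetworkExtension") if isinstance(info, dict) else None
    if not isinstance(ne, dict):
        return None
    service = ne.get("NEMachServiceName", "")
    providers = [
        {"key": key, "class": cls, "kind": NE_PROVIDER_KINDS.get(key, "unknown")}
        for key, cls in sorted(ne.get("NEProviderClasses", {}).items())
    ]
    # The Mach service name is prefixed with an app group; its first label is kept
    # separately so extensions from the same vendor can be grouped.
    return {"mach_service": service, "prefix": service.split(".", 1)[0], "providers": providers}

if __name__ == "__main__":
    print(summarize_network_extension(SAMPLE_PLIST))
```

For the fragment above this reports a single `filter-data` provider, i.e. the extension sees network flows as a content filter, which corresponds to the `>=10.16(11.0) NetworkExtension` path in the mapping earlier on this page.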