An Open Source Pre and Post Callback-based Framework for macOS Kernel Monitoring.
[ Breaking News - 08/28/2019 ]
macOS Catalina 10.15 Beta 7 Release Notes
https://developer.apple.com/documentation/macos_release_notes/macos_catalina_10_15_beta_7_release_notes
Endpoint Security
/* After testing, I found that these Kauth interfaces are not really removed, and Kemon still works. But I think this release note means that the door to the macOS kernel is closing. (08/28/2019) */
Kemon is an open source Pre and Post callback-based framework [1] for macOS kernel monitoring [2]. With the power of Kemon, we can easily implement XPC/IPC communication monitoring [3], Mandatory Access Control (MAC) policy filtering, network traffic and kernel extension firewall, etc. In general, from an attacker's perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities.
I also implemented several kernel fuzzers [4] [7] based on this framework, which helped me find many kernel vulnerabilities, such as:
Graphics related kernel extensions:
CVE-2017-7155, CVE-2017-7163, CVE-2017-13883 [10], CVE-2018-4350, CVE-2018-4396, CVE-2018-4418 [11], CVE-2019-8807 [12], CVE-2022-22631, CVE-2022-22661, CVE-2022-46706 [22], etc.
Wi-Fi IO80211FamilyV1/V2 [5] [9]:
CVE-2020-9832, CVE-2020-9833, CVE-2020-9834 [14], CVE-2020-9899 [15], CVE-2020-10013 [16] [17] [18], CVE-2022-26761 [23], CVE-2022-26762 [24], CVE-2022-32837, CVE-2022-32847, CVE-2022-32860 [25] [26] [27], CVE-2022-32925, CVE-2022-46709 [28] [29], CVE-2023-38610 [30] [31], etc.
Bluetooth Host Controller Interface (HCI) [6]:
CVE-2020-3892, CVE-2020-3893, CVE-2020-3905, CVE-2020-3907, CVE-2020-3908, CVE-2020-3912, CVE-2020-9779, CVE-2020-9853 [13], CVE-2020-9831 [14], CVE-2020-9928, CVE-2020-9929 [15], etc.
Kernel memory mapping mechanism [8]:
CVE-2020-27914, CVE-2020-27915, CVE-2020-27936 [19] [20], CVE-2021-30678 [21], etc.
Kemon's features include:
In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.
Please use Xcode project or makefile to build the Kemon kext driver
Please turn off macOS System Integrity Protection (SIP) check if you don't have a valid kernel certificate
Use the command "sudo chown -R root:wheel kemon.kext" to change the owner of the Kemon kernel extension
Use the command "sudo kextload kemon.kext" to install the Kemon kernel extension
Use the command "sudo kextunload kemon.kext" to uninstall the Kemon kernel extension
Welcome to contribute by creating issues or sending pull requests. See Contributing Guide for guidelines.
Kemon is licensed under the Apache License 2.0. See the LICENSE file.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。