Kemon

An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring. With the power of it, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, it can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.

Supported Features

• file operation monitoring
• process creation monitoring
• dynamic library and kernel extension monitoring
• network traffic monitoring
• Mandatory Access Control (MAC) policy monitoring, etc.

In addition, it can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.

Download

git clone https://github.com/didi/kemon.git
cd kemon
make

How to use

• Please turn off macOS System Integrity Protection (SIP) check if you don’t have a valid kernel certificate
• Use the below command to change the owner of the Kemon driver

  sudo chown -R root:wheel kemon.kext

• Use the below command to install the Kemon driver

  sudo kextload kemon.kext

• Use the below command to uninstall the Kemon driver

  sudo kextunload kemon.kext

Copyright (C) 2017 Beijing Didi Infinity Technology and Development Co.,Ltd. All rights reserved.

Source: https://github.com/didi/