kemon: Open-Source Pre macOS Kernel Monitoring
An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring. With the power of it, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, it can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.
- file operation monitoring
- process creation monitoring
- dynamic library and kernel extension monitoring
- network traffic monitoring
- Mandatory Access Control (MAC) policy monitoring, etc.
In addition, it can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.
git clone https://github.com/didi/kemon.git cd kemon make
How to use
- Please turn off macOS System Integrity Protection (SIP) check if you don’t have a valid kernel certificate
- Use the below command to change the owner of the Kemon driver
sudo chown -R root:wheel kemon.kext
- Use the below command to install the Kemon driver
sudo kextload kemon.kext
- Use the below command to uninstall the Kemon driver
sudo kextunload kemon.kext
Copyright (C) 2017 Beijing Didi Infinity Technology and Development Co.,Ltd. All rights reserved.