Kemon is an open-source Pre and Post callback-based framework for macOS kernel monitoring. With the power of it, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, it can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as: CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.
- file operation monitoring
- process creation monitoring
- dynamic library and kernel extension monitoring
- network traffic monitoring
- Mandatory Access Control (MAC) policy monitoring, etc.
In addition, this project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.
How to use ?
- Please turn off macOS System Integrity Protection (SIP) check if you don’t have a valid kernel certificate
- Use the command “sudo chown -R root:wheel kemon.kext” to change the owner of the driver
- Use the command “sudo kextload kemon.kext” to install the driver
- Use the command “sudo kextunload kemon.kext” to uninstall the driver