Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a new process to execute its malicious activity. So, in order to analyze the malicious behaviors of malware targeting macOS more efficiently and automatically, it is necessary to develop a utility to monitor process execution. The MACF on macOS is a good choice for implementing this utility. The Mandatory Access Control Framework, commonly referred to as MACF, is the substrate on top of which all of Apple's security mechanisms, on both macOS and iOS, are implemented. In this blog, I will detail the implementation of monitoring process execution, including command line arguments, via MACF.

If you are interested in research on malware and vulnerabilities on macOS, the blogs from are a great study resource. The blog series "Monitoring Process Creation via the Kernel" explains how to monitor process creation via the kernel using MACF and KAuth (Kernel Authorization). However, it does not show how to monitor process execution together with its command line arguments. While analyzing malware on macOS, the malware usually executes new processes in the background to perform specific malicious activities, and these new processes are frequently executed with command line arguments. So, to analyze them, it is necessary to monitor process execution together with all of its command line arguments.

Developing a Tool to Monitor Process Execution

First, you need to register your MAC Policy, as shown in Figure 1. The member variable ip_csflags of struct image_params is actually the csflags parameter received by the callback processExecWithArgsHook, so we get the struct image_params pointer by executing the following code:

```c
struct image_params *img = (struct image_params *)((char *)csflags - offsetof(struct image_params, ip_csflags));
```

Once we have the struct image_params pointer, we can reference its member variables ip_startargv and ip_endargv to get the data buffer holding the command line arguments of the process being executed. Note that the member variable ip_argc holds the number of command line arguments. It is also worth noting that each argument in the buffer is terminated with '\0', so you need to replace those separators to obtain a single string containing all of the command line arguments.

After loading the KEXT successfully (I've tested it on macOS 10.12 and 10.13), you can open Console.app to monitor the KEXT's output. Launch some apps or execute some processes to test it. For example, when we open the Calculator app, we can see the log entry for the execution of Calculator.

So far, we have covered the key technical details of monitoring process execution with command line arguments in the kernel on macOS. Next, we will set up the user-land program, which requires communication between kernel space and user space. I chose the kernel control API, a socket-based API that allows you to communicate with a KEXT and receive broadcast notifications from it. The kernel control (kernel_control) API, which uses the SYSPROTO_CONTROL protocol, allows applications to configure and control a KEXT. For detailed usage of this API, please see:

It is also a bidirectional communication mechanism between a user space application and a KEXT. The kernel side can call a number of functions to send data back to the user space process. In particular, you can use ctl_enqueuedata to queue up data to send to the user space process, and ctl_getenqueuespace to find out how much free space is available in the queue. This data can be read by the user process using the read or recv system calls. The following is a code snippet using the kernel control APIs.

From Figure 16, we can see that several processes besides the main process "Google Chrome" are executed after launching the Google Chrome app. The process "Google Chrome Helper" is executed with a long command line argument.
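The two kernel-side steps described above, recovering image_params from the csflags pointer and turning the '\0'-separated argv buffer into one string, as an added user-space C model that is not the FortiGuard Labs KEXT code: struct image_params here is a constructed stand-in carrying only the members the post names, and img_from_csflags and flatten_argv are hypothetical helper names.

```c
/* Added example, not the post's KEXT code: a user-space model of recovering
 * image_params from the csflags pointer and flattening the NUL-separated argv
 * buffer. struct image_params is a constructed stand-in with only the fields
 * the post names; XNU's real struct has many more (offsetof still works). */
#include <stddef.h>
#include <string.h>

struct image_params {           /* constructed stand-in, not XNU's definition */
    int           ip_argc;      /* number of command line arguments */
    char         *ip_startargv; /* first byte of the NUL-separated argv strings */
    char         *ip_endargv;   /* one past the last argv string */
    unsigned int  ip_csflags;   /* the exec hook receives a pointer to this member */
};

/* The post's container-of trick: the hook only gets &ip_csflags, so step
 * back by the member's offset to reach the enclosing struct. */
static struct image_params *img_from_csflags(unsigned int *csflags)
{
    return (struct image_params *)((char *)csflags -
                                   offsetof(struct image_params, ip_csflags));
}

/* Turn "arg0\0arg1\0...\0" between ip_startargv and ip_endargv into one
 * space-separated string. Reads only inside [start, end), stops after ip_argc
 * items, and returns -1 rather than overflow or silently truncate `out`.
 * Returns the number of arguments copied. */
static int flatten_argv(const struct image_params *img, char *out, size_t outlen)
{
    const char *p = img->ip_startargv, *end = img->ip_endargv;
    size_t used = 0;
    int count = 0;
    if (!p || !end || end < p || outlen == 0)
        return -1;
    out[0] = '\0';
    while (p < end && count < img->ip_argc) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        size_t len = nul ? (size_t)(nul - p) : (size_t)(end - p);
        if (used + len + 1 >= outlen)       /* +1 for the separator or final NUL */
            return -1;
        if (count > 0)
            out[used++] = ' ';
        memcpy(out + used, p, len);
        used += len;
        out[used] = '\0';
        p += len + 1;                       /* skip the '\0' separator */
        count++;
    }
    return count;
}
```

Because the real ip_endargv bounds the buffer, the memchr-based scan never reads past it even if the last argument lacks its terminator.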