KEXT won't load even with System Integrity Protection disabled in 10.11

Time: 2016-03-24 06:58:27

Tags: macos kernel-extension

I am currently developing a small KEXT that blocks access to USB storage. But I cannot load my KEXT with kextutil; it fails with

Code Signing Failure: not code signed

I did turn off SIP in 10.11:

System Integrity Protection status: disabled.

Please help. I don't know what to do! Thanks.

1 answer:

Answer 0 (score: 0)

I spent a long time researching these simple steps and documents, and I am listing them here for people like me.


Disable SIP before performing these steps.

Start the Mac in Recovery mode by shutting it down and then starting it while holding Command + R until the Apple logo appears. Open the Terminal app and enter the following commands:

  1. csrutil disable
  2. reboot

These are the important commands: copy the kext to a location the root user can access, change its ownership to root:wheel, check the OSBundleLibraries dependencies, and check whether the kext is loadable.

# /path/to/YourKext.kext and /destination/ are placeholders; the actual paths were stripped from the post
sudo cp -R /path/to/YourKext.kext /destination/
sudo chown -R root:wheel /destination/YourKext.kext
sudo kextlibs -xml /destination/YourKext.kext      # checks whether the OSBundleLibraries entries are present in Info.plist
sudo kextutil -n -t /destination/YourKext.kext     # checks the kext (-n: do not load, -t: print diagnostics) and logs whether it is loadable
sudo kextutil -n /destination/YourKext.kext        # checks the kext without loading it and logs whether it is loadable
sudo kextutil /destination/YourKext.kext           # checks the kext and logs whether it is loadable
sudo kextload /destination/YourKext.kext           # loads the kext if the kernel does not panic
sudo kextunload /destination/YourKext.kext         # unloads your kext
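As an added example that is not part of the original answer, the following POSIX shell script turns the checklist above into a fail-fast preflight: each check is a function that takes a command's output as text, so the parsing logic runs on constructed sample strings without a Mac, and the `preflight` driver only runs the real csrutil/kextlibs/kextutil commands when given a bundle path. The bundle path (/tmp/MyKext.kext) and the sample tool output are constructed assumptions, not taken from the post.

```shell
#!/bin/sh
# Added preflight script for the kext-loading checklist (not from the original answer).
# Assumes the kext bundle path is passed as $1 (hypothetical, e.g. /tmp/MyKext.kext)
# and that csrutil, kextlibs and kextutil are the tools named in the answer.
# Each check takes command output as text, so the logic also runs without a Mac.

# Constructed sample outputs for the offline self-test (not captured from a real system).
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_DIAG_UNSIGNED='Code Signing Failure: not code signed'
SAMPLE_DIAG_CLEAN='Diagnostics for /tmp/MyKext.kext:'
SAMPLE_LS_OK='drwxr-xr-x  3 root  wheel  96 Mar 24 06:58 /tmp/MyKext.kext'
SAMPLE_LS_BAD='drwxr-xr-x  3 dev  staff  96 Mar 24 06:58 /tmp/MyKext.kext'

# Returns 0 when `csrutil status` output reports SIP disabled (needed for an unsigned kext on 10.11).
sip_disabled() {
    printf '%s\n' "$1" | grep -q 'System Integrity Protection status: disabled'
}

# Returns 0 when kextutil diagnostics contain no "Code Signing Failure" line.
diag_code_signed() {
    ! printf '%s\n' "$1" | grep -q 'Code Signing Failure'
}

# Returns 0 when the owner:group columns of `ls -ld` output read root:wheel
# (the state that `chown -R root:wheel` enforces).
ls_is_root_wheel() {
    [ "$(printf '%s\n' "$1" | awk 'NR == 1 { print $3 ":" $4 }')" = 'root:wheel' ]
}

# Returns 0 when the Info.plist at $1 declares the key named in $2 (e.g. OSBundleLibraries).
plist_has_key() {
    grep -q "<key>$2</key>" "$1"
}

# Runs the real commands against the bundle in $1, stopping at the first failed check,
# so kextload is never attempted on a bundle that kextutil would reject anyway.
preflight() {
    kext=$1
    sip_disabled "$(csrutil status 2>&1)" \
        || { echo "SIP is still enabled: boot to Recovery and run 'csrutil disable'"; return 1; }
    plist_has_key "$kext/Contents/Info.plist" OSBundleLibraries \
        || { echo "Info.plist lacks OSBundleLibraries; see: sudo kextlibs -xml $kext"; return 1; }
    ls_is_root_wheel "$(ls -ld "$kext")" \
        || { echo "Bundle is not owned by root:wheel; run: sudo chown -R root:wheel $kext"; return 1; }
    diag=$(sudo kextutil -n -t "$kext" 2>&1)
    diag_code_signed "$diag" \
        || echo "Note: kextutil reports the bundle as unsigned (the error from the question)"
    printf '%s\n' "$diag"
}

# Only run the live checks when a bundle path is supplied.
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Usage on a Mac: `sh preflight.sh /tmp/MyKext.kext`. The ordering matters: SIP state is checked first because nothing else can succeed for an unsigned bundle while it is enabled, and the signing diagnostic is reported as a finding rather than a hard stop, because it is exactly the message the question is about.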


Important URLs

https://people.sissa.it/~inno/pubs/skb-reduced.pdf

https://github.com/objective-see/LuLu

https://objective-see.com/blog/blog_0x0B.html

https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html#//apple_ref/doc/uid/10000191-SW1

https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/boundaries/boundaries.html

https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html#//apple_ref/doc/uid/TP40001858-CH225-SW1

https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html#//apple_ref/doc/uid/TP0000012-TPXREF101

https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/AccessingHardware/AH_Intro/AH_Intro.html#//apple_ref/doc/uid/TP30000376

https://developer.apple.com/library/archive/documentation/Networking/Conceptual/CFNetwork/Introduction/Introduction.html#//apple_ref/doc/uid/TP30001132

https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/Introduction/Intro.html#//apple_ref/doc/uid/TP30000694

https://developer.apple.com/library/archive/navigation/index.html#section=Technologies&topic=Kernel

https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/NetworkDriver/2_IONetworkingFamily/IONetworkingFamily.html

http://dbmanagement.info/Books/MIX/OS_X_and_iOS_Kernel_Programming.pdf

https://www.fortinet.com/blog/threat-research/monitoring-macos--part-iii--monitoring-network-activities-using-.html

https://fortiguard.com/events/2270/learn-how-to-build-your-own-utility-to-monitor-malicious-behaviors-of-malware-on-macOS

https://github.com/slavaim/MacOSX-Network-Sockets-Filter

http://mirror.informatimago.com/next/developer.apple.com/documentation/Darwin/Conceptual/howto/kext_tutorials/hello_kext/hello_kext.html

https://www.blackhat.com/us-18/presenters/Yu-Wang.html

Using the kernel control / kernel event API

https://www.synack.com/2015/12/13/monitoring-process-creation-via-the-kernel-part-iii/

Best working model

https://github.com/LawlietRyuzakiCode/NKETest

http://hitcon.org/2013/download/[B1]%20Pedro_HiTCON%202013%20Presentation_v2.pdf

https://github.com/changpingc/kernet

IMP packet creation source: enderunix Packet Creation Source

https://github.com/robbiehanson/CocoaAsyncSocket/tree/master/Examples/GCD
https://tools.ietf.org/html/rfc7230
https://developer.apple.com/documentation/security/certificate_key_and_trust_services?language=objc
http://openssl.cs.utah.edu/docs/apps/x509v3_config.html
https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/
http://technologeeks.com/course.jl?course=OSXRE
https://www.fastcompany.com/3042030/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be
https://stackoverflow.com/questions/589622/how-does-a-root-ca-verify-a-signature
https://deliciousbrains.com/https-locally-without-browser-privacy-errors/
https://rednaga.io/2017/04/09/remote_kext_debugging/
http://www.robertopasini.com/index.php/2-uncategorised/628-osx-packaging-a-kernel-extension-for-distribution-and-installation
http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
https://objective-see.com/blog.html
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptDebugger/debug_tutorial.html
https://forums.macrumors.com/threads/turn-off-verbose-bootup.1247361/
https://adimitrov.net/main/code/code/raw_packet.c
http://www.enderunix.org/docs/en/rawipspoof/
https://www.eit.lth.se/ppplab/IPHeader.htm#TOS,%20Type%20of%20Service
https://www.tenouk.com/download/pdf/Module39.pdf
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/HandlingEvents/HandlingEvents.html#//apple_ref/doc/uid/TP0000018-BAJFFJAD
https://github.com/slavaim/MacOSX-Network-Sockets-Filter
https://www.blackhat.com/us-18/arsenal.html#learn-how-to-build-your-own-utility-to-monitor-malicious-behaviors-of-malware-on-macos
https://developer.apple.com/documentation/networkextension?language=objc
https://github.com/TrustRouter/TrustRouter/blob/master/client/kernelmode/MacOS/trustrouter/trustrouter.c
https://github.com/LawlietRyuzakiCode/NKETest/blob/master/TestFilter/TestFilter/TestFilter.c
https://objective-see.com/blog/blog_0x0B.html
http://www.ragingmenace.com/software/menumeters/
https://people.sissa.it/~inno/pubs/skb-reduced.pdf
http://haifux.org/lectures/122/FreeBSD_kernel_networking.pdf
http://www.zytrax.com/books/dns/ch15/

Alternative packet forwarding and inspection

sudo lsof -iTCP -sTCP:LISTEN -n -P

netstat -a -n

sudo pfctl -s nat

sudo pfctl -F all -f /etc/pf.conf

echo "rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443" | sudo pfctl -ef -

nettop

sudo tcpdump -i en0 -p -vv -A ip and host 192.168.1.92

sudo tcpdump -i en0 -p -vv -A ip

sudo tcpdump -i en0 -p -vv -A ip and net 192.0.2.0/24