mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
5.1 KiB
5.1 KiB
macOS Kernel Extensions
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
- ¿Trabajas en una empresa de ciberseguridad? ¿Quieres ver tu empresa anunciada en HackTricks? ¿O quieres tener acceso a la última versión de PEASS o descargar HackTricks en PDF? ¡Consulta los PLANES DE SUSCRIPCIÓN!
- Descubre The PEASS Family, nuestra colección exclusiva de NFTs
- Obtén el swag oficial de PEASS y HackTricks
- Únete al 💬 grupo de Discord o al grupo de telegram o sígueme en Twitter 🐦@carlospolopm.
- Comparte tus trucos de hacking enviando PR a hacktricks repo y hacktricks-cloud repo.
Basic Information
Kernel extensions (Kexts) are packages with a .kext
extension that are loaded directly into the macOS kernel space, providing additional functionality to the main operating system.
Requirements
Obviously, this is so powerful that it is complicated to load a kernel extension. These are the requirements that a kernel extension must meet to be loaded:
- When entering recovery mode, kernel extensions must be allowed to be loaded:
- The kernel extension must be signed with a kernel code signing certificate, which can only be granted by Apple. Who will review in detail the company and the reasons why it is needed.
- The kernel extension must also be notarized, Apple will be able to check it for malware.
- Then, the root user is the one who can load the kernel extension and the files inside the package must belong to root.
- During the upload process, the package must be prepared in a protected non-root location:
/Library/StagedExtensions
(requires thecom.apple.rootless.storage.KernelExtensionManagement
grant). - Finally, when attempting to load it, the user will receive a confirmation request and, if accepted, the computer must be restarted to load it.
Loading process
In Catalina it was like this: It is interesting to note that the verification process occurs in userland. However, only applications with the com.apple.private.security.kext-management
grant can request the kernel to load an extension: kextcache
, kextload
, kextutil
, kextd
, syspolicyd
kextutil
cli starts the verification process for loading an extension- It will talk to
kextd
by sending using a Mach service.
- It will talk to
kextd
will check several things, such as the signature- It will talk to
syspolicyd
to check if the extension can be loaded.
- It will talk to
syspolicyd
will prompt the user if the extension has not been previously loaded.syspolicyd
will report the result tokextd
kextd
will finally be able to tell the kernel to load the extension
If kextd
is not available, kextutil
can perform the same checks.
Referencias
- https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/
- https://www.youtube.com/watch?v=hGKOskSiaQo
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
- ¿Trabajas en una empresa de ciberseguridad? ¿Quieres ver tu empresa anunciada en HackTricks? ¿O quieres tener acceso a la última versión de PEASS o descargar HackTricks en PDF? ¡Consulta los PLANES DE SUSCRIPCIÓN!
- Descubre The PEASS Family, nuestra colección exclusiva de NFTs
- Obtén el swag oficial de PEASS y HackTricks
- Únete al 💬 grupo de Discord o al grupo de telegram o sígueme en Twitter 🐦@carlospolopm.
- Comparte tus trucos de hacking enviando PR a hacktricks repo y hacktricks-cloud repo.