GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → GeoSn0w → hspGuard

GeoSn0w / hspGuard

Licence: MIT license
Checks macOS for Kernel Task Port. It may help detect intrusive kexts that would leak the kernel task.

Programming Languages

c
50402 projects - #5 most used programming language
Makefile
30231 projects

Labels

macoskernelkernxnugeosn0w

Projects that are alternatives of or similar to hspGuard

kern.io
My personal site's source code.
Stars: ✭ 20 (+0%)
Mutual labels:  kern
XNU
Research into porting the XNU kernel to ARM devices.
Stars: ✭ 76 (+280%)
Mutual labels:  xnu
iOS-Jailbreak-Development
GeoSn0w's majestic knowledge base for iOS 12 / iOS 13 Jailbreak Development.
Stars: ✭ 55 (+175%)
Mutual labels:  xnu
Minerva-Debugger
Providing a great interface to the iOS kernel, hardware, threads and processes in a great research environment. (WIP)
Stars: ✭ 23 (+15%)
Mutual labels:  xnu

hspGuard - macOS Kernel Task Port Checker Tool

hsp comes from host_special_port(4) patch implemented by @s1guza in his hsp4 kext.

Checks macOS for Kernel Task Port. It may help detect intrusive kexts that would leak the kernel task.

Pretty much checks for the possibility to obtain the Kernel Task Port on macOS. By default, nothing should be able to obtain the kernel task port, root or not. The task port is pretty dangerous stuff. You have it, you pwn the kernel in all the right places. Simple as that.

Apple introduced back in El Capitan a new concept called SIP (System Integrity Protection). It was also dubbed as ROOTLESS by early media coverage. It now represents an additional layer of protection, for all the good it does. One can disable SIP with literally a terminal command.

The tool I made came as an idea after I saw @s1guza's kext that is able to bring the task port back to userland. One simply has to load the kext (kextload), granted SIP is disabled or weakened and BOOM. Kernel Task Port for any program asking for it and running as ROOT. @s1guza's kext is pretty useful for pen-testing, and other ethical stuff, but imagine that running on your mac without you knowing about it. Kernel Task for anyone!!

How the program works

Simple. At first we check if we are root. We can't access kernel stuff if we're not privileged enough (sudo program). Then we check if we can obtain the task port for the Kernel. Normally, we should not be able to do so even as root. The task should always return 0. If it returns any other number, it is bad. Then we proced to check for SIP. It is never a bad idea to check whether the System Integrity Protection is enabled or not. In fact, this whole kext made by @s1guza couldn't be abused by a malicious character unless SIP is seriously weakened or disabled altogether.

In theory, if a kext akin to the one made by @s1guza is loaded, all it takes for a program that is running privileged is to do something like this:

task_t get_kernel_task_port(){
    task_t kernel_task;
    host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &kernel_task);
    return kernel_task;
}

Done. This will return the kernel task port if the system is compromised. So as you can see, it is a trivial task. macOS El Capitan is actually the main target here. Although @s1guza's kext does work on macOS Sierra and High Sierra, Apple did something relatively interesting. Instead of attempting to limit the programs from grabbing the kernel task port, they limited what the program can do after grabbing it. With the release of macOS 10.12.4, you can grab the kern task port, but most of the APIs will see it like MACH_PORT_NULL, rendering it useless.

@s1guza has a way better documentation of the matter and you can check it out here.

Suffices to say that macOS El Capitan is a better target for someone who may wanna use such kext, but that does not make Sierra and High Sierra flawless.

Compiling

make hspGuard

License

Do whatever you want with the code. Remix, adapt, sell, I don't give a damn.

Special Thanks

@IBSparkes for motivation to pursue the demystifying of how csrutil works in order to grab more SIP data :P

@s1guza for his amazing hsp4 kext. Very useful thingy if you know how to use it and how not to expose your system to all the malware you can get :P Seriously, don't run this kext unless you really know what the hell you are doing.

Contact

If you wanna talk with me about the eternal life, cats, electronics, iOS, or whatever, my twitter is GeoSn0w (@FCE365). I also run the iDevice Central on YouTube so you can drop me a PM there too. You may also find me on iDevice Central Website

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].