Kemon – An Open-Source Pre And Post Callback-Based Framework For macOS Kernel Monitoring

An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.What is Kemon?An open-source Pre and Post callback-based framework for macOS kernel monitoring. With the power of Kemon, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as: CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.Supported FeaturesKemon’s features include:file operation monitoringprocess creation monitoringdynamic library and kernel extension monitoringnetwork traffic monitoringMandatory Access Control (MAC) policy monitoring, etc.In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.Getting StartedHow to build the Kemon driverPlease use Xcode project or makefile to build the Kemon kext driverHow to use the Kemon driverPlease turn off macOS System Integrity Protection (SIP) check if you don’t have a valid kernel certificateUse the command “sudo chown -R root:wheel kemon.kext" to change the owner of the Kemon driverUse the command "sudo kextload kemon.kext" to install the Kemon driverUse the command "sudo kextunload kemon.kext" to uninstall the Kemon driverDownload Kemon

Link: http://feedproxy.google.com/~r/PentestTools/~3/XL6ZRdlV9wQ/kemon-open-source-pre-and-post-callback.html

BYOB – Build Your Own Botnet

BYOB (Build Your Own Botnet)Disclaimer: This project should be used for authorized testing or educational purposes only.BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.It is designed to allow developers to easily implement their own code and add cool new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control server) from scratch.The RAT’s key feature is that arbitrary code/files can be remotely loaded into memory from the C2 and executed on the target machine without writing anything to the disk.Serverusage: server.py [-h] [-v] [–host HOST] [–port PORT] [–database DATABASE]Command & control server with persistent database and console Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance Client-Server Architecture: all python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines Clientusage: client.py [-h] [-v] [–name NAME] [–icon ICON] [–pastebin API] [–encrypt] [–obfuscate] [–compress] [–compile] host port [module [module …]]Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them Nothing Written To The Disk: clients never write anything to the disk – not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process Zero Dependencies (Not Even Python Itself): client runs with just the python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host Add New Features With Just 1 Click: any python script, module, or package you to copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running Write Your Own Modules: a basic module template is provided in ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client’s file size Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into portable executable (Windows) or bundled into an standalone application (macOS) Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected ModulesPost-exploitation modules that are remotely importable by clientsKeylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name enteredScreenshot (byob.modules.screenshot): take a screenshot of current user’s desktopWebcam (byob.modules.webcam): view a live stream or capture image/video from the webcamRansom (byob.modules.ransom): encrypt files & generate random BTC wallet for ransom paymentOutlook (byob.modules.outlook): read/search/upload emails from the local Outlook clientPacket Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap filePersistence (byob.modules.persistence): establish persistence on the host machine using 5 different methodsPhone (byob.modules.phone): read/search/upload text messages from the client smartphoneEscalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privilegesPort Scanner (byob.modules.portscanner): scan the local network for other online devices & open portsProcess Control (byob.modules.process): list/search/kill/monitor currently running processes on the hostCoreCore framework modules used by the generator and the serverUtilities (byob.core.util): miscellaneous utility functions that are used by many modulesSecurity (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)Loaders (byob.core.loaders): remotely import any package/module/scripts from the serverPayloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modulesStagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detectionGenerators (byob.core.generators): functions which all dynamically generate code for the client generatorDatabase (byob.core.database): handles interaction between command & control server and the SQLite database ContactWebsite: https://malwared.comEmail: security@malwared.comTwitter: https://twitter.com/malwaredllcDownload BYOB

Link: http://feedproxy.google.com/~r/PentestTools/~3/8QSu_u2pj0Y/byob-build-your-own-botnet.html