Kemon – An Open-Source Pre And Post Callback-Based Framework For macOS Kernel Monitoring

An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.What is Kemon?An open-source Pre and Post callback-based framework for macOS kernel monitoring. With the power of Kemon, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as: CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.Supported FeaturesKemon’s features include:file operation monitoringprocess creation monitoringdynamic library and kernel extension monitoringnetwork traffic monitoringMandatory Access Control (MAC) policy monitoring, etc.In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.Getting StartedHow to build the Kemon driverPlease use Xcode project or makefile to build the Kemon kext driverHow to use the Kemon driverPlease turn off macOS System Integrity Protection (SIP) check if you don’t have a valid kernel certificateUse the command “sudo chown -R root:wheel kemon.kext" to change the owner of the Kemon driverUse the command "sudo kextload kemon.kext" to install the Kemon driverUse the command "sudo kextunload kemon.kext" to uninstall the Kemon driverDownload Kemon