grey fox is a kernel extension for Mac OS X that logs every system call performed by any process running on the system. Research for my master's thesis required a dataset of all system calls performed by benign as well as malicious processes (malware). After analysis of the gathered datasets, several system call patterns that identified malware were extracted.
grey fox replaces (hooks) all the syscall function pointers in the `_sysent` table with pointers to its own implementations, which log the syscall using `kprintf()` and return the result of the original syscall. It also implements two KAuth listeners, on the vnode and file-operation scopes, used to gather additional metadata regarding `SYS_write` and `SYS_execve`.
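The hooking scheme described above, as an added user-space model in C (not grey fox's own code): a constructed two-entry `_sysent`-style table, hooks that call the saved original and log before returning its result unchanged, and install/remove routines that save and restore the pointers. The table, the syscall stubs and the `pid` argument are constructed stand-ins for the XNU structures, and `printf()` stands in for the kext's `kprintf()`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an XNU _sysent entry; only the call pointer is modelled. */
typedef int (*sy_call_t)(int pid, const char *arg);
struct sysent { sy_call_t sy_call; };
enum { NR_WRITE = 0, NR_EXECVE = 1, NSYS = 2 };
/* Constructed stand-ins for the original kernel syscall implementations. */
static int orig_write(int pid, const char *arg)  { (void)pid; return (int)strlen(arg); }
static int orig_execve(int pid, const char *arg) { (void)pid; (void)arg; return 0; }
/* The dispatch table the kernel consults; in XNU this is the _sysent table. */
static struct sysent sysent_table[NSYS] = { { orig_write }, { orig_execve } };
static sy_call_t saved[NSYS];          /* original pointers, put back on unload */
static unsigned long log_count[NSYS];  /* how many calls each hook has logged */
static int installed;

/* Common hook body: run the saved original, log it (kprintf() in the kext), return its result. */
static int hook(int nr, int pid, const char *arg) {
    int ret = saved[nr](pid, arg);
    log_count[nr]++;
    printf("pid %d syscall %d (%s) = %d\n", pid, nr, arg, ret);
    return ret;
}
static int hook_write(int pid, const char *arg)  { return hook(NR_WRITE, pid, arg); }
static int hook_execve(int pid, const char *arg) { return hook(NR_EXECVE, pid, arg); }
static const sy_call_t hooks[NSYS] = { hook_write, hook_execve };

/* Install: save every original pointer, then swap in the hooks. A second install is
 * refused, because saving a hook as the "original" would make hook() call itself forever. */
int hooks_install(void) {
    if (installed) return -1;
    for (int nr = 0; nr < NSYS; nr++) {
        saved[nr] = sysent_table[nr].sy_call;
        sysent_table[nr].sy_call = hooks[nr];
    }
    installed = 1;
    return 0;
}
/* Remove: restore the originals before the code holding the hooks is unloaded. */
int hooks_remove(void) {
    if (!installed) return -1;
    for (int nr = 0; nr < NSYS; nr++) sysent_table[nr].sy_call = saved[nr];
    installed = 0;
    return 0;
}
/* Stand-in for the kernel's syscall dispatch through the table. */
int dispatch(int nr, int pid, const char *arg) {
    if (nr < 0 || nr >= NSYS) return -1;
    return sysent_table[nr].sy_call(pid, arg);
}
```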
OSX versions supported: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11.
NOTE: kext is now signed! 😄 Questions/requests? Let me know in the issues!
#### Environment
grey fox is best run in a VM (preferably VMware), since VMware logs flawlessly via a serial port. `printf()`'s buffer is not flushed in time, causing malformed output. `kprintf()` is thread-safe, since a log operation over the serial port is fully synchronous.
Manually running grey fox is recommended. This temporarily loads grey fox in the kernel and ensures that it is not automatically started after a reboot. In case of a kernel panic (crash), your system will reboot in an untouched state.
- Unzip `grey_fox-0.x.x.zip` to the Desktop
- Open Terminal.app
- Type `cd `, drag the `grey_fox-0.x.x` folder into the Terminal window and hit Enter
- Then type `sudo sh run_greyfox.sh` and hit Enter

1. Define an output file for the VMware serial port (VMware docs)
2. Boot the VM
3. Load greyfox
4. Find the logs in the file you defined in step 1.
Note: this is a very hacky and experimental project that uses undocumented KPIs that are due to change in the next major XNU releases. Also note that many warnings in `hooker.c` are suppressed by the `-w` compile flag. Much of the heavy lifting is done by functions taken from @osxreverser (thank you).