# the grey fox 🐺

The grey fox is a kernel extension for Mac OS X that logs the system calls performed by every process running on the system. Research for my master's thesis required a dataset of all system calls performed by benign as well as malicious processes (malware). After analysis of the gathered datasets, several system call patterns that identify malware were extracted. grey fox replaces (hooks) all the syscall function pointers in the `_sysent` table with pointers to its own implementations, which log the syscall using `kprintf()` and then return the result of the original syscall. It also implements two KAuth listeners, on the vnode and file-operation scopes, used to gather additional metadata for `SYS_write` and `SYS_execve`.

OS X versions supported: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11.

NOTE: kext is now signed! 😄 Questions/requests? Let me know in the issues!

#### Environment

grey fox is best run in a VM (preferably VMware), since VMware logs flawlessly via a serial port. `printf()`'s buffer is not flushed in time, causing malformed output. `kprintf()` is thread-safe, since a log operation over the serial port is fully synchronous.

#### Manual run

Manually running grey fox is recommended. This temporarily loads grey fox in the kernel and ensures that it is not automatically started after a reboot. In case of a kernel panic (crash), your system will reboot in an untouched state.

1. Unzip `grey_fox-0.x.x.zip` to the Desktop
2. Open Terminal.app
3. Type `cd `, drag the `grey_fox-0.x.x` folder into the Terminal window and hit Enter
4. Then type `sudo sh run_greyfox.sh` and hit Enter

#### Collecting logs (syscall traces)

1. Define an output file for the VMware serial port (see the VMware docs)
2. Boot the VM
3. Load grey fox
4. Find the logs in the file you defined in step 1
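Once the serial-port file holds a trace, the next step in the workflow described above (and in the thesis motivation in the introduction) is to mine it for syscall patterns and later match those patterns against new traces. The script below is an added example, not code from the grey fox project. It assumes a simple `<pid> <comm> <syscall>` line format, which is an assumption made here for illustration since the README does not document the exact `kprintf()` output format; the benign and malicious traces embedded in it are constructed for the example and are not the patterns the thesis extracted.

```python
"""Mine syscall n-grams from grey fox style traces and match them on new traces.

Added example, not part of grey fox. ASSUMED line format (adapt the regex to the
real kprintf() output): "<pid> <comm> <syscall>", e.g. "100 TextEdit SYS_open".
"""
import re
from collections import Counter

# Assumed trace line format (constructed for this example).
SYSCALL_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<syscall>SYS_\w+)\s*$")

# Constructed sample traces: these are NOT real grey fox output or thesis data.
BENIGN_TRACE = [
    "100 TextEdit SYS_open",
    "100 TextEdit SYS_read",
    "101 Safari SYS_socket",
    "100 TextEdit SYS_close",
    "101 Safari SYS_connect",
    "100 TextEdit SYS_write",
    "101 Safari SYS_write",
    "101 Safari SYS_read",
    "101 Safari SYS_close",
]
MALICIOUS_TRACE = [
    "200 dropper SYS_open",
    "200 dropper SYS_write",
    "@@@ serial line noise, dropped by the parser @@@",   # malformed line
    "200 dropper SYS_chmod",
    "200 dropper SYS_execve",
    "201 agent SYS_socket",
    "201 agent SYS_connect",
    "201 agent SYS_write",
    "201 agent SYS_chmod",
    "201 agent SYS_execve",
]


def parse_trace(lines):
    """Return {pid: (comm, [syscall, ...])} with per-process call order kept.

    Lines that do not match the assumed format (serial noise, partial writes)
    are skipped rather than aborting the whole analysis.
    """
    traces = {}
    for line in lines:
        m = SYSCALL_LINE.match(line.strip())
        if not m:
            continue
        pid = int(m["pid"])
        _, calls = traces.setdefault(pid, (m["comm"], []))
        calls.append(m["syscall"])
    return traces


def ngrams(seq, n):
    """Set of consecutive n-tuples of syscalls in one process's trace."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def candidate_patterns(benign_lines, malicious_lines, n=3):
    """Syscall n-grams seen in malicious traces but never in benign ones.

    Returns a Counter mapping each pattern to the number of distinct malicious
    processes that contain it (its support), so patterns can be ranked.
    """
    benign_grams = set()
    for _, calls in parse_trace(benign_lines).values():
        benign_grams |= ngrams(calls, n)
    support = Counter()
    for _, calls in parse_trace(malicious_lines).values():
        for gram in ngrams(calls, n) - benign_grams:
            support[gram] += 1
    return support


def scan_trace(lines, patterns, n=3):
    """Detection side: {pid: (comm, [matched patterns])} for a new trace."""
    hits = {}
    for pid, (comm, calls) in parse_trace(lines).items():
        matched = sorted(ngrams(calls, n) & set(patterns))
        if matched:
            hits[pid] = (comm, matched)
    return hits


if __name__ == "__main__":
    patterns = candidate_patterns(BENIGN_TRACE, MALICIOUS_TRACE)
    for gram, count in patterns.most_common():
        print(f"{count}x  {' -> '.join(gram)}")
    print(scan_trace(MALICIOUS_TRACE, patterns))
```

Ranking by support keeps the most widely shared malicious-only sequences at the top; the complement check against the benign set is what turns "frequent in malware" into "absent in benign", which is the property a detection rule actually needs. With real grey fox traces, the regex is the only part that has to change.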

Note: this is a very hacky and experimental project that uses undocumented KPIs that are due to change in the next major XNU releases. Also note that many warnings in `hooker.c` are suppressed by the `-w` compile flag. Much of the heavy lifting is done by functions taken from @osxreverser (thank you).