Last week, in (part I) of this blog mini-series, I discussed why BlockBlock requires process creation notifications, and one way to obtain them via a kext. Specifically, that post showed that a MAC policy could be registered that receives a notification whenever a process is started.
Once the post was up, the venerable @osxreverser and others (mahalo Simon!) were kind enough to reach out and mention that such process monitoring can equally be achieved via the Kernel Authorization (KAuth) subsystem. As the KAuth interface is a more stable API than the MAC framework (which is ‘unsupported’ by Apple), I decided to explore this option.
Kernel Authorization (KAuth) Subsystem
Before getting into the details of the KAuth subsystem, its API, and how to monitor process creation with it, a few brief statements summarize what my exploration of KAuth turned up:
…it should be noted that, to OS X kext programmers, none of these statements are likely news!
Alright, so KAuth. As detailed in Apple’s Technical Note TN2127, the KAuth subsystem “exports a kernel programming interface (KPI) that allows third party kernel developers to authorize actions within the kernel [and] can also be used as a notification mechanism.” For the purposes of BlockBlock and monitoring process creation, we’re only interested in the notification abilities of the KAuth subsystem.
The Technical Note provides a fairly comprehensive overview of ‘Kernel Authorization’, so we won’t dive into too many details. However, a few key concepts and terms are worth reviewing:
With a decent understanding of the KAuth subsystem, it’s fairly easy to write a kext that receives most process creation notifications (most, not all: as the conclusion notes, a process that fork()s but never exec()s is not reported) in two easy steps. If you’d like to follow along in code, download the source for the kext as an Xcode project.
Implementation Step 1: Register A Listener
The kauth_listen_scope function registers a listener for an existing scope. Its prototype (see sys/kauth.h) takes three parameters:
The first parameter (‘identifier’) is the name of the scope the kext is registering for (e.g. KAUTH_SCOPE_FILEOP).
The second parameter (‘callback’) is the address of the kext’s callback function, which the KAuth subsystem invokes automatically whenever an event within that scope is generated.
The third parameter (‘idata’) is a cookie, or ‘refCon’, that is passed back to the callback unchanged. For the purpose of monitoring process creation this parameter is not needed, so NULL can be passed.
The value returned by kauth_listen_scope is a kauth_listener_t. Save it, so that the listener can be unregistered (via kauth_unlisten_scope) when the kext is unloaded.
Let’s look at the first two parameters a little closer.
As mentioned, the first parameter is the scope of interest. Scopes are defined in sys/kauth.h and described in Technical Note TN2127. For process creation, the relevant one is the file operation scope, KAUTH_SCOPE_FILEOP: its KAUTH_FILEOP_EXEC action is delivered whenever a process exec()s a new image, which is exactly the notification BlockBlock needs.
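As an added example (this is not the BlockBlock kext’s own source, which lives in the Xcode project linked above), here is a complete listener for the fileop scope that ties together the scope, callback and listener handle described in Step 1 and the notification-only role KAuth plays for BlockBlock: it registers on KAUTH_SCOPE_FILEOP, ignores every action other than KAUTH_FILEOP_EXEC, records pid/ppid/uid/path for each exec, and unregisters on unload. The kernel-only calls (kauth_listen_scope, kauth_unlisten_scope, proc_selfpid, proc_selfppid, kauth_cred_getuid) are real XNU KPI and are compiled only under KERNEL, i.e. in a kext build. Everything in the `#else` branch is an assumption made for testing outside the kernel and is not part of XNU: a one-slot shim for sys/kauth.h, fixed pid/uid values, and a shim_fire helper that plays the role of the kernel delivering an event.

```c
/* Added example, not the BlockBlock kext's source. Under KERNEL this is a
 * KAuth fileop listener; otherwise a small user-space shim (an assumption for
 * testing, not XNU) stands in for sys/kauth.h so the callback can be run. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifdef KERNEL
#include <sys/kauth.h>          /* kauth_listen_scope, KAUTH_SCOPE_FILEOP, ... */
#include <sys/proc.h>           /* proc_selfpid, proc_selfppid */
#include <libkern/libkern.h>    /* printf, snprintf */
#else
typedef int kauth_action_t;
typedef struct ucred *kauth_cred_t;
typedef struct kauth_listener *kauth_listener_t;
typedef int (*kauth_scope_callback_t)(kauth_cred_t, void *, kauth_action_t,
                                      uintptr_t, uintptr_t, uintptr_t, uintptr_t);
#define KAUTH_SCOPE_FILEOP "com.apple.kauth.fileop"
#define KAUTH_FILEOP_OPEN  1
#define KAUTH_FILEOP_EXEC  6
#define KAUTH_RESULT_DEFER 3
/* one-slot registry emulating kauth_listen_scope()/kauth_unlisten_scope() */
struct kauth_listener { kauth_scope_callback_t cb; void *idata; };
static struct kauth_listener g_slot;
static kauth_listener_t kauth_listen_scope(const char *id, kauth_scope_callback_t cb, void *idata)
{
    if (strcmp(id, KAUTH_SCOPE_FILEOP) != 0) return NULL;   /* unknown scope */
    g_slot.cb = cb; g_slot.idata = idata;
    return &g_slot;
}
static void kauth_unlisten_scope(kauth_listener_t l) { if (l) l->cb = NULL; }
/* fixed stand-ins for the proc/cred KPI, used only by the user-space test */
static int   proc_selfpid(void)                { return 4242; }
static int   proc_selfppid(void)               { return 1; }
static uid_t kauth_cred_getuid(kauth_cred_t c) { (void)c; return 501; }
/* emulate the kernel delivering one fileop event to the registered listener;
 * returns -1 if nobody is listening, else the callback's result */
static int shim_fire(kauth_action_t action, const char *path)
{
    if (g_slot.cb == NULL) return -1;
    return g_slot.cb(NULL, g_slot.idata, action, 0, (uintptr_t)path, 0, 0);
}
#endif

#define EXEC_PATH_MAX 256

/* one process-creation record; fixed size so it can later be handed to user mode */
struct exec_event {
    int   pid;
    int   ppid;
    uid_t uid;
    char  path[EXEC_PATH_MAX];
};

static struct exec_event g_last_exec;    /* most recent exec seen */
static unsigned long     g_exec_count;   /* how many execs were reported */
static kauth_listener_t  g_listener;     /* handle needed to unregister */

/* the callback KAuth invokes for every event in the fileop scope */
static int fileop_listener(kauth_cred_t cred, void *idata, kauth_action_t action,
                           uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
{
    (void)idata; (void)arg0; (void)arg2; (void)arg3;

    /* the scope also reports open/close/rename/link/delete; only exec matters here */
    if (action != KAUTH_FILEOP_EXEC)
        return KAUTH_RESULT_DEFER;

    /* for KAUTH_FILEOP_EXEC, arg0 is the executable's vnode and arg1 its path */
    const char *path = (const char *)arg1;
    struct exec_event ev;
    memset(&ev, 0, sizeof(ev));
    ev.pid  = proc_selfpid();        /* the exec()ing process is the current one */
    ev.ppid = proc_selfppid();
    ev.uid  = kauth_cred_getuid(cred);
    snprintf(ev.path, sizeof(ev.path), "%s", path ? path : "");

    g_last_exec = ev;
    g_exec_count++;
    printf("BlockBlock: exec pid=%d ppid=%d uid=%u path=%s\n",
           ev.pid, ev.ppid, (unsigned)ev.uid, ev.path);

    /* fileop events are notifications: the result is ignored, DEFER is the convention */
    return KAUTH_RESULT_DEFER;
}

/* call from the kext's start routine; 0 on success */
int blockblock_listen(void)
{
    g_listener = kauth_listen_scope(KAUTH_SCOPE_FILEOP, fileop_listener, NULL);
    return (g_listener != NULL) ? 0 : -1;
}

/* call from the kext's stop routine. Caveat from TN2127: unlisten does not wait
 * for callbacks already running, so a production kext also keeps an in-flight
 * counter and refuses to unload until it drops to zero. */
void blockblock_unlisten(void)
{
    if (g_listener != NULL) {
        kauth_unlisten_scope(g_listener);
        g_listener = NULL;
    }
}

unsigned long blockblock_exec_count(void) { return g_exec_count; }
const struct exec_event *blockblock_last_exec(void) { return &g_last_exec; }
```

Two points worth noticing in the callback: the action filter is mandatory, because the fileop scope also fires for opens, closes, renames, links and deletes, and a listener that does real work on every one of them will show up in every file operation on the system; and the return value is irrelevant for this scope, so a fileop listener cannot block an exec even if it wanted to (authorization would require the vnode scope, which BlockBlock does not need).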
Conclusion(s)
To summarize: the simplicity and interface stability of the KAuth subsystem make it a great way to track process creation in the kernel. However, if one also needs to track processes that fork() but never exec(), the MAC framework may be the way to go.
Next up (part III): how the process information captured by the BlockBlock kext is made available to user mode, by means of a broadcast over a system socket. Check back shortly for that (part III) blog post!