Skip to content

Instantly share code, notes, and snippets.

@knightsc

knightsc/AVKext.c

Last active January 6, 2020 03:44
Show Gist options
  • Save knightsc/4df9789ac96d428e1d5efb551d09074d to your computer and use it in GitHub Desktop.
Save knightsc/4df9789ac96d428e1d5efb551d09074d to your computer and use it in GitHub Desktop.
Download ZIP
McAfee AVKext.kext reversed startup and control code
Raw
AVKext.c
#include <kern/locks.h>
#include <libkern/libkern.h>
#include <libkern/OSMalloc.h>
#include <mach/mach_types.h>
#include <sys/kauth.h>
#include <sys/kern_control.h>
#include <sys/sysctl.h>
#include <sys/time.h>
#include "AVKext.h"
#include "AVScan.h"
#include "AVScanBooster.h"
// Globals
int32_t gAVLogLevel;
OSMallocTag gAVMallocTag;
lck_grp_t *gAVLockGroup;
int8_t gRegisteredOID;
int32_t gUnit;
int32_t gVirexGID;
struct kern_ctl_reg gCtl;
kern_ctl_ref *gCtlref;
struct sysctl_oid sysctl__kern_com_mcafee_AV_log;
// Log Levels
#define LOG_DEBUG 0x5
#define LOG_INFO 0x4
#define LOG_WARN 0x3
#define LOG_ERROR 0x2
#define LOG_CRITICAL 0x1
// Kern Control setsockopt option_name values
#define ENABLE_KERNEL_HOOK 0x00
#define DISABLE_KERNEL_HOOK 0x01
//#define ? 0x02
#define PUT_SCAN_RESULT_MSG 0x03
#define PUT_SCAN_TIME_OUT 0x04
#define PING_KEXT 0x05
#define GENERATE_BYPASS 0x06
#define SCAN_RW_POLICY 0x07
#define SCAN_NW_POLICY 0x08
//#define ? 0x09
//#define ? 0x0a
//#define ? 0x0b
#define ADD_TRUSTED_PROCESS 0x0c
#define FLUSH_TRUSTED_PROCESS 0x0d
#define INVALIDATE_BOOSTER_CACHE 0x0e
#define ENABLE_BOOSTER_CACHE 0x0f
#define SET_LOG_LEVEL 0x10
#define CLEAR_DEVICE_ENTRIES 0x11
#define SET_KERNEL_EXCLUSIONS 0x12
#define CLEAR_KERNEL_EXCLUSIONS 0x13
int
AV_hook_deregister()
{
if (gAVLogLevel >= LOG_WARN) {
printf("MFE_AV: WARNING\"UnRegistering the kauth listener\"\n");
}
// _Mfe_deregisterKextClient(_AV_Handle_Auth_Events);
// rbx = &var_28;
// do {
// _msleep(_gActivationCount, 0x0, 0x32, "com.McAfee.AVKext", rbx);
// } while (*(int32_t *)_gActivationCount > 0x0);
return 0;
}
int
AV_hook_register()
{
int error = 0;
kauth_cred_t ucred;
ucred = kauth_cred_get();
if (ucred) {
gVirexGID = ucred->cr_posix.cr_rgid;
if (gAVLogLevel >= LOG_INFO) {
printf("MFE_AV: INFO\"Registered group - %d\"\n", gVirexGID);
}
// rax = _Mfe_registerKextClient(_AV_Handle_Auth_Events, 0x2);
// rax = -rax;
// rax = rax - rax + CARRY(RFLAGS(cf));
}
return error;
}
errno_t
HandleSend(kern_ctl_ref ctlref, unsigned int unit, void *userdata, mbuf_t m, int flags)
{
return 0;
}
errno_t
HandleGet(kern_ctl_ref ctlref, unsigned int unit, void *userdata, int opt, void *data, size_t *len)
{
return 0;
}
errno_t
HandleConnect(kern_ctl_ref ctlref, struct sockaddr_ctl *sac, void **unitinfo)
{
if (gUnit == 0) {
gUnit = sac->sc_unit;
if (gAVLogLevel >= LOG_DEBUG) {
printf("MFE_AV: DEBUG\"Scanner connected to kernel module\"\n");
}
return KERN_SUCCESS;
} else {
return ECONNREFUSED;
}
}
errno_t
HandleDisconnect(kern_ctl_ref ctlref, unsigned int unit, void *unitinfo)
{
if (gAVLogLevel >= LOG_DEBUG) {
printf("MFE_AV: DEBUG\"Scanner disconnected from kernel module\"\n");
}
gUnit = 0;
AV_hook_deregister();
return KERN_SUCCESS;
}
errno_t
HandleSet(kern_ctl_ref ctlref, unsigned int unit, void *userdata, int opt, void *data, size_t len )
{
errno_t error;
// for whatever reason user space constants are one higher than here
opt = opt - 1;
if (opt > 0x13) {
return EINVAL;
}
switch(opt) {
case ENABLE_KERNEL_HOOK:
if (gAVLogLevel >= LOG_INFO) {
printf("MFE_AV: INFO\"Recd ENABLE_KERNEL_HOOK\"\n");
}
error = AV_hook_register();
break;
case DISABLE_KERNEL_HOOK:
if (gAVLogLevel >= LOG_INFO) {
printf("MFE_AV: INFO\"Recd DISABLE_KERNEL_HOOK..\"\n");
}
error = AV_hook_deregister(ctlref, unit);
Clear_ScanBooster_Cache();
Clear_BoosterLRU_Cache();
break;
case PUT_SCAN_RESULT_MSG:
if (gAVLogLevel >= LOG_DEBUG) {
printf("MFE_AV: DEBUG\"PUT_SCAN_RESULT_MSG..\"\n");
}
error = AV_put_scan_result(data, len);
break;
case PUT_SCAN_TIME_OUT:
error = AV_put_scan_timeout(data, len);
break;
case PING_KEXT:
error = _AV_ping_kext();
break;
case GENERATE_BYPASS:
error = AV_Generate_Bypass_pid_list(data, len);
break;
case SCAN_RW_POLICY:
error = AV_scan_rw_policy(data, len);
break;
case ADD_TRUSTED_PROCESS:
error = AV_add_trusted_processes(data, len);
break;
case FLUSH_TRUSTED_PROCESS:
error = AV_flush_trusted_processes();
break;
case INVALIDATE_BOOSTER_CACHE:
if (gAVLogLevel >= LOG_WARN) {
printf("MFE_AV: WARNING\"MFE_AV: Recd INVALIDATE_BOOSTER_CACHE msg from UserLand\"\n");
}
Clear_ScanBooster_Cache();
Clear_BoosterLRU_Cache();
break;
case ENABLE_BOOSTER_CACHE:
if (gAVLogLevel >= LOG_WARN) {
printf("MFE_AV: WARNING\"MFE_AV: Recd ENABLE_BOOSTER_CACHE msg from ScanManager Val - %d\"\n", (int)data);
}
SetScanBoosterEnabled(data);
break;
case SET_LOG_LEVEL:
if ((int)data >= 0x6) {
// if it's invalid default to the lowest level
gAVLogLevel = LOG_CRITICAL;
} else {
gAVLogLevel = data;
}
break;
case CLEAR_DEVICE_ENTRIES:
if (gAVLogLevel >= LOG_INFO) {
printf("MFE_AV: INFO\"MFE_AV: Recd CLEAR_DEVICE_ENTRIES msg from UserLand\"\n");
}
Flush_Device_Entries(data, data, data, data);
break;
case SET_KERNEL_EXCLUSIONS:
if (gAVLogLevel >= LOG_WARN) {
printf("MFE_AV: WARNING\"MFE_AV: Recd SET_KERNEL_EXCLUSIONS msg from UserLand\"\n");
}
if (data) {
error = addExclusion(data);
}
break;
case CLEAR_KERNEL_EXCLUSIONS:
// lck_rw_lock_exclusive(*gExclu_Lock);
// rdi = *gExclusionListPtr;
// *gExclusionListPtr = *gTempExclusionListPtr;
// ClearExclusionList(rdi);
// *gTempExclusionListPtr = 0x0;
// lck_rw_unlock_exclusive(*gExclu_Lock);
break;
default:
error = KERN_SUCCESS;
}
return error;
}
errno_t
AV_userkernintf_init()
{
errno_t error;
bzero(&gCtl, sizeof(gCtl));
gCtl.ctl_id = 0x0;
gCtl.ctl_unit = 0x0;
gCtl.ctl_recvsize = 0x109a00;
gCtl.ctl_sendsize = 0x107ac0;
strlcpy(gCtl.ctl_name, "com.McAfee.AVKext", 0x11);
gCtl.ctl_flags = CTL_FLAG_PRIVILEGED;
gCtl.ctl_send = HandleSend;
gCtl.ctl_getopt = HandleGet;
gCtl.ctl_setopt = HandleSet;
gCtl.ctl_connect = HandleConnect;
gCtl.ctl_disconnect = HandleDisconnect;
error = ctl_register(&gCtl, gCtlref);
if (error) {
if (gAVLogLevel >= LOG_CRITICAL) {
printf("MFE_AV: CRITICAL ERROR\"Error in User-Kernel communication setup - %d\"\n", error);
}
}
else {
if (gAVLogLevel >= LOG_INFO) {
printf("MFE_AV: INFO\"Successfully initialized User-Kernel communication channel\"\n");
}
}
return 0;
}
kern_return_t AVKext_start(kmod_info_t * ki, void *d)
{
printf("AV Kext: Entered");
gAVLogLevel = LOG_ERROR;
gAVMallocTag = OSMalloc_Tagalloc("com.McAfee.AVKext", OSMT_DEFAULT);
if (!gAVMallocTag) {
if (gAVLogLevel >= LOG_ERROR) {
printf("MFE_AV: ERROR\"Could not allocate memory for kext\"\n");
}
return KERN_FAILURE;
}
gAVLockGroup = lck_grp_alloc_init("com.McAfee.AVKext", NULL);
if (!gAVLockGroup) {
if (gAVMallocTag) {
OSMalloc_Tagfree(gAVMallocTag);
gAVMallocTag = NULL;
}
return KERN_FAILURE;
}
if ((AVScan_init("com.McAfee.AVKext", 0x0) == 0x0) && (AVScanBooster_init("com.McAfee.AVKext", 0x0) == 0x0)) {
if (AV_userkernintf_init() == 0x0) {
sysctl_register_oid(&sysctl__kern_com_mcafee_AV_log);
gRegisteredOID = 0x1;
}
}
return KERN_SUCCESS;
}
kern_return_t AVKext_stop(kmod_info_t *ki, void *d)
{
return KERN_SUCCESS;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment