
mac-a-mal's Introduction

macOS versions supported: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 10.12

Environment: tested working on VMware and VirtualBox.

See Mac-A-Mal-cuckoo for front-end host analysis machine.

mac-a-mal's People

Contributors

phdphuc

mac-a-mal's Issues

Cannot build the project on MacOS X 10.10.5

Hello,

I have macOS 10.10.5 on site and am trying to build the mac-a-mal kext and grey-cuckoo. We have Xcode 7.1 (7B91b).

The process looks like this:

    # Clone the repo
    $ git clone https://github.com/phdphuc/mac-a-mal.git mam
    $ cd mam
    
    # List the schemes
    $ xcodebuild -list -project mac-a-mal.xcodeproj/
    
    # Install libevent
    $ brew install libevent
    
    # Build the code (mac-a-mal.kext)
    $ xcodebuild -target mac-a-mal -configuration Release -verbose build

The last command fails with the following:

Ians-iMac-2:mam ian$ xcodebuild -target mac-a-mal -configuration Release -verbose build
2018-07-30 09:37:04.659 xcodebuild[16679:136965]  DVTAssertions: Warning in /Library/Caches/com.apple.xbs/Sources/DVTiOSFrameworks/DVTiOSFrameworks-9063/IDEiOSSupportCore/DVTiPhoneSimulatorLocator.m:94
Details:  [SimDeviceSet defaultSet] returned nil. Simulator device support disabled.
Object:   <DVTiPhoneSimulatorLocator: 0x7fe1ed66abe0>
Method:   -startLocating
Thread:   <NSThread: 0x7fe1ed099670>{number = 3, name = (null)}
Please file a bug at http://bugreport.apple.com with this warning message and any useful information you can provide.
=== BUILD TARGET mac-a-mal OF PROJECT mac-a-mal WITH CONFIGURATION Release ===

Check dependencies

CompileC build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/kernel_control.o mac-a-mal/kernel_control.c normal x86_64 c com.apple.compilers.llvm.clang.1_0.compiler
    cd /Users/ian/mam
    export LANG=en_US.US-ASCII
    /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -x c -arch x86_64 -fmessage-length=238 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -fcolor-diagnostics -nostdinc -std=gnu99 -fmodules -gmodules -fmodules-prune-interval=86400 -fmodules-prune-after=345600 -fbuild-session-file=/var/folders/91/5dcx3r_91llbzvd7470yr5n00000gn/C/org.llvm.clang/ModuleCache/Session.modulevalidation -fmodules-validate-once-per-build-session -Wnon-modular-include-in-framework-module -Werror=non-modular-include-in-framework-module -fno-builtin -Wno-trigraphs -msoft-float -Os -fno-common -mkernel -Wno-missing-field-initializers -Wno-missing-prototypes -Werror=return-type -Wunreachable-code -Werror=deprecated-objc-isa-usage -Werror=objc-root-class -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wconditional-uninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wshorten-64-to-32 -Wpointer-sign -Wno-newline-eof -DKERNEL -DKERNEL_PRIVATE -DDRIVER_PRIVATE -DAPPLE -DNeXT -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -mmacosx-version-min=10.6 -g -Wno-sign-conversion -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-generated-files.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-own-target-headers.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-all-target-headers.hmap -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-project-headers.hmap -I/Users/ian/mam/build/Release/include 
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/PrivateHeaders -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/Headers -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources/x86_64 -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources -F/Users/ian/mam/build/Release -MMD -MT dependencies -MF /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/kernel_control.d --serialize-diagnostics /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/kernel_control.dia -c /Users/ian/mam/mac-a-mal/kernel_control.c -o /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/kernel_control.o
In file included from /Users/ian/mam/mac-a-mal/kernel_control.c:9:
/Users/ian/mam/mac-a-mal/kernel_control.h:31:1: error: unknown type name 'bool'
bool pid_run(int );
^
1 error generated.

CompileC build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/mac-a-mal.o mac-a-mal/mac-a-mal.c normal x86_64 c com.apple.compilers.llvm.clang.1_0.compiler
    cd /Users/ian/mam
    export LANG=en_US.US-ASCII
    /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -x c -arch x86_64 -fmessage-length=238 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -fcolor-diagnostics -nostdinc -std=gnu99 -fmodules -gmodules -fmodules-prune-interval=86400 -fmodules-prune-after=345600 -fbuild-session-file=/var/folders/91/5dcx3r_91llbzvd7470yr5n00000gn/C/org.llvm.clang/ModuleCache/Session.modulevalidation -fmodules-validate-once-per-build-session -Wnon-modular-include-in-framework-module -Werror=non-modular-include-in-framework-module -fno-builtin -Wno-trigraphs -msoft-float -Os -fno-common -mkernel -Wno-missing-field-initializers -Wno-missing-prototypes -Werror=return-type -Wunreachable-code -Werror=deprecated-objc-isa-usage -Werror=objc-root-class -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wconditional-uninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wshorten-64-to-32 -Wpointer-sign -Wno-newline-eof -DKERNEL -DKERNEL_PRIVATE -DDRIVER_PRIVATE -DAPPLE -DNeXT -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -mmacosx-version-min=10.6 -g -Wno-sign-conversion -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-generated-files.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-own-target-headers.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-all-target-headers.hmap -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-project-headers.hmap -I/Users/ian/mam/build/Release/include 
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/PrivateHeaders -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/Headers -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources/x86_64 -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources -F/Users/ian/mam/build/Release -MMD -MT dependencies -MF /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/mac-a-mal.d --serialize-diagnostics /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/mac-a-mal.dia -c /Users/ian/mam/mac-a-mal/mac-a-mal.c -o /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/mac-a-mal.o
In file included from /Users/ian/mam/mac-a-mal/mac-a-mal.c:6:
In file included from /Users/ian/mam/mac-a-mal/hooker.h:16:
/Users/ian/mam/mac-a-mal/kernel_control.h:31:1: error: unknown type name 'bool'
bool pid_run(int );
^


CompileC build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/proc_exec_mon.o mac-a-mal/proc_exec_mon.c normal x86_64 c com.apple.compilers.llvm.clang.1_0.compiler
    cd /Users/ian/mam
    export LANG=en_US.US-ASCII
    /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -x c -arch x86_64 -fmessage-length=238 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -fcolor-diagnostics -nostdinc -std=gnu99 -fmodules -gmodules -fmodules-prune-interval=86400 -fmodules-prune-after=345600 -fbuild-session-file=/var/folders/91/5dcx3r_91llbzvd7470yr5n00000gn/C/org.llvm.clang/ModuleCache/Session.modulevalidation -fmodules-validate-once-per-build-session -Wnon-modular-include-in-framework-module -Werror=non-modular-include-in-framework-module -fno-builtin -Wno-trigraphs -msoft-float -Os -fno-common -mkernel -Wno-missing-field-initializers -Wno-missing-prototypes -Werror=return-type -Wunreachable-code -Werror=deprecated-objc-isa-usage -Werror=objc-root-class -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wconditional-uninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wshorten-64-to-32 -Wpointer-sign -Wno-newline-eof -DKERNEL -DKERNEL_PRIVATE -DDRIVER_PRIVATE -DAPPLE -DNeXT -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -mmacosx-version-min=10.6 -g -Wno-sign-conversion -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-generated-files.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-own-target-headers.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-all-target-headers.hmap -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-project-headers.hmap -I/Users/ian/mam/build/Release/include 
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/PrivateHeaders -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/Headers -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources/x86_64 -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources -F/Users/ian/mam/build/Release -MMD -MT dependencies -MF /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/proc_exec_mon.d --serialize-diagnostics /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/proc_exec_mon.dia -c /Users/ian/mam/mac-a-mal/proc_exec_mon.c -o /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/proc_exec_mon.o

CompileC build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/hooker.o mac-a-mal/hooker.c normal x86_64 c com.apple.compilers.llvm.clang.1_0.compiler
    cd /Users/ian/mam
    export LANG=en_US.US-ASCII
    /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -x c -arch x86_64 -fmessage-length=238 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -fcolor-diagnostics -nostdinc -std=gnu99 -fmodules -gmodules -fmodules-prune-interval=86400 -fmodules-prune-after=345600 -fbuild-session-file=/var/folders/91/5dcx3r_91llbzvd7470yr5n00000gn/C/org.llvm.clang/ModuleCache/Session.modulevalidation -fmodules-validate-once-per-build-session -Wnon-modular-include-in-framework-module -Werror=non-modular-include-in-framework-module -fno-builtin -Wno-trigraphs -msoft-float -Os -fno-common -mkernel -Wno-missing-field-initializers -Wno-missing-prototypes -Werror=return-type -Wunreachable-code -Werror=deprecated-objc-isa-usage -Werror=objc-root-class -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wconditional-uninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wshorten-64-to-32 -Wpointer-sign -Wno-newline-eof -DKERNEL -DKERNEL_PRIVATE -DDRIVER_PRIVATE -DAPPLE -DNeXT -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -mmacosx-version-min=10.6 -g -Wno-sign-conversion -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-generated-files.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-own-target-headers.hmap -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-all-target-headers.hmap -iquote /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/mac-a-mal-project-headers.hmap -I/Users/ian/mam/build/Release/include 
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/PrivateHeaders -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Kernel.framework/Headers -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources/x86_64 -I/Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/DerivedSources -F/Users/ian/mam/build/Release -w -MMD -MT dependencies -MF /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/hooker.d --serialize-diagnostics /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/hooker.dia -c /Users/ian/mam/mac-a-mal/hooker.c -o /Users/ian/mam/build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/hooker.o
In file included from /Users/ian/mam/mac-a-mal/hooker.c:23:
In file included from /Users/ian/mam/mac-a-mal/hooker.h:16:
/Users/ian/mam/mac-a-mal/kernel_control.h:31:1: error: unknown type name 'bool'
bool pid_run(int );
^
In file included from /Users/ian/mam/mac-a-mal/hooker.c:32:
/Users/ian/mam/mac-a-mal/data.h:33:8: error: unknown type name 'bool'
extern bool trackpid[99999];
       ^
/Users/ian/mam/mac-a-mal/data.h:34:8: error: unknown type name 'bool'
extern bool trackglobal;
       ^
/Users/ian/mam/mac-a-mal/hooker.c:205:22: error: unknown type name 'bool'
int FindIndex( const bool a[], int size, bool value )
                     ^
/Users/ian/mam/mac-a-mal/hooker.c:205:42: error: unknown type name 'bool'
int FindIndex( const bool a[], int size, bool value )
                                         ^


** BUILD FAILED **


The following build commands failed:
	CompileC build/mac-a-mal.build/Release/mac-a-mal.build/Objects-normal/x86_64/kernel_control.o mac-a-mal/kernel_control.c normal x86_64 c com.apple.compilers.llvm.clang.1_0.compiler
(1 failure)

Support for High Sierra and Mojave

Hi, I would like to add support for this project to the relevant OS versions.

Do you perhaps know how I can detect the location of the syscall table on those versions while connecting from remote KDP?

Thanks
Irad

Compiling grey-cuckoo on Guest VM (OSX 10.13)

Posting this for posterity from mac-a-mal-cuckoo.
Grey-cuckoo builds but no executable is created.
Without it, every time I kextload mac-a-mal.kext the VM reboots (kernel crashes) and I can't do anything with grey-cuckoo.

Can you share your VM Image

Hi,

First of all, thank you for building this, but after trying a lot I didn't set up macOS Cuckoo correctly.

If you don't mind, can you please share your VM image of the guest machine so that it helps us?

I hope you understand our problem.

Thanks & Regards
Seantree
