Kernel Extensions: What are they and can they be removed/found?

Posted in macOS, edited January 2014
I just read that Sony CDs have software in them that loads a kernel extension on your Mac (it asks you if you want to do it).



So, what the heck is a kernel extension?



Can you see them in your Activity Monitor if it's running?



Can you remove them after they are installed?



Can you find it if you search for it on your HD?



Thanks to all who answer.

Comments

  • Reply 1 of 7
    chucker, Posts: 5,089, member
    Quote:

    I just read that Sony CDs have software in them that loads a kernel extension on your Mac (it asks you if you want to do it).



    It asks you if you want to give it admin privileges, yes.



    Quote:

    So, what the heck is a kernel extension?



    Apple's introduction



    Notice Apple's repeated, clear warnings to avoid creating kexts at all costs unless absolutely necessary.

    Quote:

    When you are trying to determine if a piece of code should be a KEXT, the default answer is generally no.



    Basically, they are drivers and other features tacked on to the kernel (the system core) to provide very low-level functionality.



    Amit Singh on the Mac OS X kernel



    Quote:

    Can you see them in your Activity Monitor if it's running?



    No, which is part of the problem. They run as part of the kernel, not in separate processes.



    Quote:

    Can you remove them after they are installed?



    Absolutely. You'll find them in /System/Library/Extensions. Be very, very careful not to delete anything else you find in there.
  • Reply 2 of 7
    sc_markt, Posts: 1,401, member
    Chucker,



    Thanks a lot.
  • Reply 3 of 7
    lundy, Posts: 4,466, member
    It's much worse if you are running Windows with Admin account.



    The Sony CD installs its rootkit without even notifying you.



    Boycott Sony/BMG. This is way over the top and an insult to the customer. Installing a freaking ROOTKIT on your machine?
  • Reply 4 of 7
    hiro, Posts: 2,663, member
    I wouldn't be surprised if this actually runs afoul of hacking laws and Sony could end up in some hot water.
  • Reply 5 of 7
    chucker, Posts: 5,089, member
    Quote:

    Originally posted by lundy

    The Sony CD installs its rootkit without even notifying you.



    Which, in fact, has already been exploited by a trojan.



    Funnily enough, you can use it against the DRM: hide your burning software with the means provided by the rootkit, and the DRM won't know any more that you're burning.
  • Reply 6 of 7
    pyr3, Posts: 946, member
    Quote:

    Originally posted by Chucker

    No, which is part of the problem. They run as part of the kernel, not in separate processes.



    But you can use kextstat to get a list of dynamically loaded kernel modules on your system. They don't show up in activity viewer because they are drivers. (or are supposed to be drivers)



    This is the result of kextstat on my Powerbook:



    Code:

    Index Refs Address Size Wired Name (Version) <Linked Against>
    1 1 0x0 0x0 0x0 com.apple.kernel (8.3.0)
    2 10 0x0 0x0 0x0 com.apple.kpi.bsd (8.3.0)
    3 13 0x0 0x0 0x0 com.apple.kpi.iokit (8.3.0)
    4 13 0x0 0x0 0x0 com.apple.kpi.libkern (8.3.0)
    5 13 0x0 0x0 0x0 com.apple.kpi.mach (8.3.0)
    6 11 0x0 0x0 0x0 com.apple.kpi.unsupported (8.3.0)
    7 1 0x0 0x0 0x0 com.apple.iokit.IONVRAMFamily (8.3.0)
    8 1 0x0 0x0 0x0 com.apple.driver.AppleNMI (8.3.0)
    9 1 0x0 0x0 0x0 com.apple.iokit.IOSystemManagementFamily (8.3.0)
    10 1 0x0 0x0 0x0 com.apple.iokit.ApplePlatformFamily (8.3.0)
    11 45 0x0 0x0 0x0 com.apple.kernel.6.0 (7.9.9)
    12 1 0x0 0x0 0x0 com.apple.kernel.bsd (7.9.9)
    13 1 0x0 0x0 0x0 com.apple.kernel.iokit (7.9.9)
    14 1 0x0 0x0 0x0 com.apple.kernel.libkern (7.9.9)
    15 1 0x0 0x0 0x0 com.apple.kernel.mach (7.9.9)
    16 12 0x479000 0xa000 0x9000 com.apple.iokit.IOPCIFamily (1.7) <11>
    17 2 0x5cc000 0x4000 0x3000 com.apple.driver.IOPlatformFunction (1.8.0d12) <11>
    18 0 0x794000 0xf000 0xe000 com.apple.driver.AppleMacRISC2PE (1.8.0d12) <17 16 11>
    19 4 0x4dd000 0x3f000 0x3e000 com.apple.iokit.IOHIDFamily (1.4.4) <6 5 4 3 2>
    20 0 0x5de000 0x6000 0x5000 com.apple.BootCache (25.1) <6 5 4 3 2>
    21 0 0x6ba000 0x3000 0x2000 com.apple.driver.AppleCore99NVRAM (1.1) <11>
    22 0 0x646000 0xa000 0x9000 com.apple.driver.AppleMacRiscPCI (3.2.0) <16 11>
    23 0 0x4ad000 0x7000 0x6000 com.apple.driver.AppleI2C (3.4.5d2) <11>
    24 1 0x5c7000 0x5000 0x4000 com.apple.iokit.IOKeyLargo (1.7.0d1) <11>
    25 0 0x5d0000 0x7000 0x6000 com.apple.driver.AppleKeyLargo (1.7.0d1) <24 17 16 11>
    26 6 0x45b000 0x1e000 0x1d000 com.apple.iokit.IOUSBFamily (2.2.6) <11>
    27 0 0x483000 0xe000 0xd000 com.apple.driver.AppleUSBOHCI (2.2.5) <26 16 11>
    28 0 0x774000 0x20000 0x1f000 com.apple.iokit.IOPCCardFamily (1.6.1) <16 11>
    29 5 0x5e4000 0x43000 0x42000 com.apple.iokit.IOFireWireFamily (2.0.8) <11>
    30 0 0x69e000 0x1c000 0x1b000 com.apple.driver.AppleFWOHCI (2.5.2) <29 16 11>
    31 3 0x59d000 0x1f000 0x1e000 com.apple.iokit.IONetworkingFamily (1.5.0) <6 5 4 3 2>
    32 0 0x5bc000 0xb000 0xa000 com.apple.iokit.AppleGMACEthernet (1.4.2f1) <31 16 5 4 3 2>
    33 0 0x4d2000 0x4000 0x3000 com.apple.driver.AppleMPIC (1.5.2) <16 11>
    34 0 0x828000 0x4000 0x3000 com.apple.driver.AppleVIA (1.5d1) <11>
    35 3 0x4d6000 0x7000 0x6000 com.apple.iokit.IOADBFamily (8.0.0) <11>
    36 3 0x4b4000 0x11000 0x10000 com.apple.iokit.IOATAFamily (1.6.0f2) <11>
    37 0 0x5d7000 0x3000 0x2000 com.apple.driver.KeyLargoATA (1.1.0f1) <36 11>
    39 0 0x769000 0xb000 0xa000 com.apple.driver.AppleUSBHub (2.2.6) <26 11>
    40 0 0x70b000 0x15000 0x14000 com.apple.driver.ApplePMU (2.3.4d1) <19 11 6>
    41 4 0x521000 0x1d000 0x1c000 com.apple.iokit.IOSCSIArchitectureModelFamily (1.4.4) <11>
    42 0 0x53e000 0x5000 0x4000 com.apple.iokit.IOATAPIProtocolTransport (1.4.3) <41 36 11>
    43 8 0x437000 0x1d000 0x1c000 com.apple.iokit.IOStorageFamily (1.4) <6 5 4 3 2>
    44 0 0x4c5000 0xd000 0xc000 com.apple.iokit.IOATABlockStorage (1.4.2) <43 36 11>
    45 0 0x704000 0x7000 0x6000 com.apple.iokit.SCSITaskUserClient (1.4.4) <43 41 11>
    46 2 0x720000 0xa000 0x9000 com.apple.iokit.IOCDStorageFamily (1.4) <43 5 4 3>
    47 1 0x72a000 0x7000 0x6000 com.apple.iokit.IODVDStorageFamily (1.4) <46 43 5 4 3>
    48 1 0x731000 0x16000 0x15000 com.apple.iokit.IOSCSIBlockCommandsDevice (1.4.4) <43 41 11>
    49 0 0x747000 0x16000 0x15000 com.apple.iokit.IOSCSIMultimediaCommandsDevice (1.4.4) <48 47 46 43 41 11>
    50 0 0x51c000 0x5000 0x4000 com.apple.driver.AppleADBKeyboard (2.3.9) <35 19 11>
    52 0 0x7d7000 0x7000 0x6000 com.apple.driver.AppleADBMouse (2.1.0f3) <35 19 11>
    53 0 0x458000 0x3000 0x2000 com.apple.driver.AppleI2S (1.0.0d2) <11>
    54 1 0x491000 0xb000 0xa000 com.apple.iokit.IOSerialFamily (8.0.0d28) <6 5 4 3 2>
    55 0 0x49c000 0x5000 0x4000 com.apple.driver.InternalModemSupport (2.3.6) <54 26 11>
    56 3 0x7e4000 0x24000 0x23000 com.apple.iokit.IOGraphicsFamily (1.4.1) <16 6 5 4 3>
    57 2 0x808000 0x16000 0x15000 com.apple.iokit.IONDRVSupport (1.4.1) <56 16 6 5 4 3>
    58 0 0x81e000 0xa000 0x9000 com.apple.AppleOnboardDisplay (1.4.8) <57 56 16 11>
    59 0 0x7e1000 0x3000 0x2000 com.apple.driver.AppleADBButtons (2.5.1f2) <35 19 11>
    60 0 0x7a3000 0x22000 0x21000 com.apple.driver.AppleAirPort (3.4.4) <31 11 2>
    61 4 0x543000 0x1e000 0x1d000 com.apple.iokit.IOAudioFamily (1.5.5b2) <26 11>
    62 2 0x653000 0x14000 0x13000 com.apple.iokit.IOFireWireAVC (1.8.1) <29 11>
    63 1 0x667000 0x34000 0x33000 com.apple.driver.AppleFWAudio (1.1.3) <62 61 29 11>
    64 0 0x69b000 0x3000 0x2000 com.apple.driver.AppleMLANAudio (1.1.3) <63 62 29 11>
    65 0 0x75f000 0xa000 0x9000 com.apple.iokit.IOFireWireIP (1.3.4) <31 29 6 5 4 3 2>
    67 0 0x831000 0x39000 0x38000 com.apple.ATIRadeon (4.1.6) <57 56 16 11>
    68 2 0x561000 0xb000 0xa000 com.apple.driver.Apple02DBDMAAudio (2.5.6b5) <61 11>
    69 1 0x56c000 0x3000 0x2000 com.apple.driver.AudioI2SControl (2.5.6b5) <11>
    70 1 0x56f000 0x13000 0x12000 com.apple.driver.Apple02Audio (2.5.6b5) <68 61 26 11>
    72 0 0x582000 0x10000 0xf000 com.apple.driver.AppleTexas2Audio (2.5.6b5) <70 69 68 61 11>
    74 0 0x4a1000 0xc000 0xb000 com.apple.iokit.IOUSBUserClient (2.2.6) <26 11>
    77 1 0xd72b000 0x1e000 0x1e000 com.apple.driver.ndrv.ATY,Crown.0xd72cbe4 (1.0.1b42)
    78 0 0x6ce000 0x36000 0x35000 com.apple.AppleDiskImageController (110) <43 6 5 4 3 2>
    79 0 0x454000 0x4000 0x3000 com.apple.driver.XsanFilter (2.6.0) <43 11>

    All that in the Activity Viewer would be confusing... and needlessly so. How many people need to know that com.apple.iokit.IOFireWireAVC is loaded? There is no such 'easy' way to look for Sony's rootkit on Windows (rootkit detectors notwithstanding).
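    The two answers above (kexts live in /System/Library/Extensions, and kextstat lists what is loaded) combine into a quick inventory check. The script below is an added example written for this thread, not code posted by any of the participants: it reads kextstat output in the column layout shown in pyr3's listing (Index Refs Address Size Wired Name (Version) <Linked Against>), where the bundle identifier is the sixth whitespace-separated field, and prints only the kexts whose identifier is not under com.apple., which is the short list a defender would actually want to account for. The sample input is constructed from rows in the thread plus one hypothetical third-party entry, com.example.placeholder.driver, which is not a real bundle id. Newer macOS releases add columns to kextstat (and macOS 11 and later also offer kmutil showloaded), so confirm the header on your own machine before relying on the field number.

```shell
#!/bin/sh
# Added example, not from the original thread: list loaded kernel
# extensions whose bundle identifier is not under com.apple., so that
# third-party kexts stand out from Apple's own drivers and KPIs.
# Assumes the Tiger-era kextstat layout shown in the thread, where the
# bundle identifier is field 6. Later releases add columns; check
# `kextstat | head -1` first and adjust the field number if needed.

# Read kextstat-format text on stdin, skip the header line, and print
# the bundle identifier of every kext not in the com.apple. namespace.
third_party_kexts() {
    awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Constructed sample input: a few genuine rows from the thread plus one
# hypothetical third-party kext (com.example.placeholder.driver is a
# placeholder, not a real bundle id, and its address/size are made up).
SAMPLE_KEXTSTAT='Index Refs Address Size Wired Name (Version) <Linked Against>
1 1 0x0 0x0 0x0 com.apple.kernel (8.3.0)
16 12 0x479000 0xa000 0x9000 com.apple.iokit.IOPCIFamily (1.7) <11>
79 0 0x454000 0x4000 0x3000 com.apple.driver.XsanFilter (2.6.0) <43 11>
80 0 0x912000 0x8000 0x7000 com.example.placeholder.driver (1.0) <43 11>'

# Count how many non-Apple kexts the sample contains.
count_third_party() {
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts | wc -l | tr -d ' '
}

# Run against the sample. On a real Mac you would feed the live listing
# instead:   kextstat | third_party_kexts
# For each name printed, find the matching bundle under
# /System/Library/Extensions (or /Library/Extensions on 10.9 and later)
# before deciding whether it belongs there.
printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
```

    The filter on the bundle identifier is a triage aid, not proof of anything: a kext can carry any identifier its author chooses, so the output tells you which entries to look up and verify, not which ones are safe.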
  • Reply 7 of 7
    chucker, Posts: 5,089, member
    Quote:

    Originally posted by pyr3

    But you can use kextstat to get a list of dynamically loaded kernel modules on your system.



    Yes, absolutely.



    Quote:

    They don't show up in activity viewer because they are drivers. (or are supposed to be drivers)



    Mostly, depending on how narrow your definition of "drivers" is. Not all of what you list are really pieces of code that directly access one piece of hardware (Xsan comes to mind).