
macOS Kernel Extensions + Hashes

Description: This gets all non-Apple (non /System/Library/Extensions) kernel extensions, and then hashes them for upload to VirusTotal (MD5)

What The Data Shows: Malicious kernel extensions are rare, but here's a way to expand your

SQL:

WITH kext_bins as (SELECT path FROM file
    WHERE directory IN
        (SELECT path || '/Contents/MacOS/'
        FROM kernel_extensions
        WHERE path NOT LIKE '/System/Library/%')
)
SELECT s.path, s.arch, s.signed, substr(s.authority, 27) as authority, h.md5
FROM signature s JOIN hash h USING (path)
WHERE path IN kext_bins AND s.hash_resources = 0 AND s.arch != '';
0 Votes
7 Comments
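An added example, not part of the submitted query or any Carbon Black content, that keeps the same discovery logic (third-party kext bundles, their Mach-O binaries, signature and hash) but also returns the kext name and version, only strips the "Developer ID Application: " prefix when it is actually present, adds SHA-256 next to MD5, and attaches a triage flag for unsigned or non-Developer-ID binaries. Column names are osquery's own (kernel_extensions, file, signature, hash); the CTE names, aliases and review_flag labels are this example's choices.

```sql
-- Added example (not from the original post): extends the submitted osquery
-- query with kext name/version, a prefix-safe Developer ID trim, SHA-256,
-- and a review flag for unsigned / non-Developer-ID kext binaries.
WITH kexts AS (
    -- third-party kernel extensions (everything outside /System/Library)
    SELECT name, version, path AS bundle_path
    FROM kernel_extensions
    WHERE path NOT LIKE '/System/Library/%'
),
kext_bins AS (
    -- Mach-O binaries inside each third-party kext bundle
    SELECT path, directory
    FROM file
    WHERE directory IN (SELECT bundle_path || '/Contents/MacOS/' FROM kexts)
)
SELECT
    k.name,
    k.version,
    b.path,
    s.arch,
    s.signed,
    s.team_identifier,
    -- "Developer ID Application: " is 26 characters; strip it only when present
    CASE
        WHEN s.authority LIKE 'Developer ID Application: %' THEN substr(s.authority, 27)
        ELSE s.authority
    END AS authority,
    -- triage label (labels chosen so DESC ordering puts unsigned first)
    CASE
        WHEN s.signed = 0 THEN 'unsigned'
        WHEN s.authority NOT LIKE 'Developer ID Application: %' THEN 'not-developer-id'
        ELSE 'developer-id'
    END AS review_flag,
    h.md5,
    h.sha256
FROM kext_bins b
JOIN kexts k ON b.directory = k.bundle_path || '/Contents/MacOS/'
JOIN signature s ON s.path = b.path   -- hash_resources = 0 skips bundle resource hashing
JOIN hash h ON h.path = b.path
WHERE s.hash_resources = 0
  AND s.arch != ''
ORDER BY review_flag DESC, k.name;
```

Rows flagged unsigned or not-developer-id are the ones worth submitting to VirusTotal first; the sha256 column lets you look them up without relying on MD5.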
Community Manager
Community Manager

Hello @Magneto, thank you for your contribution. Once we vet your query, if it runs as expected, we'll mark it as CB Approved.

Thanks again!

Magneto
New Contributor II

Great, thanks. I'd actually update this to replace the last select line with:

SELECT s.path, s.arch, s.signed, substr(s.authority, 27) as authority, h.md5

which just formats the output of the developer ID a bit nicer (sans the repetitive bit).
jnelson
Carbon Black Employee
Status changed to: Under Review

@Magneto can you please add a semicolon to the end of your query?

Magneto
New Contributor II

Sure! I am unable to find an edit button for my original post, so here's the (updated, fixed) query with a semicolon:
WITH kext_bins as (SELECT path FROM file
    WHERE directory IN
        (SELECT path || '/Contents/MacOS/'
        FROM kernel_extensions
        WHERE path NOT LIKE '/System/Library/%')
)
SELECT s.path, s.arch, s.signed, substr(s.authority, 27) as authority, h.md5
FROM signature s JOIN hash h USING (path)
WHERE path IN kext_bins AND s.hash_resources = 0 AND s.arch != '';

Community Manager
Community Manager

@Magneto -- thanks for the heads up; I will get this addressed so the edit button appears when clicking the three circles to the right of your original post.
Community Manager
Community Manager

@Magneto - just an FYI that I made the update to your submission per your comment above.

Also, you should now have edit access on your query. If not, please let me know. If you are able to edit, can you please choose a category for your query? I assigned it Vulnerability Management as a placeholder.

Somehow those label fields were not displaying when you originally submitted.

Thanks again!!

jnelson
Carbon Black Employee
Status changed to: Approved