Description: Gets all non-Apple (non /System/Library/Extensions) kernel extensions and hashes them (MD5) for upload to VirusTotal.
What The Data Shows: Malicious kernel extensions are rare, but here's a way to expand your
SQL:
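WITH kext_bins AS (
  -- executables inside each kext bundle located outside /System/Library
  SELECT path FROM file
  WHERE directory IN (
    SELECT path || '/Contents/MacOS/'
    FROM kernel_extensions
    WHERE path NOT LIKE '/System/Library/%'
  )
)
-- substr(..., 27) drops the first 26 characters of the signing authority
SELECT s.path, s.arch, s.signed, substr(s.authority, 27) AS authority, h.md5
FROM signature s JOIN hash h USING (path)
WHERE path IN kext_bins
  AND s.hash_resources = 0  -- do not hash bundle resources during the signature check
  AND s.arch != '';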